Questions tagged [exploit]
The data, tools, and procedures which, when applied to a specific vulnerability, predictably violate the security design of a system.
1,302 questions
1 vote · 1 answer · 24 views
Opening PowerShell (PS) session with STs
I am solving TryHackMe > Exploiting Active Directory > Task 3. At the very end, how is a new PowerShell session opened with the dumped Service Tickets (STs)? He typed this command...
PS> New-...
1 vote · 0 answers · 46 views
Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?
Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget?
My understanding of JOP:
In jump-...
0 votes · 0 answers · 26 views
Jump-Oriented Programming: Harder than ROP because the registers need to be prepared individually? + Turing complete, but large overhead/slow?
Full title: Jump-Oriented Programming: Is it harder than traditional return-oriented programming because you need to manually prepare all the addresses and registers or is there a different reason?
...
2 votes · 0 answers · 76 views
When gets reads a string, it does not read \x00, which is the NULL character. So how to separate two different addresses to complete ROP?
First I used ROPgadget to find two assembly instructions:
xor rax; ret and pop rcx; ret,
They are at 0x401270 and 0x40133b.
Then I tried to put them at the top of the stack, but because the gets ...
0 votes · 0 answers · 56 views
Buffer Overflow shell
I'm trying to exploit the code posted by ir0nstone at this link https://ir0nstone.gitbook.io/notes/types/stack/shellcode.
I followed all of the steps listed in the tutorial, ASLR is not enabled on my ...
0 votes · 0 answers · 80 views
how to exploit CVE-2023-1613
I am trying to understand the vulnerability in Rebuild in chromium which is identified as CVE-2023-1613.
I found this poc online: https://github.com/getrebuild/rebuild/issues/596
What I understood so ...
1 vote · 1 answer · 135 views
Does PDF level compression implicitly clean a file of malware?
Recently I've been looking into PDF file security, specifically malware exploiting vulnerabilities in PDF readers. I thought about one thing - does compressing a PDF file (for example, by using ...
2 votes · 1 answer · 166 views
Can I use SELinux to add an extra layer of protection against 0-day VM escape exploits in KVM/QEMU?
My host is Fedora, and I want to add an extra layer of protection against 0day KVM/QEMU exploits that execute code on the host. For example there have been CVEs where if we run a specially crafted ...
0 votes · 1 answer · 148 views
How are viruses or exploits tested without being detected?
I was wondering how threat actors actually test their exploits without them being automatically detected and added to the library of an antivirus detection system, thereby being marked as useless and ...
1 vote · 2 answers · 182 views
How does malware work when compressed?
I have read up on compressed folders of file types such as .zip, .rar and .7zip being the malicious file itself (excluding cases such as an .exe file being disguised as a .zip file etc...), only ...
1 vote · 1 answer · 94 views
Metasploit search feature returns intersection of results
When I use multiple search criteria in Metasploit it shows the results as an "or" rather than an "and". I see that this was asked several years ago so now I am wondering if this ...
0 votes · 0 answers · 109 views
Cache poisoning from rfc6455 (WebSockets) not requiring server message to be masked?
In RFC6455 section 10.3, it explains why they have made clients mask their outgoing frames (so that a malicious server cannot manipulate a client into sending something in plaintext, as the message ...
2 votes · 2 answers · 286 views
How does malware trigger without the user running an executable?
It is known that downloading a file without actually executing it can be a security vulnerability, if the operating system does something which is not known by the user. See here for some good answers....
0 votes · 1 answer · 335 views
SSRF through Gopher
The Gopher protocol is used a lot when exploiting SSRF, but how?
A Gopher URL takes the form:
gopher://<host>:<port>/<gopher-path>
but let's take this example:
gopher://10.10.10.3:80/...
0 votes · 0 answers · 234 views
How to exploit read -p in a bash script
I want to execute the ls command in place of the output being "your name is ls".
Is there a way to do it?
read -p "name??" name
echo "your name is $name"