automatic module_metadata_base.json update

2020-10-15 12:53:47 -05:00
parent 43e412f3f2
commit 2e1122ca98
1 changed files with 61 additions and 6 deletions
@@ -68624,17 +68624,20 @@
    "type": "exploit",
    "author": [
      "saelo",
-      "timwr"
+      "timwr",
+      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "This modules exploits a type confusion in Google Chromes JIT compiler.\n      The Object.create operation can be used to cause a type confusion between a\n      PropertyArray and a NameDictionary.\n        The payload is executed within the rwx region of the sandboxed renderer\n      process, so the browser must be run with the --no-sandbox option for the\n      payload to work.",
+    "description": "This modules exploits a type confusion in Google Chromes JIT compiler.\n          The Object.create operation can be used to cause a type confusion between a\n          PropertyArray and a NameDictionary.\n          The payload is executed within the rwx region of the sandboxed renderer\n          process.\n          This module can target the renderer process (target 0), but Google\n          Chrome must be launched with the --no-sandbox flag for the payload to\n          execute successfully.\n          Alternatively, this module can use CVE-2019-1458 to escape the renderer\n          sandbox (target 1). This will only work on vulnerable versions of\n          Windows (e.g Windows 7) and the exploit can only be triggered once.\n          Additionally the exploit can cause the target machine to restart\n          when the session is terminated. A BSOD is also likely to occur when\n          the system is shut down or rebooted.",
    "references": [
      "CVE-2018-17463",
      "URL-http://www.phrack.org/papers/jit_exploitation.html",
      "URL-https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce",
      "URL-https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf",
-      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=888923"
+      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=888923",
+      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
    ],
-    "platform": "OSX,Windows",
+    "platform": "Linux,OSX,Windows,Windows",
    "arch": "x64",
    "rport": null,
    "autofilter_ports": [
@@ -68644,9 +68647,10 @@

    ],
    "targets": [
-      "Automatic"
+      "No sandbox escape (--no-sandbox)",
+      "Windows 7 (x64) sandbox escape via CVE-2019-1458"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2020-10-15 11:53:39 +0000",
    "path": "/modules/exploits/multi/browser/chrome_object_create.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/chrome_object_create",
@@ -134188,6 +134192,57 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/cve_2019_1458_wizardopium": {
+    "name": "Microsoft Windows Uninitialized Variable Local Privilege Elevation",
+    "fullname": "exploit/windows/local/cve_2019_1458_wizardopium",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-10",
+    "type": "exploit",
+    "author": [
+      "piotrflorczyk",
+      "unamer",
+      "timwr"
+    ],
+    "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n          within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n          to write a limited amount of controlled data to an attacker controlled address\n          in kernel memory. By utilizing this vulnerability to execute controlled writes\n          to kernel memory, an attacker can gain arbitrary code execution\n          as the SYSTEM user.\n\n          This module has been tested against Windows 7 x64 SP1. Offsets within the\n          exploit code may need to be adjusted to work with other versions of Windows.\n          The exploit can only be triggered once against the target and can cause the\n          target machine to reboot when the session is terminated.",
+    "references": [
+      "CVE-2019-1458",
+      "URL-https://github.com/unamer/CVE-2019-1458",
+      "URL-https://github.com/piotrflorczyk/cve-2019-1458_POC",
+      "URL-https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/",
+      "URL-https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows 7 x64"
+    ],
+    "mod_time": "2020-10-09 20:58:47 +0000",
+    "path": "/modules/exploits/windows/local/cve_2019_1458_wizardopium.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2019_1458_wizardopium",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-os-restarts"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/local/cve_2020_0668_service_tracing": {
    "name": "Service Tracing Privilege Elevation Vulnerability",
    "fullname": "exploit/windows/local/cve_2020_0668_service_tracing",