Explore all Exploits:

Microsoft Office Visio DXF File Stack based Overflow

This exploit takes advantage of a stack-based overflow in Microsoft Office Visio 2002 (XP) when parsing DXF files. With a specially crafted DXF file, an attacker can overwrite the saved return address (EIP) and take control of the program's execution flow. The exploit includes a modified alphanumeric shellcode that launches calc.exe.

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow

This module exploits a vulnerability in Excel from Microsoft Office 2007. By supplying a malformed .xlb file, an attacker controls both the source pointer of a memcpy call and the number of bytes it copies, causing a stack-based buffer overflow. This results in arbitrary code execution in the context of the current user.

Abysssec Public Exploit

This module exploits a code execution vulnerability in Mozilla Firefox <= 3.6.16 in the nsTreeSelection element. The specific flaw exists in the way Firefox handles user-defined functions of an nsTreeSelection element: when executing the function invalidateSelection, it is possible to free the nsTreeSelection object that the function operates on. Any further operations on the freed object can result in remote code execution. This exploit module is only tested on Windows 7 and uses another Java ROP chain to defeat DEP/ASLR (since there is no non-ASLR module left in Firefox); in my tests it works reliably on Windows 7. There are two versions of this exploit, one for XP and one for 7, and both use a different method from the one used in the MSF exploit bounty!

Adobe Flash Player ActionScript type confusion exploit (DEP+ASLR bypass)

For exploitation on recent protections on Windows 7 without any third-party component (well, Flash is hardly third party these days), it is possible to use the same bug several times to leak the image base address and the payload address. In our exploit we used the confusion three times to read String object addresses and, from those, the image base address.

Step 1: read the shellcode String object pointer by confusing it with a uint, and use it to leak the image base.
Step 2: leak the address of the shellcode with the same pointer and the NewNumber trick.
Step 3: pass the image base and shellcode address as parameters to the RopPayload function, build the ROP payload string, and again confuse the return value with a uint to read the address of the RopPayload string.
Step 4: pass the address of the ROP payload as a parameter to the last confused function, which confuses the String type with a class object. The address of our ROP payload is thus used as the vtable of the fake class object.

Note: when using strings as a buffer for shellcode in ActionScript, it is important to use alphanumeric characters, because the toString method converts our ASCII character set to Unicode and would otherwise make the shellcode unusable.

SAP GUI for Windows sapirrfc.dll (Accept) ActiveX Overflow

This exploit targets a buffer overflow vulnerability in the sapirrfc.dll ActiveX control shipped with SAP GUI for Windows. The vulnerability is triggered when the Accept() method is called with an overly long string, causing a stack-based buffer overflow that can be used to execute arbitrary code.

Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability (0day)

Novell File Reporter Agent has a remote code execution vulnerability caused by improper handling of XML data. An attacker can send a specially crafted XML request to the agent and execute arbitrary code on the vulnerable system. The vulnerability was assigned CVE-2012-4959 and was discovered by @abysssec in 2012.

Avaya WinPMD UniteHostRouter Buffer Overflow

This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability is in the UniteHostRouter service and is caused by an insecure memcpy call when parsing specially crafted 'To:' headers. The module has been tested successfully on Avaya WinPMD 3.8.2 on Windows XP SP3 and Windows 2003 SP2.

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

This module exploits a vulnerability in Adobe Flash Player's Flash10u.ocx component. When processing an MP4 file (specifically the H.264 Sequence Parameter Set), Flash checks whether pic_order_cnt_type equals 1; if it does, it reads the file-supplied num_ref_frames_in_pic_order_cnt_cycle field and then blindly copies that many offset_for_ref_frame entries into a fixed-size buffer on the stack, with no bounds check on the count. This stack overflow allows arbitrary remote code execution in the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild.
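The SPS parsing logic described above, as an added example that is not code from the original page or from Adobe. It decodes the Exp-Golomb fields of a baseline/main/extended-profile SPS RBSP as far as num_ref_frames_in_pic_order_cnt_cycle and then shows the vulnerable copy (attacker-controlled count into a fixed-size stack array) next to a hardened version that rejects any count above the H.264 limit of 255 or above the caller's capacity before writing a single entry. The two SPS byte strings are constructed for this example, not real samples; the code assumes the NAL header and emulation-prevention bytes have already been stripped, and only the hardened function is safe to run on untrusted input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* H.264 7.4.2.1.1 bounds num_ref_frames_in_pic_order_cnt_cycle to 0..255. */
#define POC_CYCLE_MAX 255

typedef struct {
    const uint8_t *buf;
    size_t len;   /* length in bytes */
    size_t pos;   /* current bit position */
    int err;      /* set once a read runs past the end */
} bitreader;

static uint32_t read_bits(bitreader *br, unsigned n) {
    uint32_t v = 0;
    while (n-- > 0) {
        if (br->pos >= br->len * 8) { br->err = 1; return 0; }
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u);
        br->pos++;
    }
    return v;
}

/* Unsigned Exp-Golomb ue(v): N leading zeros, a 1 bit, then N info bits. */
static uint32_t read_ue(bitreader *br) {
    unsigned zeros = 0;
    while (!br->err && read_bits(br, 1) == 0) {
        if (++zeros > 31) { br->err = 1; return 0; }
    }
    if (br->err) return 0;
    return ((1u << zeros) - 1) + read_bits(br, zeros);
}

/* Signed Exp-Golomb se(v): codeNum k maps to +(k+1)/2 for odd k, -k/2 for even k. */
static int32_t read_se(bitreader *br) {
    uint32_t k = read_ue(br);
    return (k & 1) ? (int32_t)((k + 1) / 2) : -(int32_t)(k / 2);
}

/* Walks the SPS RBSP (assumption: no NAL header, emulation-prevention bytes removed)
   up to num_ref_frames_in_pic_order_cnt_cycle. Returns that count, 0 when
   pic_order_cnt_type is not 1, or -1 on a truncated or malformed stream. */
static long sps_poc_cycle_count(bitreader *br) {
    uint32_t profile_idc = read_bits(br, 8);
    read_bits(br, 8);                 /* constraint_set flags + reserved_zero_2bits */
    read_bits(br, 8);                 /* level_idc */
    read_ue(br);                      /* seq_parameter_set_id */
    if (br->err) return -1;
    if (profile_idc != 66 && profile_idc != 77 && profile_idc != 88)
        return -1;                    /* other profiles carry extra fields here; not modelled */
    read_ue(br);                      /* log2_max_frame_num_minus4 */
    uint32_t poc_type = read_ue(br);
    if (br->err || poc_type > 2) return -1;
    if (poc_type == 0) { read_ue(br); return br->err ? -1 : 0; } /* log2_max_pic_order_cnt_lsb_minus4 */
    if (poc_type == 2) return 0;
    read_bits(br, 1);                 /* delta_pic_order_always_zero_flag */
    read_se(br);                      /* offset_for_non_ref_pic */
    read_se(br);                      /* offset_for_top_to_bottom_field */
    uint32_t n = read_ue(br);         /* num_ref_frames_in_pic_order_cnt_cycle: file-controlled */
    return br->err ? -1 : (long)n;
}

/* VULNERABLE shape, mirroring the bug described above: the file-supplied count drives
   the copy into a fixed-size stack array. Trusted input only; n > 256 smashes the stack. */
long poc_cycle_read_unchecked(const uint8_t *sps, size_t len) {
    bitreader br = { sps, len, 0, 0 };
    int32_t offsets[POC_CYCLE_MAX + 1];
    volatile int32_t sink = 0;
    long n = sps_poc_cycle_count(&br);
    if (n < 0) return -1;
    for (long i = 0; i < n; i++) {    /* n is never compared with the array size */
        offsets[i] = read_se(&br);
        sink += offsets[i];
    }
    return br.err ? -1 : n;
}

/* Hardened: validate the count against the spec limit and the caller's capacity before
   writing anything. Returns entries written, -1 on a bad bitstream, -2 on a bad count. */
long poc_cycle_read_checked(const uint8_t *sps, size_t len, int32_t *out, size_t cap) {
    bitreader br = { sps, len, 0, 0 };
    long n = sps_poc_cycle_count(&br);
    if (n < 0) return -1;
    if ((unsigned long)n > POC_CYCLE_MAX || (size_t)n > cap) return -2;
    for (long i = 0; i < n; i++)
        out[i] = read_se(&br);
    return br.err ? -1 : n;
}

/* Constructed inputs (hand-encoded for this example): profile 66, level 30, pic_order_cnt_type 1. */
const uint8_t SPS_BENIGN[] = { 0x42, 0x00, 0x1E, 0xD3, 0x64, 0x70 };   /* count 2, offsets +2, -1 */
const uint8_t SPS_MALICIOUS[] = { 0x42, 0x00, 0x1E, 0xD3, 0x00, 0x7D,
                                  0x3F, 0xFF, 0xFF, 0xFF, 0xFF };      /* count 1000 */

int main(void) {
    int32_t out[POC_CYCLE_MAX + 1];
    long n = poc_cycle_read_checked(SPS_BENIGN, sizeof SPS_BENIGN, out, POC_CYCLE_MAX + 1);
    printf("benign: %ld entries, offset[0]=%d offset[1]=%d\n", n, out[0], out[1]);
    n = poc_cycle_read_checked(SPS_MALICIOUS, sizeof SPS_MALICIOUS, out, POC_CYCLE_MAX + 1);
    printf("malicious: %s\n", n == -2 ? "rejected, count exceeds limit" : "accepted?!");
    return 0;
}
```

The hardened reader checks the count before the loop rather than inside it, so a malicious file is refused without any partial write; a parser that only clamps inside the loop would still have consumed attacker-chosen data for every entry below the limit, which is fine for integrity but slower to reject.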
