This exploit is based on the OLE Remote Code Execution vulnerability identified as MS14-060 (CVE-2014-4114). It creates a blank PowerPoint show (ppsx) file to exploit the vulnerability. The script will also create the INF file and, with the -m switch, an optional Meterpreter reverse_tcp executable. Alternatively, you can host your own executable payload. Host the INF and GIF (EXE) in an SMB share called 'share'.
The Finger Server is a perl script for providing .plan-like functionality through a website. Due to insufficient input checking, it is possible for remote unauthenticated users to execute shell commands on the server which will run with the privileges of the webserver. A request like: http://target/finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shell command>| will cause the server to execute whatever command is specified.
The PDOSessionHandler class allows sessions to be stored on a PDO connection. Under some configurations (see below) and with a well-crafted payload, it was possible to cause a denial of service on a Symfony application using few resources. An application is vulnerable when it uses PDOSessionHandler to store its sessions, it uses MySQL as the backend for the sessions managed by PDOSessionHandler, and the SQL mode contains neither STRICT_ALL_TABLES nor STRICT_TRANS_TABLES (check via SELECT @@sql_mode).
This exploit leads to unsigned code execution with kernel privileges. KVA Shadowing should be disabled and the relevant security update should be uninstalled. This may not work with certain hypervisors (like VMware), which discard the pending #DB after INT3.
A Speculative Execution Side-Channel Vulnerability is a class of vulnerability that abuses the speculative execution mechanism of modern processors. Speculative execution improves performance by predicting which instructions will be executed and executing them ahead of time; the side effects of that speculation can be observed by an attacker to recover sensitive data from the processor's memory, such as passwords, encryption keys, and other confidential information.
The JavascriptNativeFloatArray::SetItem function does not check the double value given as the parameter. If the double value given as the parameter equals JavascriptNativeFloatArray::MissingItem, it converts the float array to a var array. This can lead to type confusion.
An attacker can inject malicious JavaScript code into the Status box of the WebSocket Live Chat application, which will be executed when someone opens the profile of the attacker.
The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object. A proof-of-concept is provided which needs to be hosted on a webserver to work and only works on 32-bit systems.
There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native-backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion.
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.