This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which leads to a stack-based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed 'UplusFtp'. This exploit utilizes a small piece of code that I've referred to as 'fixRet'. This code allows us to inject a payload of ~500 bytes into a 264-byte buffer by 'fixing' the return address post-exploitation. See references for more information.
This module exploits a buffer overflow in the Gekko Manager FTP client, triggered when processing the response received after sending a LIST request. If this response contains a long filename, a buffer overflow occurs, overwriting a structured exception handler.
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.
This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending an overly long string, we are able to overwrite SEH. The vulnerability exists when netcat is used to bind (-e) an executable to a port in doexec.c. This module tested successfully using "c:\>nc -L -p 31337 -e ftp".
This exploit targets a vulnerability in Internet Explorer's createTextRange function. It allows remote attackers to gain access to the system. The exploit uses a faster version of the heap spraying code developed by SkyLined.
The Joomla Captcha Plugin <= 4.5.1 contains a local file disclosure vulnerability. An attacker can exploit it by sending a specially crafted request to the 'playcode.php' file. By manipulating the 'lng' parameter in the request, an attacker can disclose the contents of arbitrary files on the server, such as the '/etc/passwd' file.
The Tomcat Server, which listens for incoming connections on port 8014, carries a world-accessible Apache Axis2 Web Service with default credentials. By uploading a well-constructed .aar (axis2 service) file via the http://host:8014/WebServiceImpl/axis2-admin/upload URL, then interrogating it through a SOAP request, it is possible to execute arbitrary code with NT AUTHORITY\SYSTEM privileges. A proof-of-concept written in PHP is provided which automates the process, and an .aar file is included which remotely executes calc.exe.
The vulnerability is caused by an integer division by zero in the JPEG2000.dll module of IrfanView 4.27. By providing a specially crafted JP2 file, an attacker can trigger this vulnerability and cause a denial of service condition.
This is a remote root exploit for THCimail 0.1. The exploit allows an attacker to gain root access on a vulnerable system. The exploit was discovered by Johnny Cyberpunk and can be compiled using MS Visual C++. It is recommended to apply the necessary patch or upgrade to a non-vulnerable version of the software to mitigate this vulnerability.
PhpMyAdmin allows inserting text and restricted tags like BBCode. By using the [a@url@page]Click Me[/a] tag, an attacker can insert their own page and redirect all users. This can be exploited by injecting special tags in the error.php file.