Appending "%00" to the name of a CGI script in a request URL lets a remote client read the script's source instead of executing it, provided the CGI module option "allow CGIs anywhere" is enabled. The decoded "%00" is a NUL byte, which ends the filename at the C-string level, so the request is no longer treated as a CGI invocation and the script is returned as a plain file. Example: "http://target/script.cgi%00". "%00" can be replaced with "%G0", "%W0", "%EW", "%FG", "%UW", or "%VG" with the same result; none of these is a valid percent-encoding, which indicates that the server's URL decoder does not check that the two characters following "%" are hexadecimal digits.
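The list of equivalent escapes above is explained by one specific decoder bug, which the following added example reproduces (this is illustrative code, not the affected server's source). If the decoder maps 'A'..'Z' to 10..35 without an isxdigit() check and stores hi*16+lo into a byte, then "%G0" (16*16+0), "%W0" (32*16+0), "%EW" (14*16+32), "%FG" (15*16+16), "%UW" (30*16+32) and "%VG" (31*16+16) are all 256 or 512 and wrap to 0x00. That the real decoder works this way is an assumption; the arithmetic is not. The strict decoder beside it rejects both malformed escapes and a decoded NUL.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Nibble value with no validation: 'A'..'Z' map to 10..35, so 'G' = 16 and
 * 'W' = 32 even though neither is a hex digit. */
static int nibble_lax(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
    if (c >= 'a' && c <= 'z') return c - 'a' + 10;
    return 0;
}

/* Lax decoder (assumed bug): hi*16+lo is stored into a byte, so any value of
 * 256 or more wraps; "%G0", "%W0", "%EW", "%FG", "%UW", "%VG" all become 0x00. */
size_t url_decode_lax(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in && n + 1 < outsz) {
        if (*in == '%' && in[1] && in[2]) {
            int v = nibble_lax(in[1]) * 16 + nibble_lax(in[2]);
            out[n++] = (char)(v & 0xFF);
            in += 3;
        } else {
            out[n++] = *in++;
        }
    }
    out[n] = '\0';
    return n;            /* raw byte count, including an embedded NUL */
}

/* Strict decoder: an escape must be exactly two hex digits, and a decoded NUL
 * is refused because it would truncate the C string the server later uses as
 * the path. Returns the decoded length, or -1 on rejection. */
int url_decode_strict(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            c = (unsigned char)(nibble_lax(in[1]) * 16 + nibble_lax(in[2]));
            in += 3;
        } else {
            in++;
        }
        if (c == '\0' || n + 1 >= outsz) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if lax-decoding "script.cgi" + esc produces 11 raw bytes that the C
 * library nevertheless sees as just "script.cgi" (the escape became a NUL). */
int lax_truncates(const char *esc)
{
    char url[64], out[64];
    snprintf(url, sizeof url, "script.cgi%s", esc);
    size_t raw = url_decode_lax(url, out, sizeof out);
    return raw == 11 && strlen(out) == 10 && strcmp(out, "script.cgi") == 0;
}

/* 1 if the strict decoder refuses "script.cgi" + esc. */
int strict_rejects(const char *esc)
{
    char url[64], out[64];
    snprintf(url, sizeof url, "script.cgi%s", esc);
    return url_decode_strict(url, out, sizeof out) == -1;
}

/* 1 if the strict decoder turns `in` into exactly `expect`. */
int strict_decodes_to(const char *in, const char *expect)
{
    char out[64];
    int n = url_decode_strict(in, out, sizeof out);
    return n >= 0 && strcmp(out, expect) == 0;
}

int main(void)
{
    const char *escapes[] = { "%00", "%G0", "%W0", "%EW", "%FG", "%UW", "%VG" };
    for (size_t i = 0; i < sizeof escapes / sizeof *escapes; i++)
        printf("%s: lax truncates=%d strict rejects=%d\n",
               escapes[i], lax_truncates(escapes[i]), strict_rejects(escapes[i]));
    return 0;
}
```

The practical check is the last clause of the strict decoder: even a decoder that validates hex digits still has to refuse a genuine "%00", since the rest of the server works with NUL-terminated strings.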
When an NT user uses the Recycle Bin for the first time on a given partition, a folder named after that user's SID is created under the Recycler folder on that partition, and permissions are set on it so that other users cannot access the files it holds. If the folder does not exist yet, however, a local attacker can create it in advance with permissions of their choosing and later read any file the user deletes. The deleted files keep their original permissions, but an attacker who has granted themselves Full Control over the user's Recycler folder can overwrite them with arbitrary content. This only applies to NTFS partitions; a FAT partition has no local access control on files at all.
The exploit takes advantage of unchecked buffers in the code that handles certain commands in Tiny FTPd. By overflowing one of them, an attacker overwrites the stack and executes arbitrary code. This particular exploit uses the STOR overflow to create a registry key and value that weaken Internet Explorer's security settings, then starts IE on a web page whose ActiveX content is executed.
Microsoft's Java Virtual Machine allows a remote Java application to read local files in two ways. The first uses getSystemResourceAsStream(), which requires the exact filename and restricts reads to certain paths. The second uses getSystemResource(), which accepts "../" in the path name and so allows access to any file on the same drive as the Java installation.
There is an unchecked buffer in the code that parses GET requests: a request of 537 bytes or longer overwrites the saved return address, and with it EIP. A remote attacker can use this to run arbitrary code on the machine. The code contains many other unchecked buffers, each of which could potentially be exploited in the same way.
The Mirabilis ICQ client is vulnerable to a remote buffer overflow. When the client parses a URL received from another user inside a message, it performs no bounds check on the URL's length, so an attacker can overwrite the saved return address (EIP) and execute arbitrary code on the target host.
Allows running any file, bypassing the virtualization policy, and conducting phishing attacks.
This is an exploit for the locale format string vulnerability in Solaris 7 (Solaris 2.7) on SPARC. It is based on the exploit by Warning3, modified by Solar Eclipse. The format string bug is used to overwrite the return address and branch into shellcode, giving the attacker arbitrary code execution with the privileges of the vulnerable program.
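The following is an added illustration of the bug class behind that exploit, not code from the Warning3 or Solar Eclipse exploit: attacker-supplied text (in the Solaris case, localized message text) reaches the format argument of a printf-family call. The block shows the vulnerable and fixed call shapes, then the write primitive the exploit relies on to overwrite a return address: a field width sets the character count and "%n" stores it into memory. The primitive is demonstrated with defined behaviour on a local int rather than a saved return address, and the "%hn" width arithmetic and the catalog-string check are my own helpers for illustration.

```c
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#pragma GCC diagnostic ignored "-Wformat-security"   /* the next function is the bug on display */
#endif

/* Vulnerable pattern: `msg` came from a translation catalog, an environment
 * variable or the network, and is used as the format string. Shown only;
 * never call this with untrusted input. */
void report_vulnerable(const char *msg)
{
    fprintf(stderr, msg);
}

/* Fix: the format is a literal, the untrusted text is an argument. */
void report_fixed(const char *msg)
{
    fprintf(stderr, "%s", msg);
}

/* The write primitive behind "overwrite the return address": %n stores the
 * number of characters produced so far into the int its argument points to,
 * and a field width lets the attacker choose that number. Here the target is
 * a local int and the output goes to a buffer large enough not to truncate. */
int controlled_write(int value)
{
    static char sink[8192];
    int target = 0;
    if (value < 0 || value > 8000) return -1;       /* keep inside the sink */
    snprintf(sink, sizeof sink, "%*d%n", value, 0, &target);
    return target;                                  /* equals value */
}

/* Exploits write a 32-bit address as two 16-bit halves with %hn, because
 * padding out 0x08049abc characters in one write is impractical. The counter
 * only ever grows, so the width for the next half is taken modulo 65536; a
 * width of 0 would still emit one character, so it is bumped to a full wrap. */
unsigned width_for_next_hn(unsigned already_written, unsigned wanted_half)
{
    unsigned w = (wanted_half - (already_written & 0xFFFF)) & 0xFFFF;
    return w ? w : 65536;
}

/* Defensive check for programs that print catalog strings: a translation must
 * carry exactly the conversions the original message had ("%%" is a literal). */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    printf("%%n wrote %d\n", controlled_write(0x1234));
    printf("second %%hn width: %u\n", width_for_next_hn(0x9abc, 0x0804));
    printf("conversions in \"%%08x.%%08x.%%n\": %d\n", count_conversions("%08x.%08x.%n"));
    report_fixed("100% safe as an argument\n");
    return 0;
}
```

The check in count_conversions is the one a program that loads translated messages can actually apply: compare the count for the translation against the count for the original string and refuse the translation on mismatch, so a catalog that smuggles in "%n" never reaches the format argument.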
The w3-msql CGI program shipped with Mini-SQL (mSQL) contains multiple buffer overflows, one of which has been proven exploitable: the stack is overflowed inside a scanf() call through the Content-Length field. An attacker can use it to execute arbitrary code remotely with the privileges of the web server (usually nobody).
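The three stack overflows above (the GET parser that falls at 537 bytes, the ICQ URL parser, and the w3-msql scanf() call) share one shape: request text is copied into a fixed-size stack buffer with no bound, and once the input outruns the buffer and whatever sits between it and the saved return address, the copy rewrites that address. The added example below, which is illustrative code and not from any of those products, shows that shape in both its strcpy-like and scanf("%s") forms beside a parser that carries a bound on every copy and rejects over-long input instead of truncating it silently. The 256-byte path limit and the request format are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 256

/* Vulnerable (assumed shape): sscanf "%s" with no width is the scanf-family
 * version of an unbounded copy into `path`. A path longer than the buffer
 * walks over the adjacent locals, the saved frame pointer and the saved
 * return address. Shown only; do not call with untrusted input. */
int parse_get_unsafe(const char *line)
{
    char method[8];
    char path[PATH_MAX_LEN];
    if (sscanf(line, "%7s %s", method, path) != 2) return -1;
    return strcmp(method, "GET") == 0 ? 0 : -1;
}

/* Hardened: the method is checked in place, the path length is measured
 * before anything is copied, and input that would not fit (with room for the
 * terminating NUL) is refused. Returns the path length or -1. */
int parse_get_safe(const char *line, char *path_out, size_t path_sz)
{
    const char *sp = strchr(line, ' ');
    if (!sp || (size_t)(sp - line) != 3 || strncmp(line, "GET", 3) != 0) return -1;
    const char *p = sp + 1;
    const char *end = strchr(p, ' ');
    if (!end) end = p + strlen(p);
    size_t len = (size_t)(end - p);
    if (len == 0 || len >= path_sz) return -1;
    memcpy(path_out, p, len);
    path_out[len] = '\0';
    return (int)len;
}

/* Convenience wrapper with a stack buffer of the same size the unsafe parser uses. */
int safe_accepts(const char *line)
{
    char path[PATH_MAX_LEN];
    return parse_get_safe(line, path, sizeof path);
}

/* Build a GET request whose path is `path_len` bytes of 'A' (constructed
 * input) and run it through the safe parser; -2 means the test request itself
 * would not fit the scratch buffer. */
int safe_path_len_for(size_t path_len)
{
    static char req[4096 + 32];
    char path[PATH_MAX_LEN];
    if (path_len > 4096) return -2;
    memcpy(req, "GET ", 4);
    memset(req + 4, 'A', path_len);
    memcpy(req + 4 + path_len, " HTTP/1.0", sizeof " HTTP/1.0");
    return parse_get_safe(req, path, sizeof path);
}

int main(void)
{
    printf("normal request: %d\n", safe_accepts("GET /index.html HTTP/1.0"));
    printf("255-byte path: %d\n", safe_path_len_for(255));
    printf("256-byte path: %d\n", safe_path_len_for(256));
    printf("537-byte path: %d\n", safe_path_len_for(537));
    return 0;
}
```

Note that the hardened version rejects rather than truncates: silently cutting a path at 255 bytes would keep the process alive but could turn one resource name into another, which is its own bug.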
Netscape Communicator 4.5 has an unchecked buffer that can be reached through the prefs.js preferences file; code injected via that file is executed. This can be exploited locally to run arbitrary code at the privilege level of the current user.