iBrowser is an image browser plugin for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions. It allows image browsing, resizing on upload, directory management and more with the integration of the phpThumb image library. iBrowser suffers from a file inclusion vulnerability (LFI) / file disclosure vulnerability (FD): input passed through the 'lang' parameter to ibrowser.php, loadmsg.php, rfiles.php and symbols.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL-encoded NULL bytes.
This module exploits a heap overflow in Realplayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is allocated on the heap and user-supplied data from the file is copied within a memory copy loop. This allows a remote attacker to execute arbitrary code running in the context of the web browser via a .QCP file with a specially crafted 'fmt' chunk.
This module allows remote attackers to execute arbitrary commands on the affected system by abusing a directory traversal flaw in the 'xf' command (execute function). An attacker can execute system() from msvcrt.dll to upload a backdoor and gain remote code execution.
This exploit is written to bypass the OptIn/OptOut DEP policy of Mini-Stream 2.9.7. It is tested on Windows XP SP3 running in VirtualBox. The exploit creates a malicious .m3u file which contains a buffer of 26084 A's followed by the return address in MSRfilter01.dll, a ROP chain to compensate for the stack alignment, and shellcode to execute calc.exe.
The getSubKeys() method is vulnerable to a remote SQL injection attack.
service.exe is a service listening on port 11234. Initially I started to test this software as usual by checking all the operations performed by the various opcodes, which are divided into groups identified by the second byte of the packet, while the first one is the opcode for the final operation. The function that handles the various groups and opcodes is available at offset 004061F0. The problem is that there are so many security vulnerabilities and design problems in this service that it is not worth continuing the tests, so after checking the opcodes of the 'F' group and a quick scan of the others I stopped any further testing to avoid wasting more time. It means that there are for sure other vulnerabilities, but the ones found are enough to consider this software insecure.
RsvcHost.exe and RNADiagReceiver.exe listen on ports 4446 and others. These services use RnaUtility.dll, which doesn't properly handle the 32-bit size field located in the 'rna' packets, with results such as a memset zero overflow and invalid read access.
This module exploits a stack-based buffer overflow vulnerability in version 5.3.11.1230 of scadaTEC's ScadaPhone. In order for the command to be executed, an attacker must convince someone to load a specially crafted project zip file with ScadaPhone. By doing so, an attacker can execute arbitrary code as the victim user.
The WordPress WP e-Commerce plugin version 3.8.6 is vulnerable to a SQL injection attack. The vulnerability exists in the chronopay.php file, which contains a callback function that builds a SQL query without validating the 'cs1' parameter. An attacker can exploit this vulnerability by sending a specially crafted POST request with malicious SQL code in the 'cs1' parameter.
A security vulnerability was discovered in the Windows Internet Name Service (WINS). The vulnerability could allow elevation of privilege if a user receives a specially crafted WINS replication packet on an affected system running the WINS service. An attacker must have valid logon credentials and be able to log on locally in order to exploit this vulnerability. Malicious packets are processed by the vulnerable function 'ECommEndDlg', reported in MS11-035, but this time the pointers handled by this function are controlled by the attacker.