The value of the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter submitted to the URL /Main/frmContact.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The payload Expression was submitted in the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmPopupContactsList.aspx.
This is the exploit used in MJ Keith's Austin BSides presentation that returns a shell. The exploit uses a JavaScript function heap() to create an array of 300 elements, 130 of which are filled with scode and the remaining with scode2 and shell. The shell contains the port and IP address of the target machine.
This exploit is for CVE-2010-4077, which leaks kernel stack space back to userland because the uninitialized struct member 'reserved' in struct serial_icounter_struct is copied to userland. It uses an ioctl() call to trigger the memory leak, dumps the leaked data to a file and displays it on the command line.
ABBS Audio Media Player 3.0 is vulnerable to a stack buffer overflow. The vulnerability is triggered when a specially crafted .m3u or .lst file is opened. The exploit code creates a file named exploit.lst which contains a buffer of 4108 bytes followed by a return address and a jump backwards of 4116 bytes. The return address points to a jmp esp instruction located in user32.dll. The shellcode is a WinExec call to calc.exe.
This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.
A SQL injection vulnerability exists in Cover Vision, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the 'content.php' script. An example of exploiting this vulnerability is by sending a crafted HTTP request containing a malicious SQL statement to the vulnerable server, such as 'http://server/content.php?id=-1+union+select+1,2,3,4,version(),6,7,8,9,10,11,12,13'.
This exploit is used to cause a denial of service (DoS) attack on a vulnerable version of PHP. The exploit uses the ftok() and shmop_open() functions to create a shared memory segment of size 2147483647 bytes. If the segment is successfully created, then the vulnerable version of PHP is confirmed.
This module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the appliance ships with two easy-to-guess default authentication keys. This module abuses the known default encryption keys to inject a message into the communication bus. In order to execute arbitrary commands on the remote appliance, a message is injected into the bus destined for the 'matchrep' service. This service exposes a function named 'insert_plugin_meta_info' which is vulnerable to an input validation flaw in a call to system(). This provides access to the 'soggycat' user account, which has sudo privileges to run the primary admin tool as root. These two flaws are fixed in update version FTA_8_0_562.
The CMS suffers from several vulnerabilities (SQL injection and XSS). The SQL injection issue can be triggered when the application parses malicious arguments passed to 'page_id' in the /xmlOutput/constructrXmlOutput.content.xml.php script, since the user input is not validated. The result can be seen in the source code of the page itself. The XSS issue (GET) is through the 'user' and 'hash' parameters in the /backend/login.php script.
An attacker can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.