Concrete CMS v5.4.1.1 XSS/remote code execution exploit

This exploit allows an attacker to execute arbitrary code on a vulnerable Concrete CMS v5.4.1.1 installation. The attacker must first create an XSS payload in the index.html file, then send the payload to the admin. The attacker then listens on a specified port for the target to connect, and then confirms the target's URL. The attacker then obtains the cookie and checks for admin access. If admin access is confirmed, the attacker determines the upload nonce and uploads a shell. The attacker then looks for the shell and enters an interactive remote console.

PhpGedView <= 4.2.3 Local File Inclusion Vulnerability

PhpGedView is a revolutionary genealogy program which allows users to view and edit their genealogy on their website. A vulnerability exists in PhpGedView versions 4.2.3 and earlier which allows an attacker to read arbitrary files on the server. This is done by exploiting the modules/ directory which is vulnerable to Local File Inclusion (LFI). By exploiting this vulnerability, an attacker can read the /etc/passwd file on the server.

Nucleus v3.61 Multiple Remote File Include

Nucleus CMS version 3.61 is vulnerable to multiple Remote File Include (RFI) vulnerabilities. The vulnerable files are action.php, media.php, server.php and PLUGINADMIN.php. An attacker can exploit these vulnerabilities by sending a malicious URL to the application. This URL contains the malicious payload which is then executed on the server.

remote change user and password exploit

A remote code execution vulnerability exists in S40 CMS v.0.4.1 beta due to improper validation of user-supplied input. An attacker can exploit this vulnerability by sending a maliciously crafted request to the vulnerable application. This can allow the attacker to change the admin username and password, which can be used to gain access to the application.

Wireshark ENTTEC DMX Data (UDP) Buffer Overflow PoC

Wireshark ENTTEC DMX Data (UDP) is prone to a buffer overflow vulnerability when sending a specially crafted packet to the vulnerable service. This vulnerability can be exploited by an attacker to execute arbitrary code in the context of the application. This vulnerability was discovered by non-customers crew in 2010.

Music Animation Machine MIDI Player Local Crash PoC

The application crashes when it tries to convert a malformed MIDI file. A vulnerable file is created by writing a buffer of 1337 bytes of the hexadecimal value 0x1337 to a MIDI file. When the MIDI file is opened with the application, it crashes.

Sahana Agasti <= 0.6.4 Multiple Remote File Include

Sahana Agasti version 0.6.4 and prior is vulnerable to multiple remote file include vulnerabilities. This vulnerability allows an attacker to include a remote file, usually through a malicious URL, and execute arbitrary code on the vulnerable server. The vulnerable code can be found in sahana-phase2/mod/vm/controller/AccessController.php and sahana-phase2/mod/vm/model/dao.php, where the attacker can inject malicious code into the global[approot] parameter.

CoolPlayer 2.18 DEP Bypass

This exploit uses SetProcessDEPPolicy() to disable DEP for the process. It creates a file exploit.plf which contains a payload of 220 bytes of 'A' followed by the address of POP ECX / RETN - SHELL32.DLL 7C9FB028, 4 bytes of 'B', 10 bytes of NOP, ROP chain to set EBX to 0xFFFFFFFF, EBP to point to SetProcessDEPPolicy, EAX to 0x00000001 and EDX to 0x00000000, and finally shellcode.

Windows Class Handling Gone Wrong

This exploit is based on a vulnerability in the Windows Class handling. The vulnerability is caused by a buffer overflow in the MenuWindowProcA function in the USER32.DLL library. The exploit sets the pointer value of the (soon to be) popup menu structure to 0x80808080 and then sets WND->fnid = FNID_MENU. This triggers the ExPoolFree(0x80808080) function, which can lead to a denial of service or arbitrary code execution.