A day's work of debugging and looking at mIRC revealed a buffer overflow vulnerability in mIRC 6.34. The exploit was tested on Windows XP SP3 English and Windows Vista SP0. The exploit uses a win32_exec payload to execute a calculator command. The exploit is triggered by sending a malicious payload to the server.
After registration, users with upload permission can upload PHP files which can then be accessed via a URL. The exploit file format is http://[target]/[path to kwalbum]/[path to store image]/[year]/[month]/shell.php and an example exploit file is http://[target]/[path to kwalbum]/items/08/10/shell.php
CCMS 3.1 is vulnerable to multiple Local File Inclusion vulnerabilities. An attacker can exploit these vulnerabilities by sending a crafted HTTP request containing malicious Local File Inclusion payloads. This can allow an attacker to read sensitive files from the server.
AdaptCMS Lite is vulnerable to Blind SQL Injection. This exploit uses a POST request to the check_user.php page with a crafted user_name parameter. The exploit then iterates through the characters of the password and builds the hash. This exploit was discovered by StAkeR and published on 03/10/2008.
This vulnerability allows an authenticated user with upload permissions to replace any existing file on the server with a file of their choice. This can be used to overwrite critical system files such as boot.ini, resulting in a complete system compromise.
A Denial of Service vulnerability exists in Serv-U FTP Server versions 7.2.0.1 and 7.3. An attacker with upload permissions can send a malicious 'STOU' command to the server, causing it to crash.
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable server with a malicious SQL query. This can allow the attacker to gain access to sensitive information such as usernames, passwords, and other confidential data stored in the database.
VBA32 (VirusBlokAda) Personal Version 3.12.8.x suffers from a denial of service vulnerability that causes memory corruption and crashes the software while scanning a malformed archive.
IP Reg <= 0.4 is vulnerable to Blind SQL Injection. This exploit uses a benchmark method to extract the hash of the admin password. The exploit takes two arguments, the URL of the target and the user ID of the admin. The exploit then sends a request to the login.php page with a crafted SQL query. If the response time is greater than 3 seconds, it means that the query was successful and the character is appended to the hash. This process is repeated for all the characters of the hash.
This is one of the 2 vulnerabilities of MS08-021. Tested on Windows XP Professional SP1, GDI32.dll 5.1.2600.1106, kernel32.dll 5.1.2600.1106, ws2_32.dll 5.1.2600.0. calc.zip executes calculator; IE.zip and localhost.zip connect to localhost on port 230. On Windows XP SP2 it only causes a denial of service. The vulnerable function is guarded with a GS cookie. The function which copies data to the stack has an exception handler which recovers from access violations, so you can't exploit it by hitting the next page.