Lattice Diamond Programmer is vulnerable to client-side attacks, allowing remote attackers to run arbitrary code by sending specially crafted '.xcf' files.
A nonprivileged user can crash any 32- or 64-bit non-Intel machine running Solaris 7 by executing the 'more /proc/self/psinfo' command. This vulnerability is caused by a bug in the Solaris 7 procfs.
This exploit takes advantage of a buffer overflow vulnerability in Mini-stream Software's URL Hunter software. It bypasses the DEP (Data Execution Prevention) protection mechanism. The exploit code allows an attacker to execute arbitrary code by overwriting the return address with a shellcode. The shellcode calls the MessageBoxA function to display the message 'PWNED by Ayrbyte...! ^_^'.
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an '#EXTINF:' tag description, iTunes will copy the content after '#EXTINF:' without appropriate checking from a heap buffer to a stack buffer and write beyond the stack buffer's boundary. This allows arbitrary code execution. The Windows XP target has to have QuickTime 7.7.2 installed for this module to work. It uses a ROP chain from a non-SafeSEH-enabled DLL to bypass DEP and SafeSEH. The stack cookie check is bypassed by triggering a SEH exception.
The vulnerability in the pkgadjust utility allows an attacker to compromise the root account. By using a specially crafted program, the attacker can gain root privileges on the system.
It is possible to cause a denial of service (remote and local) by generating old, obscure kernel messages (not terminated with ) in klogd. The problem exists because of a buffer overflow in the klogd handling of kernel messages. It is possible to gain local root access by stuffing shellcode into printk() messages which contain user-controllable variables (e.g., filenames). What makes this problem strange, however, is that it was fixed two years ago. Two of the most mainstream Linux distributions (Slackware Linux and RedHat Linux), up until recently, are known to have been shipping with the very old vulnerable version. Fixes and updates were released promptly. There is no data on other distributions.
A buffer overflow vulnerability can occur in lchangelv under some versions of AIX. An attacker must already have the GID or EGID of 'system' to execute lchangelv. Because lchangelv is SUID root, this overflow will grant the attacker root privileges.
This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against Korean-based organizations. Specifically, when an array is indexed using an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying, as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and is very reliable.
This exploit allows an attacker to execute arbitrary code on a vulnerable Sysax <= 5.62 Admin Interface. The vulnerability occurs due to a buffer overflow in the login function. By sending a specially crafted GET request, an attacker can overwrite the return address and gain control of the program execution flow. The exploit payload is a shellcode that creates a bind shell on port 4444.
Certain versions of AIX ship with an Information Daemon, infod. This program is designed to provide information about the OS and installed ancillary programs. The daemon, which runs as root, does not check the credentials that are passed to it. This allows users to pass requests with arbitrary UIDs. If a user passes infod a request as root, they can go to the default options menu and change the printer command line to an alternate binary such as /bin/sh, which gives privileges to the account the session was spawned under.