This exploit gives an attacker remote root access on the SFR/Ubiquisys femtocell web server. It takes advantage of a vulnerability in shttpd versions <= 1.42 and mongoose versions <= 3.0. By sending a specially crafted PUT request, the attacker overwrites the program counter (pc) and executes arbitrary code. The exploit uses stack lifting (adjusting the stack pointer before the payload runs) to work around restrictions on the target and execute the payload reliably.
This exploit bypasses DEP (Data Execution Prevention) in D.R. Software Audio Converter 8.1. It generates a malicious file which, when opened, executes arbitrary code. The exploit uses Return-Oriented Programming (ROP) to call LoadLibraryA for a handle to kernel32.dll and then GetProcAddress to resolve the API it needs at runtime, so that no fixed address of the target function has to be hardcoded.
This module exploits an integer overflow in the TeeChart Pro ActiveX control. When an overly large or negative integer value is passed to the AddSeries() property of TeeChart2010.ocx, the code performs an arithmetic operation that wraps the value; the wrapped result is later trusted directly and called through. This module has been designed to bypass DEP only under IE8. Multiple versions (including the latest version) are affected by this vulnerability, dating back to 2001. The following controls are vulnerable: TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4); TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD); TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E); TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196); TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258). The controls are deployed in several SCADA-based systems, including Unitronics OPC server v1.3 and BACnet Operator Workstation Version 1.0.76.
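The following is an added illustration of the bug class in the TeeChart entry above, not TeeChart's own code: a signed bounds check lets a negative count through, a 32-bit multiplication wraps, and the wrapped result is used as an address. The table base, entry size and entry count are hypothetical; the hardened variant range-checks the unsigned value before doing any arithmetic.

```python
# Added example (not TeeChart code): 32-bit integer wrap on an attacker-supplied
# series index, emulated in Python with explicit masking.

MASK32 = 0xFFFFFFFF
ENTRY_SIZE = 16          # hypothetical size of one series entry in the table
TABLE_BASE = 0x10010000  # hypothetical address of the series table
TABLE_COUNT = 8          # hypothetical number of valid entries


def to_s32(v):
    """Interpret an integer as a two's-complement 32-bit signed value."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def vulnerable_entry_address(index):
    """The flawed pattern: signed compare (negatives pass), multiplication that
    wraps at 32 bits, and the result used directly as a pointer.
    Returns None when the (inadequate) check rejects the index."""
    idx = to_s32(index)
    if idx >= TABLE_COUNT:            # only guards the positive side
        return None
    offset = (idx * ENTRY_SIZE) & MASK32        # wraps like 32-bit C arithmetic
    return (TABLE_BASE + offset) & MASK32       # pointer that is later called through


def hardened_entry_address(index):
    """Range-check the value as an unsigned 32-bit quantity before any arithmetic."""
    idx = index & MASK32
    if idx >= TABLE_COUNT:
        return None
    return TABLE_BASE + idx * ENTRY_SIZE


def in_table(addr):
    """True when addr lies inside the legitimate table."""
    return addr is not None and TABLE_BASE <= addr < TABLE_BASE + TABLE_COUNT * ENTRY_SIZE


if __name__ == "__main__":
    for idx in (3, -3, 0xFFFF0000):
        v = vulnerable_entry_address(idx)
        h = hardened_entry_address(idx)
        print(f"index={idx:#x}: vulnerable -> {v!r} (in table: {in_table(v)}), hardened -> {h!r}")
```

With a negative index the vulnerable path computes an address below the table; with a value such as 0xFFFF0000 the wrap yields an address far from the table entirely, which is the "trusted and called upon" condition in the advisory. The hardened function rejects both.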
This exploit bypasses the Data Execution Prevention (DEP) security feature in MP3 CD Converter Professional. It allows an attacker to execute arbitrary shellcode on a vulnerable system.
This exploit targets BisonFTP Server version 3.5 and below. It allows an attacker to execute arbitrary code on the target machine by sending a specially crafted buffer-overflow payload. The exploit connects to the target host and sends the payload, which consists of 1092 bytes of padding followed by a 368-byte shellcode. The shellcode opens a bind shell on TCP port 4444. The exploit has been tested on Windows XP SP3 Spanish (DEP disabled), but may work on other versions as well.
This exploit bypasses Data Execution Prevention (DEP) with a three-call ROP chain: LoadLibraryA("kernel32.dll") to obtain a module handle in EAX, GetProcAddress(EAX, "VirtualProtect") to resolve the API, and VirtualProtect(ESP, 0x400, 0x40, 0x10007064) to mark 0x400 bytes starting at the stack pointer as PAGE_EXECUTE_READWRITE (0x40). The last argument, 0x10007064, is a writable address that receives the previous protection value; VirtualProtect fails if that pointer is not writable.
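As an added example (not the exploit's own code) for the VirtualProtect-based DEP bypass described in this and the earlier Audio Converter and MP3 CD Converter entries, the block below packs the stack frame that a ROP chain leaves for VirtualProtect and checks that the region being unprotected actually covers the shellcode. The VirtualProtect and shellcode addresses are hypothetical placeholders; the size 0x400, protection 0x40 and old-protection pointer 0x10007064 are the values from the description. In the real chain the resolved address lives in EAX and is reached through a call/jmp EAX gadget, so the first slot would hold that gadget rather than the API address itself.

```python
# Added example: stack frame for a stdcall VirtualProtect call reached by a ROP
# chain, plus the coverage check an exploit writer should make before using it.
import struct

PAGE_EXECUTE_READWRITE = 0x40   # flNewProtect used by the chain
OLD_PROTECT_PTR = 0x10007064    # writable DWORD from the description
FRAME_FIELDS = ("target", "return_to", "lpAddress", "dwSize", "flNewProtect", "lpflOldProtect")


def dword(v):
    """A 32-bit value as it sits on an x86 stack (little endian)."""
    return struct.pack("<I", v & 0xFFFFFFFF)


def build_virtualprotect_frame(target, return_to, lp_address, dw_size,
                               fl_new_protect, lpfl_old_protect):
    """Stack image at the moment control reaches VirtualProtect:
    [target][return address][lpAddress][dwSize][flNewProtect][lpflOldProtect].
    stdcall pushes arguments right to left, so arg1 sits just above the return
    address. VirtualProtect returns with 'ret 0x10': it pops return_to into EIP
    and discards the four arguments, so return_to is where the shellcode lives."""
    return b"".join(dword(v) for v in (target, return_to, lp_address, dw_size,
                                       fl_new_protect, lpfl_old_protect))


def parse_frame(frame):
    """Inverse of build_virtualprotect_frame, handy when checking a chain dump."""
    return dict(zip(FRAME_FIELDS, struct.unpack("<6I", frame)))


def region_covers(lp_address, dw_size, shellcode_addr, shellcode_len):
    """VirtualProtect rounds to page boundaries, but a chain should not rely on
    that: require the requested range to contain the whole payload."""
    return lp_address <= shellcode_addr and shellcode_addr + shellcode_len <= lp_address + dw_size


def frame_from_description(esp, virtualprotect_addr, shellcode_addr):
    """VirtualProtect(ESP, 0x400, 0x40, 0x10007064), then return into the shellcode."""
    return build_virtualprotect_frame(virtualprotect_addr, shellcode_addr, esp,
                                      0x400, PAGE_EXECUTE_READWRITE, OLD_PROTECT_PTR)


if __name__ == "__main__":
    esp = 0x0012FF80               # hypothetical ESP when the chain runs
    vp = 0x7C80ABCD                # hypothetical resolved VirtualProtect address
    shellcode = esp + 0x30         # hypothetical payload location, 368 bytes long
    frame = frame_from_description(esp, vp, shellcode)
    print(frame.hex())
    print(parse_frame(frame))
    print("covers shellcode:", region_covers(esp, 0x400, shellcode, 368))
```

The coverage check is the caveat that matters in practice: if the padding before the shellcode is longer than dwSize, or the chain itself sits above the payload, the page containing the shellcode may still be non-executable when VirtualProtect returns into it.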
ATutor suffers from SQL injection, cross-site scripting, and path disclosure vulnerabilities. The XSS issue is triggered when input passed via the 'search_friends_HASH' parameter to the '/mods/_standard/social/index_public.php' script is not properly sanitized before being returned to the user. The path disclosure (PD) issues can be triggered through the 'ATutorID' cookie variable in various scripts. The SQLi issue can be triggered through the 'p_course', 'name', and 'value' parameters of the '/mods/_standard/social/set_prefs.php' script. These issues can be exploited to execute arbitrary HTML and script code in a victim's browser, to reveal the full installation path in an error report, and to manipulate SQL queries by injecting arbitrary SQL code.
The Media Library Categories plugin version 1.0.6 for WordPress is vulnerable to SQL injection. An attacker can exploit this vulnerability by injecting malicious SQL code through the 'termid' parameter in the 'sort.php' script. The vulnerability allows an attacker to retrieve sensitive information from the database or modify its contents.
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel then becomes a dangling pointer that is reused when the OBJECT's data attribute is set. (Discovered by regenrecht.) This module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.
The Joomla Component com_jdirectory is vulnerable to SQL Injection. An attacker can inject malicious SQL queries through the 'contentid' parameter in the URL, which can lead to unauthorized access or data manipulation in the database.
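The three SQL injection entries above (ATutor's set_prefs.php parameters, the 'termid' parameter of Media Library Categories, and com_jdirectory's 'contentid') share one root cause: a request parameter concatenated into a query without being bound or validated. The block below is an added example, not code from any of those projects: a query built from a 'termid'-style numeric parameter by string formatting, next to the parameterized form. sqlite3 stands in for MySQL and the table and rows are constructed for the demonstration.

```python
# Added example (not code from ATutor, Media Library Categories or com_jdirectory):
# numeric-parameter SQL injection and its fix, using an in-memory SQLite table.
import sqlite3


def make_db():
    """Constructed sample data: a terms table with a column an attacker wants."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE terms (termid INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO terms VALUES (?, ?, ?)", [
        (1, "news", "n/a"),
        (2, "admin", "hash_of_admin"),
        (3, "staff", "hash_of_staff"),
    ])
    return db


def lookup_vulnerable(db, termid):
    """The pattern behind the advisories: the parameter is dropped straight into
    the WHERE clause. Because it is numeric it is not even quoted, so no quote
    character is needed to break out of the statement."""
    sql = "SELECT termid, name FROM terms WHERE termid = %s" % termid
    return db.execute(sql).fetchall()


def lookup_safe(db, termid):
    """Validate the type first, then bind the value so the database never sees
    attacker-controlled text as SQL."""
    try:
        tid = int(termid)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT termid, name FROM terms WHERE termid = ?", (tid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:   ", lookup_vulnerable(db, "2"))
    print("tautology:", lookup_vulnerable(db, "2 OR 1=1"))
    print("union:    ", lookup_vulnerable(db, "0 UNION SELECT termid, secret FROM terms"))
    print("safe:     ", lookup_safe(db, "2 OR 1=1"))
```

The tautology payload returns every row, and the UNION payload pulls the secret column through a query that was only meant to return names, which is the "retrieve sensitive information from the database" outcome the advisories describe. The safe variant rejects both because the value never parses as an integer.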