This module exploits a vulnerability found in DATAC Control International RealWin SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE packet via port 910, RealWin will try to create a file (which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-supplied filename with an inline memcpy routine without proper bounds checking, which results in a stack-based buffer overflow, allowing arbitrary remote code execution. Tested version: 2.0 (Build 6.1.8.10)
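The bug class above (an attacker-supplied length handed straight to memcpy with a fixed stack buffer as the destination) is shown below as an added example, not code from RealWin or from the module. The packet layout, the 64-byte name buffer and the function names are assumptions made for the illustration; only the pattern is the point. The hardened handler bounds the copy by the destination size and leaves room for the terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed packet layout for this illustration only (not the RealWin wire
 * format): a 4-byte little-endian name length followed by the name bytes. */
#define NAME_BUF_LEN 64

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a packet for a given file name (constructed test input). */
size_t build_packet(uint8_t *buf, size_t buf_len, const char *name)
{
    size_t n = strlen(name);
    if (buf_len < 4 + n)
        return 0;
    buf[0] = (uint8_t)n;
    buf[1] = (uint8_t)(n >> 8);
    buf[2] = (uint8_t)(n >> 16);
    buf[3] = (uint8_t)(n >> 24);
    memcpy(buf + 4, name, n);
    return 4 + n;
}

/* VULNERABLE pattern: the length is checked against the packet but never
 * against the destination, so a name longer than NAME_BUF_LEN runs past the
 * stack buffer into the saved frame pointer and return address.
 * Returns the length of the copied name on success, -1 on a short packet. */
int handle_file_packet_vuln(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_BUF_LEN];
    if (pkt_len < 4)
        return -1;
    uint32_t name_len = rd_u32le(pkt);
    if (pkt_len - 4 < name_len)        /* only checks the packet, not the buffer */
        return -1;
    memcpy(name, pkt + 4, name_len);   /* no check against sizeof(name) */
    name[name_len] = '\0';             /* also out of bounds once name_len >= 64 */
    return (int)strlen(name);
}

/* HARDENED form: reject any name that does not fit in the destination with
 * its terminator. Returns 0 on success, -1 if the packet is rejected. */
int handle_file_packet_safe(const uint8_t *pkt, size_t pkt_len,
                            char *out, size_t out_len)
{
    if (out_len == 0 || pkt_len < 4)
        return -1;
    uint32_t name_len = rd_u32le(pkt);
    if (name_len > pkt_len - 4)        /* length must lie inside the packet */
        return -1;
    if (name_len >= out_len)           /* and inside the destination, NUL included */
        return -1;
    memcpy(out, pkt + 4, name_len);
    out[name_len] = '\0';
    return 0;
}

int main(void)
{
    uint8_t pkt[512];
    char out[NAME_BUF_LEN];
    char big[200];

    size_t n = build_packet(pkt, sizeof pkt, "report.txt");
    printf("short name, safe handler: %d\n", handle_file_packet_safe(pkt, n, out, sizeof out));

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    n = build_packet(pkt, sizeof pkt, big);
    /* The hardened handler refuses this packet; the vulnerable one would
     * memcpy 199 bytes into a 64-byte stack buffer, so it is not called here. */
    printf("long name, safe handler: %d\n", handle_file_packet_safe(pkt, n, out, sizeof out));
    return 0;
}
```

The check that matters is the second one in the hardened handler: validating the length against the packet alone, as the vulnerable version does, proves only that the bytes exist, not that they fit where they are being written.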
This is a local root exploit for DEC Alpha Linux version 3.0 and below. It allows an attacker to gain root privileges on the system.
There are multiple vulnerabilities in Subrion CMS. The first vulnerability allows attackers to bypass authentication and gain access to the admin panel using a specific username and password. The second vulnerability is a persistent XSS vulnerability in the title field of the Poll module and Manage pages. Attackers can inject malicious code into the title field, which will be executed when the page is viewed by other users. Additionally, other products like Auto Classifieds, Articles Script, Real estate script, and Web directory that run on the same CMS are also vulnerable.
This exploit takes advantage of a buffer overflow vulnerability in The KMPlayer version 3.0.0.1440. It specifically bypasses the ASLR protection on Windows 7. The exploit is in the form of a specially crafted .mp3 file that triggers the buffer overflow when opened in the vulnerable software.
Input passed to the 'rm' parameter in modules/code/syntax_check.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the 'rm' parameter.
This module exploits a vulnerability found in 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report, which results in arbitrary code execution in the context of the user. The attack is carried out in three stages. The first stage sends the final payload to IGSSdataServer.exe, where it remains in memory. The second stage sends the Add command so the process can find a valid ID for the Rename command. The last stage then triggers the vulnerability with the Rename command and uses an egghunter to search for the shellcode sent in stage 1. The egghunter appears to be necessary because of the small buffer size, which cannot even hold both the ROP chain and the final payload.
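The staging idea above (park the payload in memory first, then have a small stub locate it) rests on the egghunter's search rule, shown here as an added user-space illustration in C rather than the module's own hunter shellcode. The tag value, buffer layout and function names are assumptions. The payload is prefixed with the egg twice because the hunter's own code carries the 4-byte value once, in its compare instruction; searching for two consecutive copies stops the hunter from finding itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 4-byte tag; the payload is prefixed with it twice in a row. */
#define EGG "w00t"
#define EGG_LEN 4

/* Scan [mem, mem+len) for EGG followed immediately by EGG and return the
 * offset of the first byte after the doubled tag (the payload start), or -1.
 * A real hunter probes each page with a system call before reading so that
 * unmapped memory does not fault the search; this version assumes readable
 * memory, which is fine for a constructed buffer. */
long find_egg(const uint8_t *mem, size_t len)
{
    for (size_t i = 0; i + 2 * EGG_LEN <= len; i++) {
        if (memcmp(mem + i, EGG, EGG_LEN) == 0 &&
            memcmp(mem + i + EGG_LEN, EGG, EGG_LEN) == 0)
            return (long)(i + 2 * EGG_LEN);
    }
    return -1;
}

/* What stage 1 leaves behind: the payload with the doubled tag in front.
 * Returns the number of bytes written, 0 if dst is too small. */
size_t tag_payload(uint8_t *dst, size_t dst_len,
                   const uint8_t *payload, size_t plen)
{
    if (dst_len < 2 * EGG_LEN + plen)
        return 0;
    memcpy(dst, EGG, EGG_LEN);
    memcpy(dst + EGG_LEN, EGG, EGG_LEN);
    memcpy(dst + 2 * EGG_LEN, payload, plen);
    return 2 * EGG_LEN + plen;
}

int main(void)
{
    /* Constructed "process memory": NOPs, a hunter-like region that mentions
     * the egg once, then the tagged payload further up. */
    uint8_t mem[256];
    const uint8_t payload[] = "PAYLOAD";
    memset(mem, 0x90, sizeof mem);
    memcpy(mem + 16, EGG, EGG_LEN);                 /* single copy: not a hit */
    tag_payload(mem + 100, sizeof mem - 100, payload, 7);

    long off = find_egg(mem, sizeof mem);
    printf("payload found at offset %ld: %.7s\n", off, mem + off);
    return 0;
}
```

Only the hunter has to fit in the overflowed buffer; the payload can be as large as whatever stage 1 managed to leave resident, which is exactly why the module splits the attack.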
This exploit makes use of two vulnerabilities: 1) Base64 authentication credentials hard-coded in lcfd.exe 2) Stack-based buffer overflow when parsing HTTP variable values
This exploit performs DEP bypass on WinXP SP3 with 2 different offsets. One offset applies to VMs running on Xen and VMware workstation for Linux. The second offset applies to ESXi and VMware Fusion.
Authentication credentials used by the OpenDrive application are prone to local disclosure attacks due to a weak cryptographic algorithm implementation.
This exploit targets Xitami Web Server 2.5 and utilizes a remote buffer overflow vulnerability. The exploit sends a payload to the target server and checks for a shell on port 1337. Once the shell is established, the attacker gains control of the target system.