This exploit happens when parsing an overly long GET request. We can gain control of the $eip register; the next 4 bytes of our user-supplied data are copied into the $esp register. The 3 buffer overflows found in XBMC have nothing in common; they are 3 separate overflows. We are able to overwrite the exception handlers also, so creating a reliable exploit for Vista and XP SP3 shouldn't be too hard; have a look, there are some modules loaded without /SAFESEH.
XBMC is an award-winning media center application for Linux, Mac OS X, Windows and Xbox. A buffer overflow vulnerability was discovered in XBMC 8.10 Atlantis, which was tested on Windows XP SP3 and Linux Ubuntu 8.10. The vulnerability was discovered by n00b, and the PoC code was written on Linux and compiled with gcc-4.*. The exploit requires filtering of bad chars from the shellcode.
DeepBurner 1.9.0.228 is vulnerable to a stack buffer overflow due to a lack of proper bounds checking, which can be exploited to overwrite the SEH chain and execute arbitrary code. The vulnerability exists in the 'burner.c' file, where a user-supplied argument is copied into a 1024-byte buffer without proper bounds checking. An attacker can exploit this vulnerability by supplying a long argument to the program, which overwrites the SEH chain and leads to execution of arbitrary code.
Several vulnerabilities have been discovered in the Sun Java System Calendar Express web server. First, an attacker can crash the web server, creating a Denial of Service condition, by simply requesting a certain URL twice. Second, several cross-site scripting vulnerabilities were found in the following files/URLs: 'https://<server>:3443/login.wcap' and 'https://<server>:3443/command.shtml'. Cross-site scripting (XSS) vulnerabilities allow an attacker to execute arbitrary script code in the context of the user's browser (in the vulnerable application's domain). For example, an attacker could exploit an XSS vulnerability to steal user cookies (and then impersonate the legitimate user) or to fake a page requesting information from the user (e.g. credentials). This vulnerability occurs when user-supplied data is displayed without encoding.
PrecisionID has an ActiveX control, DMATRIXLib.Datamatrix, that can be used to overwrite any file on the target system. This control contains two methods, SaveBarCode() and SaveEnhWMF(), that can be used to overwrite any file on the OS.
A SQL injection vulnerability exists in VSP Stats Processor due to improper sanitization of user-supplied input in the 'gameID' parameter of the 'gamestat.php' script. An attacker can exploit this vulnerability to gain access to the underlying database and execute arbitrary SQL queries.
A remote SQL injection vulnerability exists in PHPRecipeBook 2.39 due to insufficient sanitization of user-supplied input to the 'course_id' parameter of the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable application. Successful exploitation can result in unauthorized access to sensitive information stored in the database.
A vulnerability in JobHut version 1.2 allows an attacker to remotely change the password and email of a user. The exploit can be accessed through the manageUser.php page in the administration folder.
This bug allows a guest to include local files. This technique can be used to execute remote commands on the vulnerable system using the Apache logs.
VirtueMart Joomla eCommerce Edition is affected by two vulnerabilities, a Remote Shell Command Execution vulnerability in shop.pdf_output.php and a Remote File Inclusion vulnerability in show_image_in_imgtag.php. The Remote Shell Command Execution vulnerability allows an attacker to execute remote shell commands on the target server, while the Remote File Inclusion vulnerability allows an attacker to include remote files on the target server.