Input passed to the 'rm' parameter in modules/code/syntax_check.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the 'rm' parameter.
This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report, which results in arbitrary code execution under the context of the user. The attack is carried out in three stages. The first stage sends the final payload to IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command so the process can find a valid ID for the Rename command. The last stage then triggers the vulnerability with the Rename command, and uses an egghunter to search for the shellcode that we sent in stage 1. The use of an egghunter appears to be necessary due to the small buffer size, which cannot even contain our ROP chain and the final payload.
This exploit makes use of two vulnerabilities: 1) Base64 authentication credentials hard-coded in lcfd.exe; 2) a stack-based buffer overflow when parsing HTTP variable values.
This exploit performs DEP bypass on WinXP SP3 with 2 different offsets. One offset applies to VMs running on Xen and VMware workstation for Linux. The second offset applies to ESXi and VMware Fusion.
Authentication credentials used by the OpenDrive application are prone to local disclosure attacks due to a weak cryptographic algorithm implementation.
This exploit targets Xitami Web Server 2.5 and utilizes a remote buffer overflow vulnerability. The exploit sends a payload to the target server and checks for a shell on port 1337. Once the shell is established, the attacker gains control of the target system.
The following PoC instructs an HP Data Protector Client to download and install an .exe file. It tries to get the file from a share (pwn2003se.home.it) and, if that fails, it tries to access the same file via HTTP. To get the PoC working with this payload, share a malicious file via HTTP under http://pwn2003se.home.it/Omniback/i386/installservice.exe.exe and you are done. Tweak the payload to better suit your needs.
The vulnerability allows an attacker to perform SQL injection attacks through the search.php page in vBulletin 4.0.x to 4.1.2. The attacker can execute arbitrary SQL queries and gain unauthorized access to the database.
It is possible to cause a Denial of Service in Novell's LDAP-SSL daemon due to the system blindly allocating a user-specified amount of memory.
The exploit involves copying a file to a specific location in the Steam directory and then running Steam.exe, causing the program to crash. This results in the synchronization of the user's configuration file with their account. When the user logs in on another computer with the same account, Steam crashes.