
Explore Vulnerabilities


Explore all Exploits:

mount exploit for glibc locale bug

This is a buffer overflow exploit for the glibc locale bug. It was tested on Red Hat 6.2, Slackware 7.0 and Debian 2.2. It uses the 'mount' command to execute the shellcode. The user needs to run 'objdump /bin/mount | grep exit' to get the -a address. The exploit uses the 'execl' function to execute the shellcode.

CGIScript.net csPassword.cgi Script Vulnerability

A vulnerability has been reported in the csPassword.cgi script developed by CGIScript.net. It is possible for an authenticated user to add directives and make changes to the generated .htaccess file. Adding the JavaScript as part of the URL will change the text field into a textbox, allowing users to enter newlines and other characters.

Apache Tomcat Default Configuration Error Information Disclosure Vulnerability

Apache Tomcat is a freely available, open source web server maintained by the Apache Foundation. When Apache Tomcat is installed with a default configuration, several example files are also installed. When some of these example files are requested without any input, they will return an error containing the absolute path to the server's web root. The attacker can submit a request in one of the following formats: http://webserver/test/jsp/pageInfo.jsp, http://webserver/test/jsp/pageImport2.jsp, http://webserver/test/jsp/buffer1.jsp, http://webserver/test/jsp/buffer2.jsp, http://webserver/test/jsp/buffer3.jsp, http://webserver/test/jsp/buffer4.jsp, http://webserver/test/jsp/comments.jsp, http://webserver/test/jsp/extends1.jsp, http://webserver/test/jsp/extends2.jsp, http://webserver/test/jsp/pageAutoFlush.jsp, http://webserver/test/jsp/pageDouble.jsp, http://webserver/test/jsp/pageExtends.jsp, http://webserver/test/jsp/pageImport2.jsp, http://webserver/test/jsp/pageInfo.jsp, http://webserver/test/jsp/pageInvalid.jsp, http://webserver/test/jsp/pageIsErrorPage.jsp, http://webserver/test/jsp/pageIsThreadSafe.jsp, http://webserver/test/jsp/pageLanguage.jsp, http://webserver/test/jsp/pageSession.jsp, http://webserver/test/jsp/declaration/IntegerOverflow.jsp

Denial of Service in Cisco Routers via Spoofed ICMP Redirect Messages

It has been reported that it is possible to cause a denial of service in some Cisco routers by sending a large number of spoofed ICMP redirect messages. To generate random ICMP redirect messages, a sender tool is available at http://www.phenoelit.de/irpas/icmp_redflod.c, which has to be linked with the IRPAS packet library. On high-bandwidth networks, the command line switch -w0 can be used to increase the sending rate.

Phorum GLOBALS Parameter Remote Command Execution Vulnerability

Phorum is a PHP-based web forums package designed for most UNIX variants, Linux, and Microsoft Windows operating systems. The 'header.php' and 'footer.php' components of Phorum do not sanitize the client-supplied value of the 'GLOBALS' parameter prior to output. As a result, script commands embedded in these variables will be executed by the client in the context of Phorum. Attackers may exploit this vulnerability to obtain user credentials.

Matu FTP Client Stack Overflow Vulnerability

An issue has been reported which could allow a malicious FTP server to execute arbitrary code on a Matu FTP client. If, upon user connection, an FTP server '220' response is of excessive length, a stack-based overflow condition could occur. This overflow could overwrite stack variables and be used to execute arbitrary code. However, sending random data could cause the application to crash.

Abyss Web Server Directory Traversal Vulnerability

Abyss Web Server is a freely available personal web server maintained by Aprelium Technologies and runs on Microsoft Windows operating systems, as well as Linux. It is possible for a remote attacker to disclose the contents of arbitrary web-readable files by making a specially crafted web request containing encoded dot-dot-slash (../) sequences. This issue may be exploited by a remote attacker to gain access to the administrative configuration file for the web server.

Solaris Heap Overflow

A local user can supply a maliciously formatted string with the -co option to Xsun, which can result in the execution of arbitrary code and elevated privileges. This exploit was discovered by gloomy (gloomy@root66.org) & eSDee (esdee@netric.org). The exploit involves writing shellcode that re-opens STDIN and then duplicates the STDERR file descriptor, so the important descriptors are back again.

Recent Exploits: