WebLogic Server and WebLogic Express contain a vulnerability that allows an attacker to view the source code of any file on the server. This is done by sending an HTTP request that includes "/file/" in the URL. The server then calls upon the default servlet, which causes the page to display the source code in the web browser.
Password changes submitted to Red Hat Piranha via HTTP are insecurely passed as variables in a GET request. Unauthorized users could obtain the password by reading the httpd access log or by sniffing.
This is an old buffer overflow in suidperl, which gives euid=0 on BSDi/3.0. The exploit contains a 14-character shellcode, a general offset of -5000, and a 4-character NUL-terminator. The exploit sets the environment variable EXEC to the shellcode, and then executes suidperl with the return address as an argument.
This exploit is based on samba-2.2.8a and is used to mount the C$ share folder of the target machine to bin/backrush/mnt/C$. It affects Windows 2000 (SP0 SP1 SP2 SP3) and Windows XP (SP0 SP1). It is provided for educational purposes only as a proof of concept.
This exploit is mainly a proof of concept for the recently discovered ntdll.dll bug (which may be exploitable in many other programs, not only IIS). Practical exploitation is not as easy as expected, because guessing the RET address is difficult and wrong guesses may crash IIS, which makes brute forcing the RET address tedious work. The shellcode included here binds a cmd.exe shell to a given port on the victim machine, so it may not be usable if that machine is protected behind a firewall.
A buffer overflow exists in the version of Mattel's Cyber Patrol software integrated into the Network Associates Gauntlet firewall, versions 4.1, 4.2, 5.0 and 5.5. Due to the manner in which Cyber Patrol was integrated, a vulnerability was introduced which could allow a remote attacker to gain root access on the firewall or execute arbitrary commands on it. By default, Cyber Patrol is installed on Gauntlet installations and runs for 30 days, after which it is disabled. During this 30-day period the firewall is susceptible to attack. Because the filtering software is externally accessible, users not on the internal network may also be able to exploit the vulnerability. Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue.
Several buffer overflow vulnerabilities exist in Kerberos 5 implementations due to buffer overflows in the Kerberos 4 compatibility code. Affected implementations include MIT Kerberos 5 releases 1.0.x, 1.1 and 1.1.1, MIT Kerberos 4 patch level 10 (and, most likely, prior releases), and Cygnus KerbNet and Network Security (CNS). The main problem is a buffer overflow in the krb_rd_req() library function. This function is used by every application that supports Kerberos 4 authentication, including, but not limited to, kshrd, klogin, telnetd, ftpd, rkinitd, v4rcp and kpopd. It is therefore possible for a remote attacker to exploit this vulnerability and gain root access on affected machines, or for a local attacker to obtain root-level access. In addition, there are other buffer overruns present in the ksu and krshd sources from MIT. These problems will be remedied in the same MIT release that fixes the krb_rd_req() vulnerability.
A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7, on both SPARC and x86, have been confirmed as vulnerable. The overflow is in the handling of the -p option, normally used to specify a printer. By supplying a long argument containing machine code, it is possible to execute arbitrary commands as root. On SPARC, the exploits provided spawn a root shell, whereas on x86 they create a setuid root shell in /tmp.
This exploit targets a buffer overflow vulnerability in HP-UX pppd. It allows an attacker to execute arbitrary code on the vulnerable system by overflowing the buffer with a malicious payload. The exploit uses an unusual ("weirdo") NOP instruction for its NOP sled, followed by the shellcode that runs the payload.
A default username and password have been discovered in the Piranha virtual server and load balancing package from Red Hat. Version 0.4.12 of the piranha-gui program contains a default account, piranha, with the password 'q' (no quotes). Using this username and password in conjunction with flaws in the passwd.php3 script (also part of Piranha) allows remote users to execute arbitrary commands on the machine. Execute the following URL, using the above information to authenticate: http://victim.example.com/piranha/secure/passwd.php3. Next, execute the following: http://victim.example.com/piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT. This will touch a file in /tmp named r00ted. More complex attacks are certainly possible.