This modem's web application suffers from cross-site request forgery (CSRF): an attacker can manipulate user data by sending the victim a maliciously crafted URL. The application does not use any anti-CSRF security token, so any user data can be manipulated. PoC and exploit to change the user password: in the PoC, the IP address in the POST request is the modem's IP address.
This particular buffer overflow (BOF) takes advantage of insecure handling of the english.xml file, which the application uses to display its error messages. The script generates two files: a malformed .bmp file that causes ImageMagick to raise a specific error (LengthAndFilesizeDoNotMatch) when opened, whose message text is defined in english.xml, and a modified english.xml file in which that original error message is replaced with our exploit code.
Exploit written by Rew for a 0day Linksys unauthenticated remote code execution vulnerability, the one exploited by the TheMoon worm, which was discovered in the wild on Feb 13, 2014 by Johannes Ullrich. The exploit currently only works over the LAN. The list of vulnerable devices includes E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.
CA 2E Web Option (r8.1.2), and potentially other versions, is vulnerable to unauthenticated privilege escalation via a predictable session token. The POST parameter carrying the session token, W2E_SSNID, appears as follows: W2E_SSNID=W90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnEJuNX9GoVjCEbqIuKh6kFRvbzYnUxgQtONszJldyAar3LtTSwsmBLpdlPc5iDH4Zf75. However, this token is poorly validated: only its leading part is checked, so the truncated value W2E_SSNID=W90NIxGoSsN1023ZYW2E735182000013 is accepted as a valid session. By incrementing and decrementing the digits at the end of that truncated value, it is possible to take control of the session with the resulting ID. Because this token is sent as part of the login page, an unauthenticated attacker can manipulate it and thereby gain access to any valid session. Consequently, it is also possible to request the following page: https://app.domain.co.uk/web2edoc/close.htm?SSNID=W90NIxGoSsN1023ZYW2E735182000026 which ends the specified session and could lead to a denial of service condition.
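The two halves of the W2E_SSNID problem, modelled as an added example (this is not CA's code, and the check below is an assumption about how the validation behaves, based only on the advisory's observation that the 32-character prefix is accepted). `weak_validate` reproduces the prefix-only acceptance, `strict_validate` is the full-length constant-time check it should have been, and `neighbouring_ids` walks the trailing digit counter the way the advisory describes, which is why the quoted `...000026` ID is reachable from the quoted `...000013` one. `fresh_token` shows a session ID with no counter to walk:

```python
import hmac
import re
import secrets

# Token quoted in the advisory, used here as constructed test data (not a live session).
FULL_TOKEN = ("W90NIxGoSsN1023ZYW2E735182000013"
              "CLSpKfgkCJSLKsc600061JKenjKnEJuNX9GoVjCEbqIuKh6kFRvbzYnUxgQtONszJldyAar3"
              "LtTSwsmBLpdlPc5iDH4Zf75")
PREFIX_LEN = 32  # assumption: only this many leading characters are actually compared


def weak_validate(presented: str, stored: str) -> bool:
    """Models the flaw: a token is accepted as long as its first 32 characters
    match the stored session id, so the random-looking tail is never checked."""
    return presented[:PREFIX_LEN] == stored[:PREFIX_LEN]


def strict_validate(presented: str, stored: str) -> bool:
    """Hardened check: full-length, constant-time comparison of the whole token."""
    return hmac.compare_digest(presented.encode(), stored.encode())


def neighbouring_ids(prefix: str, span: int) -> list[str]:
    """Enumerate the ids an attacker reaches by incrementing and decrementing the
    trailing digit counter of a known prefix (the step the advisory describes).
    The counter keeps its zero-padded width so the ids stay the same length."""
    m = re.fullmatch(r"(.*?)(\d+)", prefix)
    if m is None:
        raise ValueError("prefix does not end in a digit counter")
    head, digits = m.group(1), m.group(2)
    n, width = int(digits), len(digits)
    return [f"{head}{i:0{width}d}"
            for i in range(max(0, n - span), n + span + 1) if i != n]


def fresh_token() -> str:
    """What a session id should look like: unpredictable, with no counter to walk."""
    return secrets.token_urlsafe(48)
```

Note that fixing the comparison alone is not enough: as long as the accepted part of the ID contains a sequential counter, neighbouring sessions stay guessable, so the ID itself has to come from a CSPRNG as `fresh_token` does.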
Multiple remote code (script) injection web vulnerabilities have been discovered in the official Sticktos jDisk v2.0.3 iOS mobile web application. The vulnerabilities allow remote attackers to execute unauthorized script code in the context of the application and compromise the affected service. They are located in the `New+ Text file` and `New+ Folder` name values of the jDisk mobile web application: remote attackers are able to inject their own malicious script code into these two values.
The Universal Plug and Play (UPnP) implementation used by NetGear accepts an ordinary HTTP POST request, such as a browser form submission, as a valid XML request, which makes the UPnP service vulnerable to inter-protocol cross-site request forgery. This can be used to bypass or alter firewall rules.
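Both of the CSRF cases on this page (the modem's password change and the NetGear UPnP endpoint) come down to a server that trusts any POST carrying the victim's cookies or reaching its port. The following is an added example, not code from either vendor: `change_password_vulnerable` honours a cross-site form just as the modem does, `change_password_hardened` demands a per-session synchronizer token, and the two `upnp_accepts_*` functions contrast lenient "anything that parses as XML" handling with the protocol checks a browser form cannot satisfy (a `text/xml` Content-Type and a `SOAPAction` header, which forms cannot set). The `Request`/`Session` classes and the SOAP body are constructed stand-ins, and `ExampleAction` is a placeholder, not a real UPnP action:

```python
import hmac
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # fields parsed from a form body
    body: bytes = b""


@dataclass
class Session:
    user: str
    password: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# --- The modem's password change: cookie-only trust versus a synchronizer token ---

def change_password_vulnerable(req: Request, session: Session) -> int:
    """Any POST that rides on the victim's cookie is honoured, so a form on an
    attacker's page can change the password. Returns an HTTP status code."""
    if req.method != "POST":
        return 405
    session.password = req.form["new_password"]
    return 200


def change_password_hardened(req: Request, session: Session) -> int:
    """Requires the per-session token, which a cross-site page cannot read."""
    if req.method != "POST":
        return 405
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403
    session.password = req.form["new_password"]
    return 200


# --- The UPnP control endpoint: lenient parsing versus protocol checks ------------

# Hypothetical SOAP body; the action name and argument are placeholders, not a
# real vendor request. A <form enctype="text/plain"> submission sends
# "name=value", so the mandatory '=' is hidden inside a trailing XML comment.
CROSS_SITE_BODY = (b'<?xml version="1.0"?>'
                   b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                   b'<s:Body><u:ExampleAction xmlns:u="urn:example:service:1">'
                   b'<Arg>value</Arg></u:ExampleAction></s:Body></s:Envelope>'
                   b'<!--=-->\r\n')


def upnp_accepts_vulnerable(req: Request) -> bool:
    """Takes any POST whose body parses as XML, whatever Content-Type says."""
    if req.method != "POST":
        return False
    try:
        ET.fromstring(req.body)
    except ET.ParseError:
        return False
    return True


def upnp_accepts_hardened(req: Request) -> bool:
    """A browser form can only send urlencoded, multipart or text/plain bodies
    and cannot add custom headers, so insist on text/xml plus a SOAPAction."""
    if req.method != "POST":
        return False
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "text/xml" or "SOAPAction" not in req.headers:
        return False
    return upnp_accepts_vulnerable(req)
```

The header checks in `upnp_accepts_hardened` only work because browsers enforce them on the attacker's behalf; a non-browser client on the LAN can still set them, so they close the inter-protocol CSRF route, not LAN-side abuse of the service itself.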
This is proof-of-concept code created for the sole purpose of helping system administrators evaluate whether their applications are vulnerable to this issue. The code sends a number of requests to the server with a specially crafted multipart/form-data body, which can cause the server to become unresponsive.
It is possible to copy the complete home folder of another user by leveraging a directory traversal vulnerability in the Titan FTP Server web interface. This is done by using the 'Move' function and replacing the value of the 'src' parameter with '/../<folder name of another user>'. It is also possible to obtain the complete list of existing users by entering '/../' in the search bar and pressing the 'Go' button. Additionally, the 'Properties' of another user's home folder can be viewed, which also allows enumeration of the users on the system: use the 'Properties' function and replace the 'src' parameter value with '/../<folder name of another user>'.
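What the 'src' traversal does on the file system, and the check that stops it, as an added example (not Titan's code; the `/ftp/home/<user>` layout is a constructed assumption). `server_resolves` shows where a blindly concatenated path ends up: '/../bob' lands in bob's home and '/../' in the parent of all homes, which is the listing the search bar leaks. `resolve_in_home` normalises first and then refuses any target outside the caller's own home; the `home + "/"` in the comparison is deliberate, since a bare prefix test would let '/ftp/home/alice2' pass as inside '/ftp/home/alice':

```python
import posixpath

USER_HOME = "/ftp/home/alice"   # constructed layout: each user's home sits under /ftp/home


def server_resolves(user_home: str, src: str) -> str:
    """What the operating system actually opens when the server builds the path
    by plain concatenation: '/../bob' walks straight out of alice's home."""
    return posixpath.normpath(user_home + "/" + src)


def resolve_in_home(user_home: str, src: str) -> str:
    """Hardened resolution: normalise the candidate path, then refuse anything
    that does not stay inside the caller's own home directory."""
    home = posixpath.normpath(user_home)
    target = posixpath.normpath(posixpath.join(home, src.lstrip("/")))
    # The trailing "/" stops '/ftp/home/alice2' matching as inside '/ftp/home/alice'.
    if target != home and not target.startswith(home + "/"):
        raise PermissionError(f"{src!r} escapes {home}")
    return target


def move_allowed(user_home: str, src: str, dst: str) -> bool:
    """Both ends of a 'Move' must resolve inside the user's home."""
    try:
        resolve_in_home(user_home, src)
        resolve_in_home(user_home, dst)
    except PermissionError:
        return False
    return True
```

`posixpath.normpath` is a purely lexical check; on a live server the target must also be resolved with the real file system (`os.path.realpath` or an `openat`-style descriptor walk) so that a symlink inside the home cannot point back out of it.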
An authenticated user, or a guest user if guest access is enabled, can inject arbitrary SQL into the Tableau Server backend database through the modified_after parameter. As a proof of concept, the default database user (Zrails) was confirmed using the following payload: http://127.0.0.1/views?modified_after=2013-12-08T23%3A00%3A00.000Z'%20or%20user%20like%20'Zrails
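The mechanics of that payload, as an added example that is not Tableau's code: the URL-decoded value closes the string literal and appends `or user like 'Zrails'`, so the query stops filtering by date and instead answers a yes/no question about the database user. The in-memory SQLite table is a constructed stand-in for the backend; its `user` column plays the role of PostgreSQL's `user` (the current database user) that the real payload probes, and the column and row names are invented. `views_parameterized` shows the fix: with a bound parameter the entire value, quotes and all, is one string compared against the date column:

```python
import sqlite3
from urllib.parse import unquote

# The exact query-string value from the advisory, URL-decoded.
PAYLOAD = unquote("2013-12-08T23%3A00%3A00.000Z'%20or%20user%20like%20'Zrails")
HONEST_VALUE = "2013-12-08T23:00:00.000Z"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the backend (not Tableau's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE views (name TEXT, modified_at TEXT, user TEXT)")
    conn.executemany("INSERT INTO views VALUES (?, ?, ?)", [
        ("sales_q3",   "2013-11-01T00:00:00.000Z", "Zrails"),
        ("hr_private", "2013-10-15T00:00:00.000Z", "Zrails"),
        ("new_dash",   "2013-12-10T00:00:00.000Z", "Zrails"),
    ])
    return conn


def build_query_vulnerable(modified_after: str) -> str:
    """String concatenation: the quote in the payload closes the literal and
    everything after it becomes live SQL."""
    return "SELECT name FROM views WHERE modified_at > '" + modified_after + "'"


def views_vulnerable(conn: sqlite3.Connection, modified_after: str) -> list[str]:
    return sorted(r[0] for r in conn.execute(build_query_vulnerable(modified_after)))


def views_parameterized(conn: sqlite3.Connection, modified_after: str) -> list[str]:
    """Bound parameter: the whole value is one string, quotes included, so the
    injected clause never reaches the SQL parser."""
    sql = "SELECT name FROM views WHERE modified_at > ?"
    return sorted(r[0] for r in conn.execute(sql, (modified_after,)))


def probe_db_user(conn: sqlite3.Connection, guess: str) -> bool:
    """Boolean oracle behind the PoC: the injected OR only widens the result
    set when the guessed user name is right."""
    baseline = views_vulnerable(conn, HONEST_VALUE)
    injected = views_vulnerable(conn, f"{HONEST_VALUE}' or user like '{guess}")
    return len(injected) > len(baseline)
```

The page's exact payload therefore returns every view on the vulnerable path and only the one genuinely newer view on the parameterized path; `probe_db_user` is the same comparison turned into a reusable true/false test, which is how a single extra row in a listing leaks the backend user name.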
This module exploits a vulnerability in win32k.sys where, under specific conditions, TrackPopupMenuEx passes a NULL pointer to the MNEndMenuState procedure. The module has been tested successfully on Windows 7 SP0 and Windows 7 SP1.