httpdx allocates memory with malloc(size+1), where 'size' is actually the value of "Content-Length" HTTP header. All post-data will then be copied into this area using strncpy(x,y,size2), where 'size2' = "request length" - "header length" (and not Content-Length). As httpdx use it own handler function upon crash, this exploit overwrite the first _VECTORED_EXCEPTION_NODE structure with a pointer to our shellcode.
This module exploits a command injection vulnerability found in Symantec Web Gateway's HTTP service. While handling the filename parameter, the Spywall API does not do any filtering before passing it to an exec() call in proxy_file(), thus results in remote code execution under the context of the web server. Please note authentication is NOT needed to gain access.
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page.
This module exploits a vulnerability in CuteFlow version 2.11.2 or prior. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/___1/' directory and then execute it.
This module exploits a stack-based buffer overflow in Photodex ProShow Producer v5.0.3256 in the handling of the plugins load list file. An attacker must send the crafted "load" file to victim, who must store it in the installation directory. The vulnerability will be triggered the next time ProShow is opened. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
This exploit allows an attacker to extract valid sessions from the Zabbix 2.0.1 web interface. Through this web interface, an administrator can define new malicious scripts which can then be called from the maps area and executed with 'zabbix' permissions.
Plugin does not properly filter filetypes, which allows for the upload of filetypes in the following format: filename.php.jpg. Vulnerable hosts will serve such files as a php file, allowing for malicious files to be uploaded and executed. In creating the uploads folder for this plugin, the code utilizes uniqid to add a unique string to the upload folder name in order to better hide it from direct access. However, many WordPress installations allow direct access to the /wp-content/uploads/ folder, so simply look for a folder name beginning with 'feu_' to locate your upload.
The original patch for the Symantec Web Gateway 5.0.2 LFI vulnerability removed the /tmp/networkScript file but left the entry in /etc/sudoers, allowing us to simply recreate the file and obtain a root shell using a different LFI vulnerability.
An attacker can exploit a SQL injection vulnerability in SpiceWorks to gain access to sensitive information. The vulnerability exists in the API_v2.json endpoint, which allows an attacker to inject malicious SQL code into the query parameters. An attacker can also exploit a stored XSS vulnerability in SpiceWorks by configuring their snmpd.conf file to contain malicious JavaScript.
An attacker can inject HTML code into the MySQL Squid Access Report 2.1.4 application by finding the path of the Squid's access.log file and inserting '> Example: '>PWNED!' into the URL. This can be done by accessing the URL http://server/mysar/www/?a=administration.
Services By CQR