Explore all Exploits:

Exploit toolkit CVE-2017-0199 – v4.0

Exploit toolkit CVE-2017-0199 is a toolkit for exploiting CVE-2017-0199, a remote code execution vulnerability in Microsoft Office. It has two modes: Generate and Serve. Generate mode builds the malicious document and payload, and Serve mode is used to receive the connection back from the victim. It supports malicious RTF and PPSX documents, malicious HTA and EXE payloads, payload obfuscation, and custom payloads.

pinfo v0.6.9 – Local Buffer Overflow

pinfo is a terminal viewer for info and man pages. A local buffer overflow exists in pinfo v0.6.9 because the value passed to the -m argument is copied without adequate bounds checking. Supplying an overlong value to -m causes a segmentation fault and may allow execution of arbitrary code in the context of the user running pinfo; unless the binary is installed setuid, this gives no privilege beyond what the invoking user already has.
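The usual first step with a report like this is to confirm the crash and find the smallest argument length that triggers it. The harness below is an added example, not part of the original advisory or of pinfo: it runs a target with a filler string substituted for a `{PAYLOAD}` placeholder (my convention), classifies how the child died, and binary-searches the crashing length on the assumption that a stack overflow, once triggered, keeps triggering for longer inputs. The stand-in target used by `selftest_template` is a constructed Python one-liner that kills itself with SIGSEGV once the value after `-m` reaches a chosen length, so the harness can be checked without pinfo installed.

```python
import signal
import subprocess
import sys
from typing import List, Optional, Sequence

PLACEHOLDER = "{PAYLOAD}"          # my convention: replaced by the filler string in argv
MAX_ARG_LEN = 65536                # stay below Linux's 128 KiB per-argument limit
CRASH_SIGNALS = {"SIGSEGV", "SIGBUS", "SIGILL", "SIGABRT"}


def classify_exit(returncode: int) -> str:
    """Name the outcome of a child process. subprocess reports death by signal as -signum."""
    if returncode >= 0:
        return f"exit({returncode})"
    try:
        return signal.Signals(-returncode).name
    except ValueError:
        return f"signal({-returncode})"


def run_with_payload(argv_template: Sequence[str], payload: str, timeout: float = 10.0) -> str:
    """Run the target once with `payload` in place of the placeholder; return the outcome name."""
    argv = [payload if arg == PLACEHOLDER else arg for arg in argv_template]
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_exit(proc.returncode)


def find_crash_threshold(argv_template: Sequence[str], max_len: int = MAX_ARG_LEN,
                         filler: str = "A") -> Optional[int]:
    """Smallest payload length that crashes the target, or None if max_len does not crash it.
    Assumes the stack-overflow shape: once a length crashes, every longer length crashes too."""
    def crashes(n: int) -> bool:
        return run_with_payload(argv_template, filler * n) in CRASH_SIGNALS

    if not crashes(max_len):
        return None
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if crashes(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def selftest_template(threshold: int) -> List[str]:
    """Constructed stand-in target (not pinfo): a Python one-liner that raises SIGSEGV on itself
    when the value after '-m' is at least `threshold` bytes long."""
    script = ("import os, signal, sys\n"
              f"if len(sys.argv[2]) >= {threshold}: os.kill(os.getpid(), signal.SIGSEGV)")
    return [sys.executable, "-c", script, "-m", PLACEHOLDER]


if __name__ == "__main__":
    # Real use:  python3 overflow_probe.py pinfo -m '{PAYLOAD}'
    # No args:   run against the constructed stand-in target.
    template = sys.argv[1:] or selftest_template(512)
    if PLACEHOLDER not in template:
        sys.exit(f"usage: {sys.argv[0]} <argv containing {PLACEHOLDER}>")
    limit = 4096 if len(sys.argv) == 1 else MAX_ARG_LEN
    n = find_crash_threshold(template, max_len=limit)
    print("no crash up to max length" if n is None else f"smallest crashing payload length: {n}")
```

Run the real target under a debugger or with core dumps enabled once the threshold is known; the harness only tells you where the boundary is, not what was overwritten.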

Unauthenticated remote root code execution on Tenable Appliance

This exploit allows an unauthenticated attacker to execute arbitrary code as root on Tenable Appliance versions prior to 4.5. A maliciously crafted HTTP request to the vulnerable web interface causes the appliance to run a bash shell that opens a reverse shell to the attacker's machine.

Virus Chaser 8.0 – Scanner component, SEH Overflow

The scanner component of Virus Chaser 8.0 contains a stack-based buffer overflow caused by a boundary error when handling user-supplied input. Sending a specially crafted long string to the vulnerable application overflows the stack buffer and overwrites the Structured Exception Handler (SEH) record, which may allow an attacker to execute arbitrary code.

Persistent Cross-Site Scripting in agorum core Pro

Because users can upload HTML files containing JavaScript through the desk4web module, the DMS is vulnerable to persistent cross-site scripting. For example, a file named 'xssattack.html' containing JavaScript can be uploaded; when another user opens it, the script runs in that user's browser in the context of the application and can be used to attack them.

agorum core Pro Cross-Site Request Forgery (CWE-352)

The tested web application component offers no protection against cross-site request forgery (CSRF). This kind of attack forces an end user's browser to perform unwanted actions in a web application in which the user is currently authenticated. CSRF targets state-changing requests, for example enabling or disabling a feature, rather than data theft, because the attacker usually cannot see the response to the forged request.
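What "no protection" means in practice, and what the fix looks like, is shown by the added example below (my code, not agorum's): the attacker side is a self-submitting form that the victim's browser sends with its session cookie attached; the defence is a synchroniser token stored in the server-side session and compared in constant time, combined with an Origin/Referer check for state-changing methods. The `session` object is assumed to be a dict-like server-side store, and the endpoint paths used in the `__main__` block are hypothetical.

```python
import hmac
import html
import secrets
from typing import Mapping, MutableMapping, Tuple
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
SESSION_KEY = "csrf_token"


def issue_token(session: MutableMapping[str, str]) -> str:
    """Synchroniser token: a random secret kept in the user's server-side session and embedded
    in every form. A cross-site page cannot read it, so a forged request cannot include it."""
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def same_site(url: str, site_origin: str) -> bool:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower() == site_origin.lower()


def check_request(method: str, headers: Mapping[str, str], form: Mapping[str, str],
                  session: Mapping[str, str], site_origin: str) -> Tuple[bool, str]:
    """Gate a request before its handler runs. Safe methods are exempt, which only holds if
    GET handlers have no side effects (a state-changing GET is forgeable with an <img> tag)."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "missing Origin/Referer"      # policy choice: fail closed
    if not same_site(source, site_origin):
        return False, "cross-site request"
    submitted = form.get("csrf_token") or h.get("x-csrf-token")
    expected = session.get(SESSION_KEY)
    if not submitted or not expected:
        return False, "missing token"
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "token does not match session"
    return True, "ok"


def forged_form_html(target_url: str, fields: Mapping[str, str]) -> str:
    """The attacker's page: a hidden form aimed at a state-changing endpoint, submitted by script.
    The victim's browser attaches its session cookie; without a token check the action goes through."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (f'<form id="f" method="POST" action="{html.escape(target_url)}">{inputs}</form>'
            '<script>document.getElementById("f").submit()</script>')


if __name__ == "__main__":
    site = "https://dms.example"                     # hypothetical deployment
    victim_session = {}
    print(forged_form_html(site + "/desk4web/feature/disable", {"id": "42"}))
    # Forged request: right cookie, wrong origin, no token.
    print(check_request("POST", {"Origin": "https://attacker.example"}, {"id": "42"}, victim_session, site))
    # Legitimate request: same origin and the token the app embedded in its own form.
    token = issue_token(victim_session)
    print(check_request("POST", {"Origin": site}, {"id": "42", "csrf_token": token}, victim_session, site))
```

Setting the session cookie with `SameSite=Lax` or `Strict` blocks most of these forms at the browser, but the token check is what protects older clients and non-cookie flows, so keep both.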

Uninitialized Kernel Stack Memory Disclosure in Windows 10

It is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 indirectly through the win32k!NtUserPaintMenuBar system call, or more specifically, through the user32!fnINLPUAHDRAWMENUITEM user-mode callback (#107 on Windows 10 1607 32-bit). The callback is invoked under the following stack trace (the nt!memcpy frame at the top is where the callback's argument buffer is copied to user mode):

  a75e6a8c 81b63813 nt!memcpy
  a75e6aec 9b1bb7bc nt!KeUserModeCallback+0x163
  a75e6c10 9b14ff79 win32kfull!SfnINLPUAHDRAWMENUITEM+0x178
  a75e6c68 9b1501a3 win32kfull!xxxSendMessageToClient+0xa9
  a75e6d20 9b15361c win32kfull!xxxSendTransformableMessageTimeout+0x133
  a75e6d44 9b114420 win32kfull!xxxSendMessage+0x20
  a75e6dec 9b113adc win32kfull!xxxSendMenuDrawItemMessage+0x102
  a75e6e48 9b1138f4 win32kfull!xxxDrawMenuItem+0xee
  a75e6ecc 9b110955 win32kfull!xxxMenuDraw+0x184
  a75e6f08 9b11084e win32kfull!xxxPaintMenuBar+0xe1
  a75e6f34 819a8987 win32kfull!NtUserPaintMenuBar+0x7e
  a75e6f34 77d74d50 nt!KiSystemServicePostCall
  00f3f08c 7489666a ntdll!KiFastSystemCallRet
  00f3f090 733ea6a8 win32u!NtUserPaintMenuBar+0xa
  00f3f194 733e7cef uxtheme!CThemeWnd::NcPaint+0x1fc
  00f3f1b8 733ef3c0 uxtheme!OnDwpNcActivate+0x3f
  00f3f22c 733ede88 uxtheme!_ThemeDefWindowProc+0x800
  00f3f240 75d8c2aa uxtheme!ThemeDefWindowProcW+0x18
  00f3f298 75d8be4a USER32!DefWindowProcW+0x14a
  00f3f2b4 75db53cf USER32!DefWindowProcWorker+0x2a
  00f3f2d8 75db8233 USER32!ButtonWndProcW+0x2f
  00f3f304 75d8e638 USER32!_InternalCallWinProc+0x2b
  00f3f3dc 75d8e3a5 USER32!UserCallWinProcCheckWow+0x218
  00f3f438 75da5d6f USER32!DispatchClientMessage+0xb5
  00f3f468 77d74c86 USER32!__fnDWORD+0x3f
  00f3f498 74894c3a ntdll!KiUserCallbackDispatcher+0x36
  00f3f49c 75d9c1a7 win32u!NtUserCreateWindowEx+0xa
  00f3f774 75d9ba68 USER32!VerNtUserCreateWindowEx+0x231
  00f3f84c 75d9b908 USER32!CreateWindowInternal+0x157
  00f3f88c 000d15b7 USER32!CreateWindowExW+0x38

Adobe Creative Cloud Privilege Escalation

Adobe Creative Cloud sets weak permissions on the "Adobe Photoshop dll & Startup Scripts" directories: the 'Authenticated Users' group is granted the 'C' (Change) right, so any authenticated user can modify the files there. Because another account, including one with elevated privileges, later loads or runs those files, this may allow a low-privileged authenticated user to execute arbitrary code in the security context of any other user on the affected system.
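The check a practitioner wants for a finding like this is a quick sweep of the directories whose contents another account executes, flagging any ACE that gives a principal every logged-on user belongs to a write-capable right. The script below is an added example, not Adobe's code or the original advisory's: it parses `cacls` output (where Change shows as the letter C, as the advisory quotes) and `icacls` output (where the same grant shows as `(M)`), and reports low-privilege principals with write rights. The `SAMPLE_OUTPUT` listings and their paths are constructed for offline testing, not captured from a real Adobe install; the parser needs the queried path because both tools print it in front of the first ACE and paths may contain spaces.

```python
import re
import subprocess
from typing import Callable, Dict, List, Set, Tuple

# Principals any logged-on user belongs to. A write grant to one of these on a directory whose
# contents another account loads or executes is a privilege-escalation path.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
    "builtin\\users",
}
# cacls letters (C = Change, F = Full, W = Write) and icacls simple/specific rights that allow
# creating, replacing or deleting content, or changing the ACL itself.
WRITE_RIGHTS = {"C", "F", "W", "M", "D", "WD", "AD", "WDAC", "WO", "DE", "GW", "GA"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I", "ID"}

ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<rights>\S+)$")


def parse_acl_listing(path: str, text: str) -> List[Tuple[str, Set[str]]]:
    """Parse `cacls <path>` or `icacls <path>` output into (principal, rights) pairs.
    The first line repeats the path before the first ACE; later ACEs are indented. Lines that
    are not an ACE (icacls's summary line, cacls's "special access" detail) are skipped."""
    aces: List[Tuple[str, Set[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights: Set[str] = set()
        for paren, bare in re.findall(r"\(([^)]*)\)|([A-Z]+)", m.group("rights")):
            for token in (paren or bare).split(","):
                token = token.strip()
                if token and token not in INHERITANCE_FLAGS:
                    rights.add(token)
        aces.append((m.group("who").strip(), rights))
    return aces


def weak_grants(aces: List[Tuple[str, Set[str]]]) -> List[Tuple[str, List[str]]]:
    """ACEs that let any authenticated user change the directory's contents."""
    return [(who, sorted(rights & WRITE_RIGHTS)) for who, rights in aces
            if who.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]


def run_icacls(path: str) -> str:
    return subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout


def audit(paths, run: Callable[[str], str] = run_icacls) -> Dict[str, List[Tuple[str, List[str]]]]:
    return {p: weak_grants(parse_acl_listing(p, run(p))) for p in paths}


# Constructed sample output (hypothetical paths, not a real Adobe install): one directory in
# cacls form with the Authenticated Users 'C' grant, one in icacls form with read-only Users.
WEAK_DIR = r"C:\Program Files\Example\Startup Scripts"
OK_DIR = r"C:\Program Files\Example\Plug-ins"
SAMPLE_OUTPUT = {
    WEAK_DIR: (
        WEAK_DIR + r" NT AUTHORITY\Authenticated Users:(OI)(CI)C" "\n"
        r"                                        BUILTIN\Administrators:(OI)(CI)F" "\n"
        r"                                        NT AUTHORITY\SYSTEM:(OI)(CI)F" "\n"
    ),
    OK_DIR: (
        OK_DIR + r" BUILTIN\Users:(I)(OI)(CI)(RX)" "\n"
        r"                                 BUILTIN\Administrators:(I)(OI)(CI)(F)" "\n"
        r"                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)" "\n"
        "Successfully processed 1 files; Failed processing 0 files\n"
    ),
}

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    results = audit(targets) if targets else audit(SAMPLE_OUTPUT, run=SAMPLE_OUTPUT.__getitem__)
    for path, grants in results.items():
        print(("WEAK " if grants else "ok   ") + path, grants)
```

Run it on a Windows host as `python audit_acl.py "C:\Program Files\..."` for each directory in the advisory; with no arguments it reports on the constructed sample. The fix on the product side is to remove the Change grant and leave Authenticated Users with Read & Execute.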
