A buffer overflow was found after constructing a .wav payload over 4000 characters and attempting to convert the payload to a .mp3 file. A jump to shellcode was used, followed by a pop pop retn. The shellcode used was a MessageBox shellcode from exploit-db.com.
The username field in the captive portal of the Cyberoam NG firewall is vulnerable to SQL injection and can be exploited to execute SQL commands on the database. The username field is vulnerable to the following types of SQL injection: a) boolean-based blind SQL injection; b) stacked queries.
Viber is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. This issue is due to the application's failure to properly handle non-printable characters. An attacker can exploit this issue by sending a specially crafted message to the affected application. This issue affects Viber 4.2.0 on iOS 7.1.2.
This PoC will create a dummy file in the /tmp folder and will copy /etc/passwd to /tmp. To modify the attack payload, modify the code below. Setup: Ubuntu Linux 14.04 LTS x86 with Ganglia Web Frontend 3.5.0. Attacker puts the contents of this PoC file into the file: /tmp/attack.php. Attacker visits the Ganglia Web Frontend interface with version < 3.5.1 as: http://targetIP/ganglia/graph.php?g=../../../../tmp/attack&metric=DUMMY&title=DUMMY. Confirm that the PoC created a dummy file in the /tmp folder and copied /etc/passwd to /tmp.
Edimax PS-1206MF is vulnerable to authentication bypass. By sending a POST request to .cgi, an attacker can change specific settings or even reset the admin password without knowing the current password. By default, the current password must be known in order to change it, but when the request is missing the anewpass and confpass POST parameters, the admin password is set to null.
A cross-site scripting vulnerability in user preferences allows remote unauthenticated users to inject arbitrary web script via the GET or POST 'pagename' parameter.
Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file, access http://<printer url>/smb_serverList.csv. The UserName and Password fields are stored in plain text.
A file inclusion vulnerability in pluck/admin.php, in the 'action' function, allows inclusion of local files or potentially execution of arbitrary PHP code.
freeSSHd does not correctly handle the channel shell request; a malformed 'shell' length can lead to a crash.
Any registered user with access to the upload functionality can upload an arbitrary file and achieve command execution. The vulnerable URL is http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/ and the vulnerable parameter is 'filename'. To exploit this vulnerability, a user must log in as a regular user with access to the upload functionality, go to the vulnerable URL, select the upload file option to upload an arbitrary file (e.g. 'hello.php'), and then access the file at http://targetsite.com/wolfcms/public/hello.php.