EKG Gadu is an open source Gadu-Gadu client for UNIX systems. This exploit uses a buffer overflow vulnerability to execute arbitrary code on the target system. The exploit was developed using Exploit Pack v6.01 and tested on Kali Linux 2.0 x86 against EKG Gadu version 1:1.9~pre+r2855-3+b1. The payload layout is NOPSLED + SHELLCODE + EIP.
WooCommerce Order Export Import Plugin helps you easily export and import orders in your store. This attack allows an attacker to export all orders without being authenticated.
A vulnerability exists in BuilderEngine 3.5.0 which allows an unauthenticated attacker to upload arbitrary files to the server. This can be exploited by sending a POST request to /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ with a malicious file in the files[] parameter. The uploaded file can then be accessed via the /files/ directory.
This exploit is for the PHP 5.0.0 tidy_parse_file() vulnerability. The bug was discovered by Yakir Wizman and the exploit was tested on Windows XP SP3 English. The exploit uses a 2036-byte string of 'A's followed by the address 0x1017c6af of a `call esp` instruction, which transfers execution to the shellcode on the stack. The shellcode is 144 bytes long, encoded with x86/shikata_ga_nai, and launches calc.
The $prog_dir parameter in /anobbs_dev_1.0.1/progs/bbs_auth.php, line 7, is vulnerable. An attacker can exploit this vulnerability by injecting malicious code through the $prog_dir parameter, which can be used to execute arbitrary code on the vulnerable system.
This exploit is an additional EXTRABACON module for Cisco ASA version 9.2(3). It does not use the same shellcode as the Equation Group version, but accomplishes the same task of disabling the authentication functions in fewer stages and bytes.
It is able to inject arbitrary data into device memory via the 'Lang' cookie; the injected data is retained until the modem restarts and is returned with every HTTP response.
Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class, whose constructor takes an OGNL expression as its parameter. When the IoServiceMBean is exposed through JMX, it is possible to abuse this function to execute an arbitrary command on the server.
The servicemanager, when determining whether the sender of a binder transaction is authorized to register a service via SVC_MGR_ADD_SERVICE, looks up the sender's SELinux context using getpidcon(spid), where spid is the value of the sender_pid field in the binder_transaction_data received from the binder driver. This is problematic because getpidcon($pid) is only safe to use if the caller either knows that the process originally referenced by $pid can't transition from zombie to dead (normally because the caller is the parent or ptracer of $pid), or if the caller can validate, based on the age of the process that $pid points to after the getpidcon() call, that this process cannot have been spawned before $pid referred to the correct process. An attacker can, at least theoretically, register arbitrary services that would normally be provided by the system_server if they can perform, or cause, the required operations in the right order.
PrivateTunnel Client v2.7.0 is vulnerable to local credentials disclosure after the user has logged out. PrivateTunnel appears to keep the supplied credentials in plaintext in process memory both while the user is logged in and after sign-out. A potential attacker could recover the supplied username and password in order to gain access to the PrivateTunnel account.