This is a buffer overflow exploit for Windows 7/10 Home x86/x86_x64. It uses a malicious payload to overwrite the return address of a vulnerable function, allowing the attacker to execute arbitrary code. The payload is encoded to avoid bad characters and detection. The exploit also uses a ROP chain to bypass DEP and ASLR.
AXIS Network Cameras (various models/firmwares) are prone to an authenticated remote command execution vulnerability. By exploiting this vulnerability, a remote attacker can force the execution of certain unauthorized actions, which may lead to further attacks. An attacker can use the app parameter, which expects the name of a legitimate application, to inject commands into the operating system using "%3B" (a URL-encoded semicolon), for example to read the contents of /etc/passwd.
Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL errors. This functionality can be abused for arbitrary code execution, and can be triggered via the login screen prior to authentication.
WordPress PayPal Pro plugin before 1.1.65 is susceptible to SQL injection via the 'query' parameter, which allows any unauthenticated user to perform SQL queries with the results output to a web page in JSON format.
The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote command execution vulnerability. The vulnerability exists because several POST parameters in the '/html/SetSmarcardSettings.php' script are not sanitized before being used in the exec() PHP function while updating the Smart Card Settings on the affected device. Calling the '$CommandForExe' variable, which is set to invoke the '/cgi-bin/setsmartcard' CGI binary with the affected parameters as arguments, allows the attacker to execute arbitrary system commands as the root user and bypass the biometric access control in place.
A vulnerability exists within the fileinfo.php file of the package, which allows parts of any world-readable file to be read by a remote attacker. Attacks can include gathering sensitive information from files such as .bash_history, .rhosts, /etc/passwd and so on.
This module exploits a remote command execution vulnerability in the Barracuda Web App Firewall Firmware Version <= 8.0.1.007 and Load Balancer Firmware <= v5.4.0.004 by chaining two vulnerabilities in the web administration interface. The first bug leverages an arbitrary file upload vulnerability to create a malicious file containing shell commands; a second bug, in functionality meant to clean up left-over core files on the device, is then used to execute them. By sending specially crafted requests it is possible to inject system commands and escalate to root due to relaxed sudo configurations on the appliances.
The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional kitchen machine. It has 13 functions, so it not only saves a huge amount of time, it also incorporates the Yumi control module and its own recipe collection, making it incredibly easy to use. Issues: weak username/password for the 'root' account, unauthenticated information disclosure, and remote arbitrary code execution.
The web interface uses cookies, but they are not verified. Thus, if an admin login is successful, the IP address and the browser type of the admin user are stored, and anybody can access the management interface with the same IP and the same user-agent. Some information requests can be performed without authentication. For example, an attacker can obtain the following pieces of information: global settings (SW version, vendor name, etc.), CSRF token, event log, LAN user table, ping response. A factory reset can be initiated without authentication with a simple POST request to getter.xml. Some settings modifications can be performed without authentication, for example the first install flag and the ping command. The ping diagnostic function is vulnerable to system command injection, because parameters are checked only on the client side. Using the following ping target, the attacker can gain local root access to the device: “token=<csrf_token>&fun=126&Type=0&Target_IP=127.0.0.1&Ping_Size=64;nc -l -p 1337 -e /bin/sh;&Num_Ping=3&Ping_Interval=1”
The web interface uses insecure cookies, which can be brute-forced easily (e.g. cookie: userid=0). If an admin login is successful, the IP address of the admin user is stored and anybody can access the management interface from the same IP. The web interface does not use any CSRF protection. If a valid session exists, the attacker can modify any settings of the router. If the default admin password was not changed, the attacker can also log in and then modify any settings. The ping diagnostic function is vulnerable to system command injection, because the parameters are checked only on the client side. Using the following ping target, the attacker can gain local root access to the device: “google.com;nc -l -p 1337 -e /bin/sh;echo”.