This exploit leverages three vulnerabilities to get root, all of which were discovered by Nelson Elhage: CVE-2010-4258, CVE-2010-3849 and CVE-2010-3850. CVE-2010-4258 is the interesting one, and the reason for this exploit. It allows a user to write a NULL word to an arbitrary kernel address if a thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag and the kernel performs an address limit override via set_fs(KERNEL_DS). CVE-2010-3849 is a NULL pointer dereference in the Econet protocol, which is reachable via sock_no_sendpage(). CVE-2010-3850 is a missing capabilities check which allows users to assign Econet addresses to arbitrary interfaces. This exploit was specifically designed to be limited, as the particular symbols it resolves are not exported on Slackware or Debian, Red Hat does not support Econet by default and CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and Debian.
Register on the site, rename the shell to .asp.jpg, go to http://site/forum/register.asp?fpn=2, browse and upload the shell, and view the shell address in the text box.
The MODx Revolution CMS suffers from an XSS vulnerability when parsing user input to the 'username' and 'email' parameters via the POST method in the login.php script at the manager login interface. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
This PoC triggers a NULL pointer dereference on a register operation when the 'AllowScriptAccess' parameter is written to the ESI and EAX registers.
AVG Internet Security 2011 Safe Search for IE DoS is a vulnerability that triggers a NULL Pointer Exception upon loading the control. This crash occurs with or without the 'param' section.
An access violation vulnerability exists in Winzip WZFLDVW.OCX when the IconIndex property is accessed. This can be exploited by an attacker to execute arbitrary code by tricking a user into opening a specially crafted file.
An access violation vulnerability exists in Winzip WZFLDVW.OCX when a specially crafted argument is passed to the Text property. This can be exploited to cause a stack-based buffer overflow via a specially crafted argument passed to the Text property.
This is a plain vanilla stack overflow exploit for Viscom VideoEdit Gold ActiveX 8.0. The exploit is a Ctrl+C Ctrl+V, herpderp exploit which uses a shellcode to execute calc.exe. The exploit's impact is relatively low because the object is not marked safe for scripting, so it requires the user to change the default IE settings to let it run.
Video Charge Studio is prone to a buffer overflow when parsing a malicious .vsc file's 'Filename' value field. An attacker could trick a user into loading a specially crafted .vsc file to execute arbitrary code on the user's PC without their consent.
A vulnerability exists in the 'includes/controller.php' script that allows for arbitrary local file inclusion due to a null-byte attack.