Explore Vulnerabilities

Explore all Exploits:
Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit (CVE-2010-0425)

pwn-isapi.cpp exploits a dangling pointer vulnerability in Apache 2.2.14 mod_isapi. Due to the nature of the vulnerability, and exploitation method, DEP should be limited to essential Windows programs and services. At worst, if DEP is enabled for the Apache process, you could cause a constant DoS by looping this (since Apache will automatically restart). The exploit code may need to be run multiple times before a shell is spawned (70% success rate - tested on three different systems). Furthermore, the exploit code may require modification to exploit this vulnerability on different platforms. This is due to loaded memory references to the unloaded DLL (they will be different for each ISAPI module). Do not test this code in a VM, otherwise the code may fail to send the RESET packet (something to do with VMware gracefully closing the connection instead of sending a RESET packet) - I didn't want to have to use raw packets on Windows. The shellcode writes 'pwn-isapi' to 'sos.txt', which is created in the current working directory. Most operating systems should be supported by this shellcode.

Yahoo Player 1.0 (.m3u/.pls/.ypl) Local Buffer Overflow Exploit (SEH)

Yahoo Player 1.0 is vulnerable to a local buffer overflow exploit when a specially crafted .m3u/.pls/.ypl file is opened. This exploit uses a short jump and a SEH overwrite to execute arbitrary code. The exploit code is written in Perl and can be used to execute malicious code on the vulnerable system.

BigForum Version: 4.5 SQL INJECTION

BigForum Version 4.5 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to the admin credentials. The exploit requires magic_quotes to be set to Off. The exploit is written in Perl and requires two parameters, host and path. It sends a malicious request to the profil.php page via the vulnerable parameter id. The response contains the admin credentials in the form of id, username and password.

Flare <= 0.6 local heap overflow DoS

Flare version 0.6 is vulnerable to a local heap overflow DoS. The vulnerability is triggered when a large string of 'A's is passed as an argument to the program, which crashes due to the overflow. The registers EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI and EIP are all affected by the overflow. A Python script is provided to trigger the vulnerability.

dev4u CMS (Personenseiten) go_target.php SQL Injection

A SQL injection vulnerability exists in the dev4u CMS Personenseiten script. An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable script with a malicious SQL query. This can allow the attacker to gain access to sensitive information such as user credentials.

phpCOIN 1.2.1 (mod.php) LFI vulnerability

A Local File Inclusion vulnerability was discovered in phpCOIN 1.2.1. An attacker can exploit this vulnerability by sending a crafted HTTP request containing directory traversal sequences (e.g. '../../../../../../../../../../../../../../../../../../../../etc/passwd%00') to the vulnerable server.

E-topbiz Link ADS 1 PHP script (linkid) Blind SQL Injection Vulnerability

This vulnerability allows an attacker to inject malicious SQL queries into the vulnerable application. The attacker can use the 'linkid' parameter to inject malicious SQL queries and extract sensitive information from the database. The proof of concept is demonstrated by sending a GET request to the '/out.php' page with the 'linkid' parameter set to '50+and+1=1' (true) and '50+and+1=2' (false). The exploit is demonstrated by sending a GET request to the '/out.php' page with the 'linkid' parameter set to '50+and+substring(@@version,1,1)=4' and '50+and+substring(@@version,1,1)=5'.

Auktionshaus 3.0.0.1 news.php (id) SQL Injection

A vulnerability in the Auktionshaus 3.0.0.1 news.php script can be exploited to perform an SQL injection attack. The vulnerability is caused by the 'id' parameter not being properly sanitized before it is used in an SQL query. This can be exploited to inject or manipulate SQL queries in the backend database. An attacker can exploit this vulnerability to gain access to sensitive information from the database, such as usernames and passwords.