This exploit is a buffer overflow vulnerability in the Tic-Tac application. It allows an attacker to execute arbitrary code by overflowing a buffer with 1500 bytes of data. The exploit was tested on Windows XP SP3.
An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable application. The malicious query is passed as a parameter in the URL; the vulnerable parameter is ‘cat’. The malicious query is ‘-666/**/union/**/all/**/select/**/666,666,666,concat_ws(0x3a,member_name,member_password,email)kaMtiEz,@@version,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666/**/from/**/members--’. This query returns the member name, password and email of the application's members.
An error in the kernel-mode driver (bregdrv.sys) when handling input passed through the user-mode dynamic link library (bregdll.dll) can be exploited to read, write, or modify the registry in kernel mode. An attacker can exploit this issue to read, write, or modify the registry with kernel-level privileges. Successful exploitation results in the complete compromise of affected computers.
The vulnerability exists in the ‘app’ parameter of the ‘index.php’ file. An attacker can exploit this vulnerability by sending a crafted request to the vulnerable server. The attacker can include a malicious file from the server by using the ‘../’ directory traversal technique. This can lead to the disclosure of sensitive information from the server.
This is a buffer overflow exploit for Deepburner Pro 1.9.0.228 .dbr files. It works by overwriting a SEH handler: the SEH record is at offset 529 bytes from the beginning of the buffer, and nSEH (at SEH-4 bytes) is overwritten with a jmp instruction that repositions execution onto the payload in memory (SEH -> pop/pop/ret, nSEH -> jmp 9 bytes). An alternative approach is to use ESI, which points into memory that the user controls; the problem is that the ESI address keeps changing. Overwriting the SEH handler address with pop/pop/retn causes the retn instruction to set EIP to the next instruction, which is the address that the next SEH handler points to, which in turn is the address that ESI points to, resulting in code execution. When generating shellcode, make sure to avoid these characters: 0x00 0x3c 0x3e 0x0a 0x0d 0x22 0x2F.
CoreFTP v2.1 b1637 is vulnerable to a buffer overflow in the password field. An attacker can exploit this vulnerability by convincing a user to enter a 6000-character string as a password, which causes a buffer overflow and allows the attacker to execute arbitrary code. This vulnerability was found by mr_me and coded by mr_me and corelanc0d3r. It was tested on Windows XP SP3 and can be used to gain a bind shell.
A vulnerability in Home Of AlegroCart v1.1 allows an attacker to change the administrator password by sending a malicious request to the server. The malicious request contains a form with the username, first name, last name, email, user group, password, and confirm fields. The attacker can set the username, first name, last name, and email fields to 'admin' and the user group to 'Top Administrator'. The attacker can then set the password and confirm fields to the desired password. When the form is submitted, the administrator password is changed to the desired password.
An attacker can upload arbitrary files to the server by exploiting the 'pic.aspx' page. An attacker can also traverse the directory structure of the server by exploiting the 'browse.asp' and 'browseFile.asp' pages.
The last line in the code checks the file's extension to make sure it's not a PHP file. This line of code is vulnerable, though: requesting the URL http://www.a.com/snif.php?download=snif.php%00 bypasses all restrictions and lets you download a PHP file, because the null byte terminates the filename before the extension check takes effect.
The input variable ‘cid’ is vulnerable to SQL code injection, allowing an attacker to execute arbitrary SQL queries.