The hardware service manager allows the registration of HAL services. These services are used by the vendor domain and other core processes, including system_server, surfaceflinger and hwservicemanager. The 'add' binder call allows callers to supply a binder instance to be registered with the hardware service manager. When issued, the call is unpacked by the auto-generated hidl stub, and then passed to 'ServiceManager::add' for processing. The function first checks if the caller is allowed to add the service by calling the 'mAcl.canAdd' function. However, this function has a flaw in that it allows all callers to add services if the 'mAllowAll' flag is set to true.
This exploit allows an attacker to execute arbitrary code on a vulnerable D-Link WAP 615/645/815 device running firmware version 1.03 or lower. The exploit works by sending a specially crafted POST request to the device's service.cgi page, which allows the attacker to execute arbitrary commands on the device.
The following HTTP request is a simple PoC for an anonymous time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50. The payload used is %PRIVATE_DATASOURCE.un:Administrator%; other tables that can be used are UME_STRINGS_PERM, UME_STRINGS_ACTN, BC_DDDBDP, BC_COMPVERS, TC_WDRR_MRO_LUT, TC_WDRR_MRO_FILES, T_CHUNK, T_DOMAIN, T_SESSION, UME_ACL_SUP_PERM, UME_ACL_PERM, UM_STRINGS.
This exploit targets a privilege escalation vulnerability in Windows 7 SP1 x86. It uses shellcode to steal the token of the SYSTEM process and replace the token of the current process with it, thus granting the current process SYSTEM privileges.
This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008); however, the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN).
This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database (OpCode 10007); however, the database connection username is not sanitized, resulting in command injection and allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default.
The method Lowerer::LowerSetConcatStrMultiItem is used to generate machine code to concatenate strings. At (a), there is no check for integer overflow. Chakra uses string chains to handle concatenated strings (the ConcatString class), so it does not require much memory to trigger the bug. The proof of concept code creates a string of length 0x10000 and then concatenates it with a string of length 0x10000, resulting in an integer overflow.
Whenever a user edits a message with <extarea> inside the body, everything after the <extarea> will be executed in the user's browser. This works with every version up to 4.0.20.
The plugin implements the AJAX action `wpdm-install-addon`, which calls the function `wpdm_install_addon`. This function does not take any anti-CSRF measures, making it susceptible to that kind of attack. What is interesting about this function is that it provides plugin installation functionality for admin users. The origin of the package is taken from `$_REQUEST['addon']`, if it is set, without any validation. A malicious actor can exploit this to install a malicious plugin on the vulnerable site. In fact, the install package does not need to be a valid plugin; it could just contain malicious code. Because the package is extracted into the `/wp-content/plugins/` directory without changing its original folder structure, an attacker could leverage the CSRF to upload malicious code and execute it on the affected server.
The plugin implements the AJAX action `admin_menu_tree_page_view_add_page`, which calls back the function `admin_menu_tree_page_view_add_page`. The latter does not implement any anti-CSRF controls or security checks. Leveraging a CSRF attack, an attacker could perform a persistent XSS attack if the victim has administrative rights (see PoC). The AJAX action is a privileged one, so it is only available to registered users. Even so, it does not implement any capability checks, so it is available to all registered users regardless of access level. This could allow any registered user to create arbitrary posts regardless of access level.