Sourcefire User Agent is vulnerable to default insecure file permissions and hardcoded encryption keys. A local attacker can exploit this by gaining access to user readable database file and extracting sensitive information. In combination with hard-coded 3DES keys an attacker is able to decrypt configured Domain Controller accounts which can lead to further attacks.
This exploit targets the iPIX Image Well ActiveX control, specifically the CreateMediaGroup method. The vulnerability allows an attacker to execute arbitrary code by providing specially crafted parameters to the method. The exploit code includes a shellcode that executes the calc.exe program.
This exploit allows a local user to connect to Serv-u with a default login/password for local administration. The user can then create an ftp user with execute rights and execute a raw 'SITE EXEC' command, which will be executed with SYSTEM privileges.
This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to
The [ADD URL] feature in VeryPDF HTML Converter v2.0 is vulnerable to an SEH based buffer overflow. This can be exploited by constructing a payload of ASCII characters that contain the payload and pasting it into the textbox. The program's textbox converts ALL pasted data to lowercase, so the Alpha3 tool is used to encode the shellcode into a numerical format to bypass the filter. The exploit also utilizes a null terminated SEH address to gain universal exploitation across all current Windows OSes. The shellcode is placed in the buffer itself since it cannot execute after the buffer (after SEH) due to the null byte cutting off the remaining pieces of the string.
The burnCMS version 0.2 is vulnerable to remote file inclusion. An attacker can exploit this vulnerability by injecting malicious code into the 'root' parameter in various files like 'authuser.php', 'misc.php', 'connect.php', 'mysql.class.php', and 'postgres.class.php'. This allows the attacker to include and execute arbitrary files from remote servers, potentially leading to remote code execution.
A Denial of Service can be achieved by concatenating several large strings together and attempting to write to file.
This is a remote stack overflow vulnerability in IE NCTAudioFile2.AudioFile ActiveX control. The exploit allows an attacker to execute arbitrary code on a target system. The vulnerability was originally reported by Secunia and the PoC was developed by shinnai. The exploit works on Windows XP Pro SP2 with IE7 fully patched.
This is a proof of concept exploit for a buffer overflow vulnerability in the mydns software. It allows an attacker to send a malicious DNS packet to the target server, causing it to crash or potentially execute arbitrary code. This exploit has been tested on mydns-1.1.0.
The vulnerability allows an attacker to inject arbitrary SQL code into the 'idsalon' parameter of the 'forum.php' page, leading to unauthorized access to the database and potentially compromising user information. The exploit retrieves the hashed passwords of all users from the 'esforum_users' table where the 'user_id' is 1.