Explore Vulnerabilities

Explore all Exploits:

Cisco Sourcefire User Agent Insecure File Permissions Vulnerability

Sourcefire User Agent is vulnerable to insecure default file permissions and hardcoded encryption keys. A local attacker can exploit this by reading the user-readable database file and extracting sensitive information. In combination with the hard-coded 3DES keys, an attacker is able to decrypt the configured Domain Controller accounts, which can lead to further attacks.

IPIX Image Well ActiveX Buffer Overflow Exploit

This exploit targets the iPIX Image Well ActiveX control, specifically the CreateMediaGroup method. The vulnerability allows an attacker to execute arbitrary code by providing specially crafted parameters to the method. The exploit code includes a shellcode that executes the calc.exe program.

Endian Firewall Proxy Password Change Command Injection

This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account has broad sudo permissions, including the ability to run the script /usr/local/bin/chrootpasswd (which, once executed, changes the password of the Linux root account on the system to the value supplied on console input). The password for the specified proxy user account will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) also require HTTP basic auth credentials to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears never to be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to

VeryPDF HTML Converter v2.0 SEH/ToLower() Bypass Buffer Overflow

The [ADD URL] feature in VeryPDF HTML Converter v2.0 is vulnerable to an SEH-based buffer overflow. This can be exploited by constructing a buffer of ASCII characters that contains the payload and pasting it into the textbox. The program's textbox converts ALL pasted data to lowercase, so the Alpha3 tool is used to encode the shellcode into a numerical format that survives the filter. The exploit also uses a null-terminated SEH address to gain universal exploitation across all current Windows OSes. The shellcode is placed in the buffer itself, since it cannot execute after the buffer (past SEH) because the null byte cuts off the remainder of the string.

burnCMS <= 0.2 (root) Remote File Include Vulnerabilities

burnCMS version 0.2 is vulnerable to remote file inclusion. An attacker can exploit this vulnerability by injecting a remote path into the 'root' parameter in several files, including 'authuser.php', 'misc.php', 'connect.php', 'mysql.class.php', and 'postgres.class.php'. This allows the attacker to include and execute arbitrary files from remote servers, potentially leading to remote code execution.

IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w

This is a remote stack overflow vulnerability in the IE NCTAudioFile2.AudioFile ActiveX control. The exploit allows an attacker to execute arbitrary code on a target system. The vulnerability was originally reported by Secunia, and the PoC was developed by shinnai. The exploit works on Windows XP Pro SP2 with a fully patched IE7.

EsForum 3.0 SQL Injection Vulnerability

The vulnerability allows an attacker to inject arbitrary SQL code into the 'idsalon' parameter of the 'forum.php' page, leading to unauthorized access to the database and potentially compromising user information. The exploit retrieves the hashed passwords of all users from the 'esforum_users' table where the 'user_id' is 1.
