
Explore Vulnerabilities


Explore all Exploits:

Object Classid Exploit

This exploit takes advantage of a vulnerability in the object classid attribute in HTML. By creating a specially crafted object element with a malicious classid, an attacker can trigger arbitrary code execution. In this specific example, the exploit is using VBScript to create a buffer overflow by manipulating the get_EAX and get_EBX variables. The crafted buffer is then passed to the ConnectAsyncEx method of the target object, leading to code execution.

DIR-601 Command injection in ping functionality

The DIR-601 firmware has a security issue that allows an attacker to exploit command injection in the ping functionality. The attacker needs to be logged in, and can carry out the attack either from the wireless LAN or, if the management interface is exposed on the Internet, from the WAN. XSRF can also be used to trick a logged-in administrator into triggering the vulnerability.

DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities

Have come across 3 security issues in the DIR-815 firmware which allow an attacker to exploit command injection and buffer overflows in the authentication and HNAP functionality. All of them can be exploited by an unauthenticated attacker. The attacker can be on the wireless LAN or WAN if the mgmt interface is exposed to attack directly, or using XSRF if not exposed.

DIR-817LW Buffer overflows and Command injection in authentication and HNAP functionalities

Three security issues in DIR-815 firmware allow an unauthenticated attacker to exploit command injection and buffer overflows in authentication and HNAP functionality. The attacker can be on the wireless LAN or WAN if the management interface is exposed to attack directly or using XSRF if not exposed.

Taltech Tal Bar Code ActiveX Control Buffer Overflow Exploit

This exploit targets the Taltech Tal Bar Code ActiveX Control and causes a buffer overflow, allowing an attacker to execute arbitrary code on the vulnerable machine. The exploit opens the Calculator application as a proof of concept. This exploit was written for educational purposes and the author is not responsible for any damage caused.

DIR-818W Buffer overflows and Command injection in authentication and HNAP functionalities

Three security issues have been found in the DIR-818W firmware that allow an unauthenticated attacker to exploit command injection and buffer overflows in the authentication and HNAP functionalities. The attacker can be on the wireless LAN or WAN if the management interface is exposed to attack directly or using XSRF if not exposed.

DIR-825 (vC) Buffer overflows in authentication, HNAP and ping functionalities. Also a directory traversal issue exists which can be exploited

Have come across 4 security issues in the DIR-825 firmware which allow an attacker to exploit buffer overflows in the authentication, HNAP and ping functionalities. The first 2 of the buffer overflows, in auth and HNAP, can be exploited by an unauthenticated attacker. The attacker can be on the wireless LAN or WAN if the mgmt interface is exposed to attack directly, or using XSRF if not exposed. The ping-functionality buffer overflow and the directory traversal would require an attacker to be on the network and use XSRF to exploit the buffer overflow, whereas exploiting the directory traversal would require some sort of authentication, at least as a low-privileged user.

Linux x86 Dropbear SSH <= 0.34 remote root exploit

The buffer being exploited is too small (25 bytes) to hold the shellcode, so a workaround was needed to deliver it: the SSH client is hacked to send the local environment variable SHELLCODE as ssh's methodname string. The 25-byte limit is also the reason for the unusual '2 byte' return address, as there is not enough room for a complete pointer overwrite. The exploit overwrites only the 3rd and 2nd bytes and hopes the shellcode is nearby.
