This exploit targets the 3proxy HTTP Proxy version 0.5.3g on Fedora Core 5 and 6. It allows an attacker to gain root access on the target system using a reverse connect-back method. The exploit takes advantage of a buffer overflow vulnerability in the strcpy function and uses simple strings to create a connect-back shell. It requires the attacker to open two ports on their server, one for receiving commands and one for receiving results.
The attached testcase triggers an access violation in Kaspersky Antivirus, leading to remote code execution as NT AUTHORITY\SYSTEM. The vulnerability occurs when handling packed PE files, possibly packed using 'Yoda's protector'.
While fuzzing UPX packed files, an arbitrary stack-relative write vulnerability was discovered. This vulnerability can be remotely exploited for remote code execution as NT AUTHORITY\SYSTEM.
The crash occurs when loading a function pointer from an attacker-controlled pointer, resulting in a call to an unmapped address. This vulnerability can be exploited for remote, zero-interaction code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus. The exploit has been tested on Windows, Linux, Mac, and a product using the Kaspersky SDK (ZoneAlarm Pro).
The sendcard.php script is vulnerable to local file inclusion. The vulnerability allows an attacker to include arbitrary local files by manipulating the 'form' parameter in the URL. By appending '%00' to the 'form' parameter value, an attacker can bypass the input validation and include sensitive files, such as '/etc/passwd'. This can lead to unauthorized access to the server's files and potentially sensitive information.
The PoC reliably bug checks when Special Pool is enabled, on the write to freed memory. A reference to the freed memory is held at offset +0x10 of the THREADINFO object. This memory is referenced in HmgAllocateObjectAttr, which is called from multiple locations. The freed memory is a struct inside a Brush Object that is freed in the call to NtGdiDeleteObjectApp.
There is a heap overflow in the daeElement::setElementName() method, where a fixed-size heap-allocated buffer is used to copy the name of an arbitrary element. Setting the element name to something longer than that buffer overflows it.
PowerPointViewer.ocx version 3.1.0.3 is vulnerable to denial of service via multiple methods. The vulnerable methods are DoOleCommand, FTPDownloadFile, FTPUploadFile, HttpUploadFile, Save, and SaveWebFile.
Input passed to the 'wpPATH' parameter in wordtube-button.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.
Due to improper access restriction, the ADH-Web device allows a remote attacker to browse and access arbitrary files from the '/hdd0/logs' directory. It is also possible to gather important information via the 'variable.cgi' script.