This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.
This module exploits a command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute a terminal command in the context of the web server user, which is root. The backupNow.do endpoint takes several user inputs and passes them to the internal service responsible for executing operating system commands. One of these inputs is passed to the service without proper validation, which causes a command injection vulnerability. However, the supplied parameters, such as the SSH IP address, port and credentials, are validated before the terminal command is executed, so you need to run your own SSH service and set the required parameters when using the module. This module was tested against Symantec Messaging Gateway 10.6.2-7.
The exploit allows an attacker to perform a blind SQL injection attack on the IndexScript website. By manipulating the 'cat_id' parameter in the 'show_cat.php' page, the attacker can extract login credentials from the 'dir_login' table.
There is a type confusion vulnerability in Microsoft Edge. The crash happens inside CAttrArray::PrivateFindInl. The rcx (this) pointer is supposed to point to a CAttrArray but actually points to a CAttribute. CAttrArray::PrivateFindInl only performs reads, and its return value is discarded by the calling function (CAttrArray::SetParsed). However, the actual type confusion happens further down the stack (possibly inside CssParser::RecordProperty), and if CAttrArray::PrivateFindInl returns false (which can be controlled by an attacker), then CAttrArray::Set is also called with the wrong type, which might lead to more serious consequences.
The win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients. The proof of concept code fills the kernel stack with a controlled marker byte and then invokes the affected syscall to leak stack bytes to user-mode.
This exploit targets a stack overflow vulnerability in Ipswitch IMail Server 2006. The vulnerability allows an attacker to execute arbitrary code by sending a specially crafted IMAP SEARCH command. The vulnerable code can be found in the imap4d32.exe file, version 6.8.8.1. The exploit takes advantage of a buffer overflow in that code, overwriting the saved return address so that execution is redirected into the attacker's payload.
The nt!NtQueryInformationProcess system call called with the ProcessVmCounters information class discloses portions of uninitialized kernel stack memory to user-mode clients.
It is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetOutlineTextMetricsInternalW system call. Only the first 4 bytes of the source structure on the kernel stack are initialized under normal circumstances, while the remaining 4 bytes contain leftover data from earlier kernel stack frames.
The win32k!NtGdiExtGetObjectW system call in Windows 7-10 allows disclosing portions of uninitialized kernel stack memory to user-mode applications. This is possible due to leftover kernel stack data in the trailing, uninitialized bytes of the LOGFONT structure for some stock fonts, which can be read back using the GetObject() function.
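The four kernel stack disclosure entries above (NtGdiMakeFontDir, NtQueryInformationProcess/ProcessVmCounters, NtGdiGetOutlineTextMetricsInternalW and NtGdiExtGetObjectW) share one bug pattern and one detection method: a local structure is only partially initialized before being copied whole to user mode, and the leak is made visible by first spraying the kernel stack with a marker byte. The following is an added example, not code from the original page or from any of the proofs of concept it lists. It contains no real syscall: a plain byte array stands in for the kernel stack and frames are carved from it by hand, so the leak is deterministic and runs on any host. The 8-byte output structure with a 4-byte initialized field mirrors the NtGdiGetOutlineTextMetricsInternalW description; the frame sizes, marker value and field name are assumptions for illustration.

```c
/* Model of an uninitialized-kernel-stack disclosure and the marker-spray
 * technique used to detect it. Added example, not the page's own code.
 * No real kernel is involved: kstack[] stands in for the kernel stack. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KSTACK_SIZE 1024      /* assumed size of the model kernel stack */
#define MARKER      0x41      /* assumed byte left behind by the spray */

static uint8_t kstack[KSTACK_SIZE];
static size_t  ksp = KSTACK_SIZE;     /* grows down like a real stack */

/* Carve a frame of n bytes without clearing it, as the real stack does. */
static uint8_t *push_frame(size_t n) { ksp -= n; return &kstack[ksp]; }
static void     pop_frame(size_t n)  { ksp += n; }

/* Spray step: a deep but harmless call fills a large region of the
 * stack with MARKER and returns, leaving the bytes in place. */
static void spray_kernel_stack(size_t depth) {
    uint8_t *f = push_frame(depth);
    memset(f, MARKER, depth);
    pop_frame(depth);
}

/* Output structure: only 'value' is ever written, 'pad' is never touched. */
struct leaky_out {
    uint32_t value;
    uint8_t  pad[4];
};

/* Vulnerable syscall model: the struct lives on the kernel stack, one
 * field is filled in, and the whole struct is copied to the user buffer,
 * so pad[] carries whatever the previous frames left there. */
static void syscall_leaky(uint8_t *user_out) {
    uint8_t *frame = push_frame(sizeof(struct leaky_out));
    uint32_t value = 0x12345678u;
    memcpy(frame + offsetof(struct leaky_out, value), &value, sizeof value);
    memcpy(user_out, frame, sizeof(struct leaky_out));
    pop_frame(sizeof(struct leaky_out));
}

/* Fixed model: the frame is zeroed (RtlZeroMemory-style) before use. */
static void syscall_fixed(uint8_t *user_out) {
    uint8_t *frame = push_frame(sizeof(struct leaky_out));
    uint32_t value = 0x12345678u;
    memset(frame, 0, sizeof(struct leaky_out));
    memcpy(frame + offsetof(struct leaky_out, value), &value, sizeof value);
    memcpy(user_out, frame, sizeof(struct leaky_out));
    pop_frame(sizeof(struct leaky_out));
}

/* User-mode side of the check: spray, call the syscall, count how many
 * output bytes equal the marker. Anything above zero is a disclosure. */
static int leaked_bytes(void (*sc)(uint8_t *)) {
    uint8_t out[sizeof(struct leaky_out)];
    memset(out, 0, sizeof out);
    spray_kernel_stack(KSTACK_SIZE / 2);
    sc(out);
    int n = 0;
    for (size_t i = 0; i < sizeof out; i++)
        if (out[i] == MARKER)
            n++;
    return n;
}

int main(void) {
    printf("leaky syscall: %d of 8 bytes carry the marker\n",
           leaked_bytes(syscall_leaky));
    printf("fixed syscall: %d of 8 bytes carry the marker\n",
           leaked_bytes(syscall_fixed));
    return 0;
}
```

The important detail for a practitioner is the marker: without the spray, leftover stack bytes look like random data and a leak is easy to miss; with it, every marker byte that comes back in the output is a byte the kernel never initialized, and its offset tells you which field of the structure is affected.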
This exploit targets a remote buffer overflow vulnerability in SpyCamLizard v1.230. It bypasses SafeSEH protection.
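The stack overflow entries above (Easy File Sharing FTP Server, Ipswitch IMail's SEARCH command and SpyCamLizard) all come down to an unbounded copy of a network argument into a fixed local buffer that sits below the saved return address. The following is an added example, not code from the original page or from any of those exploits. It models a 32-bit frame as a C struct (a 64-byte buffer, saved EBP, return address, then the caller's first argument slot) so the overwrite can be reproduced without crashing; the buffer size, the frame layout and the IMAP-style argument are assumptions, not the real imap4d32.exe layout, and the 0x41414141 target is only a marker, not a gadget address.

```c
/* Model of a return-address overwrite from an unbounded string copy,
 * beside the bounded handler that prevents it. Added example; the frame
 * layout and sizes are assumed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF     64                /* assumed local buffer size */
#define PAYLOAD_LEN (CMD_BUF + 8)     /* buffer + saved EBP + return address */

/* Assumed 32-bit frame. Keeping everything in one struct makes the
 * out-of-bounds write stay inside a single C object, so the program
 * runs to completion instead of hitting a stack protector. */
struct frame {
    char     cmd[CMD_BUF];    /* local buffer that receives the argument */
    uint32_t saved_ebp;       /* caller's frame pointer */
    uint32_t ret;             /* return address the attacker wants to own */
    uint32_t arg0;            /* caller's first argument slot (absorbs NUL) */
};
#define FRAME_INIT { {0}, 0xBFFFF000u, 0x00401000u, 0 }

/* Vulnerable handler: copies the SEARCH argument with no length check,
 * exactly what strcpy() into cmd[] would do. */
static void handle_search_vuln(struct frame *f, const char *arg) {
    memcpy((char *)f + offsetof(struct frame, cmd), arg, strlen(arg) + 1);
}

/* Hardened handler: refuse anything that does not fit the buffer. */
static int handle_search_safe(struct frame *f, const char *arg) {
    size_t n = strlen(arg);
    if (n >= sizeof f->cmd)
        return -1;            /* the server would answer "BAD" here */
    memcpy(f->cmd, arg, n + 1);
    return 0;
}

/* Constructed payload: filler up to the saved EBP, 4 bytes over it, then
 * the little-endian return address. The address must contain no 0x00
 * byte, because a string copy stops at the first NUL. */
static void build_payload(char out[PAYLOAD_LEN + 1], uint32_t target) {
    memset(out, 'A', CMD_BUF);
    memset(out + CMD_BUF, 'B', 4);
    for (int i = 0; i < 4; i++)
        out[CMD_BUF + 4 + i] = (char)((target >> (8 * i)) & 0xffu);
    out[PAYLOAD_LEN] = '\0';
}

/* Return address left in the frame after the vulnerable handler. */
static uint32_t ret_after_vuln(uint32_t target) {
    struct frame f = FRAME_INIT;
    char payload[PAYLOAD_LEN + 1];
    build_payload(payload, target);
    handle_search_vuln(&f, payload);
    return f.ret;
}

/* Return address left in the frame after the hardened handler. */
static uint32_t ret_after_safe(uint32_t target) {
    struct frame f = FRAME_INIT;
    char payload[PAYLOAD_LEN + 1];
    build_payload(payload, target);
    (void)handle_search_safe(&f, payload);   /* rejected, returns -1 */
    return f.ret;
}

/* Sanity check that the hardened handler still takes a normal argument. */
static int short_arg_accepted(void) {
    struct frame f = FRAME_INIT;
    return handle_search_safe(&f, "FROM alice@example.com");
}

int main(void) {
    printf("vulnerable handler: ret = 0x%08x\n",
           (unsigned)ret_after_vuln(0x41414141u));
    printf("hardened handler:   ret = 0x%08x\n",
           (unsigned)ret_after_safe(0x41414141u));
    return 0;
}
```

In a real target the 4 bytes landing in `ret` would be the address of a gadget such as `jmp esp`, and for a SEH-based exploit the same unbounded copy would instead reach the exception handler record further up the stack; the page does not describe the specific addresses or the SafeSEH bypass used, so they are not modelled here.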