This Metasploit module exploits an authentication bypass in libssh server code where a USERAUTH_SUCCESS message is sent in place of the expected USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 are vulnerable. Note that this module's success depends on whether the server code can trigger the correct (shell/exec) callbacks despite only the state machine's authenticated state being set. Therefore, you may or may not get a shell if the server requires additional code paths to be followed.
cde91faaf9388b718ce891cfb99941d6d0d6c0ea49e71e81ac203c8bf86be937
This is an exploit for a stack buffer overflow in the NVidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability. This is updated by Sean de Regge to target the 30 Aug 2012 nvvsvc.exe build.
824e71b2ccad1dc6738764ed7ad37c509efaedb2901fd0a0583430d31a361995
This is an exploit for a stack buffer overflow in the NVidia Display Driver Service. The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability.
a93753892580d6dad44444623d6355d154269fccaba04b2dcab06daf83d116a5
NGSSoftware has discovered a low risk vulnerability in Active Directory which can allow an unauthenticated user to cause a denial of service condition on any affected system.
8b913d51a0f479f8ae2e362accd80b6bc07755dabb6524a56dcba5c502ec56be
NGSSoftware has discovered a medium risk vulnerability in PGP Desktop versions prior to 9.5.1 which can allow a remote authenticated attacker to execute arbitrary code on a system on which PGP Desktop is installed.
5061c9fe73a58597f1bf1e699331bbcdc95539889e7c38b2915728e608977c3c
Peter Winter-Smith of NGSSoftware has discovered a high risk vulnerability in the Microsoft Windows Remote Access Connection Manager (RASMAN) service which (under certain versions of the OS) can allow a remote, anonymous attacker to gain complete control over a vulnerable system.
ce666f7ac90d12808bb6374e61c4e98e95f0a4b83af01d5cda10c9d11a769958
Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities in L-Soft's LISTSERV list management system. The worst of these carries a critical risk rating.
8fa935e14ccd0ecf29d1f5d3d0a445c092c5f2850e266c78c1b8e99b698370f7
NGSSoftware has discovered a high risk vulnerability in the Lexmark Printer Sharing service which could allow a remote, unauthenticated attacker to execute arbitrary code on a Lexmark printer user's computer system with Local System privileges. A workaround is included in the advisory.
17c2a0cb655fbe259348176d404b85e1491d9c102c09b66f0487118c56e74bbc
NGSSoftware Insight Security Research Advisory - All versions of Microsoft Windows, with Microsoft Internet Explorer, come packaged with the Microsoft Active Setup/Install Engine components. These components are marked as safe for scripting and can be invoked by default from any basic web-page. The Install Engine control has been found to be vulnerable to an integer overflow, leading to a heap based buffer overflow which could allow an attacker to run arbitrary code on a vulnerable system through a specially crafted web-page or through a specially crafted HTML email if scripting is enabled.
d9a90dc6d979b15bba061d46b49298b04958b6f90ae6a35aadb861dcce281d1e
Microsoft Security Advisory MS04-027 - A remote code execution vulnerability exists in the Microsoft WordPerfect 5.x Converter. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability.
66e855df17de149765d7724cc2f3b2514f160cbf62a98e1bbaa3980790cdec12
Secunia Security Advisory - A vulnerability exists in various Microsoft Office products, which can be exploited by malicious people to compromise a user's system. A boundary error within the WordPerfect Converter can be exploited to cause a buffer overflow if a user opens a malicious document. Successful exploitation may allow execution of arbitrary code with the user's privileges.
916bddee1b7e0d79ca2c6dd5d0037e96fb779055d3ed5a09840bdce4b20dff21
Microsoft Windows Task Scheduler is vulnerable to a stack-based buffer overflow. The flaw can be exploited by creating a specially-crafted .job file. This will most frequently be a local exploit, but it is possible to imagine some cases where this could be remotely exploited as well.
8a91f17d4a2fd2983c074e04a451428f0f826e5f1059013c4a6a38db1aee67e2
NGSSoftware Insight Security Research Advisory #NISR27052004 - It is possible to cause a number of buffer overruns within the WildTangent WTHoster and Web Driver modules via any method that takes a filename as a parameter. Version 4.0 tested and others are possibly affected.
1fd4a6d0da967ff355c42ac21d6118964e275521cf330235468cd3d7fe398cc5
NGSSoftware Insight Security Research Advisory #NISR05042004 - Due to a lack of boundary checking within the code responsible for loading Fasttracker 2 (.xm) mod media files by the Winamp media plug-in in_mod.dll, it is possible to make Winamp overwrite arbitrary heap memory and reliably cause an access violation within the ntdll.RtlAllocateHeap() function. When properly exploited this allows an attacker to write any value to a memory location of their choosing. In doing so, the attacker can gain control of Winamp's flow of execution to run arbitrary code. This code will run in the security context of the logged on user.
f19369974724e97b0e10b88bb80392f6506e21880ffcc74b92f2f54c0d616991
Palace chat software versions 3.5 and below are susceptible to a stack overflow client-side when accessing hyperlinks.
6b59705371a6f396bf8cd5763612bbfe1c4172c46ed1a2384433e4941833b2fb
Web Crossing versions 4.x and 5.x have a denial of service vulnerability. When an HTTP POST request is made to the built-in server, if the 'Content-Length' header supplied with the request is an extremely large or negative number, the server will encounter a set of instructions which lead to an integer-divide-by-zero problem, immediately crashing the server and denying any further service.
a4cb26465dde1aa7db4e37e9bae87f085ad4ccdeb6c14a77fa125516a33bbbd6
ProxyNow! versions 2.75 and below are susceptible to both heap memory corruption and stack-based buffer overflows. Exploitation of these vulnerabilities can lead to a denial of service and/or code execution with SYSTEM privileges. Detailed analysis and exploit included.
befbd5bf13e3b6d7dc791bb61f8d8476b36082b54e5da32d7a8aa177d07afba7
RapidCache versions 2.2.6 and below suffer from denial of service and directory traversal bugs.
9e8235a36daf36f0ef225186bf427d9237e751f7245e744d783a418c71e1d0f5
The Windows FTP Server is a small, free third-party FTP server which contains a format string vulnerability in v1.6.1 and below.
2039204c5b39559e9e823c8993dc86c4a3cc6f900672113b8b81cad3cfec257c
Webcam Watchdog version 3.63 and below remote exploit that makes use of a stack based buffer overflow in Watchdog's HTTP GET request functionality.
f3ca05278d3188c23c65faba7db68c687aa6c2e8b31ccf73cee194eebe35d3f4
Webcam Watchdog version 3.63 and below is vulnerable to a remotely exploitable stack based buffer overflow which can be triggered via an overly long HTTP GET request. Full detailed analysis of the vulnerability is given.
34ec3b6aeb6958e021532b1ec31ba27920f2b0f383ccc1a21f79f4b6fae76fad
MessageBoxA Shellcode.
909dad5e4fc6e727d617c894593b75aec4856199ece1f66f6baab8a2831e987b
Switch Off versions 2.3 and below suffer from a denial of service vulnerability and a stack-based buffer overflow in the message parameter of the application that may allow a remote attacker the ability to gain SYSTEM privileges.
59fe50b91ad162027a185b970c6995d4fd92e10ea3fac2df0d668fc177adbe9d
NetObserve versions 2.0 and below suffer from a severe security bypass flaw that will enable remote attackers to gain administrative privileges and execute arbitrary code on the server.
b897745bb11eafa79c57bfcf0f9d78141ba4c1217c23b19c7d2570c13e545f58
Vampiric Shellcode - URL Download + Execute for Win32. Vampiric shellcode links to system DLLs to create shellcode that works on many different service packs; more information here.
201361e794813ba49cea12713cc3fdc15fb0b13f46867a91505a6cd6886b717d