A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.

This exploit smashes several pointers, as shown below.

1. A pointer to a 32-bit value that is set to 0.
2. A pointer to a 32-bit value that is set to a length influenced by the buffer length.
3. A pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38; in MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed.
4. On MSSQL 2005, an additional vtable pointer is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit.

There are two different methods used by this exploit, named "writeNcall" and "sprayNbrute".

The first, "writeNcall", was published by k'sOSe on Dec 17 2008. It uses pointers 2 and 3, as well as a writeable address. This method is quite reliable. However, it relies on the operation on pointer 2: newer versions of SQL Server (>= 2000 SP3 at least) use a length value that is 8-byte aligned. This imposes the restriction that the code address that leads to the payload (jmp ecx in this case) must match the regex '.[08].[08].[08].[08]', i.e. every byte of the address must be a multiple of 8. Unfortunately, no such addresses were found in memory.

For this reason, the second method, "sprayNbrute", is used. First a heap spray primes memory with many copies of the address of the code that leads to the payload (jmp ecx). Next, brute force is used to guess a value for pointer 3 that points into the sprayed data. A new method of spraying the heap inside MSSQL is presented. Sadly, it only allows the creation of a number of 8000-byte buffers.
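The two constraints the description above rests on can be checked offline: the per-byte 8-alignment filter that rules out "jmp ecx" addresses for writeNcall, and the 4-byte alignment a brute-forced pointer 3 needs relative to an 8000-byte spray chunk before the dword read at the vtable displacement returns the sprayed address. The following is an added illustration written for this page, not code from the Metasploit module or from k'sOSe; the 8000-byte chunk size, the 0x38 and 0x10 displacements and the regex come from the text, while the sample image, base address and gadget offsets are constructed here and carry no meaning beyond the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SPRAY_CHUNK 8000      /* size of the buffers the text says can be sprayed in MSSQL */
#define VTABLE_DISP_2000 0x38 /* displacement used when pointer 3 is dereferenced, MSSQL 2000 */
#define VTABLE_DISP_2005 0x10 /* same for MSSQL 2005 */

/* writeNcall constraint: the length written through pointer 2 is 8-byte
 * aligned, so an address delivered that way must match '.[08].[08].[08].[08]'
 * on its hex form, i.e. the low three bits of every byte must be clear. */
int addr_matches_aligned_regex(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0x7) != 0)
            return 0;
    return 1;
}

/* Scan a memory image for the two-byte "jmp ecx" (FF E1) and store the
 * addresses found. With require_aligned set, only addresses that pass
 * addr_matches_aligned_regex() are kept. Returns the number stored in out. */
size_t find_jmp_ecx(const uint8_t *img, size_t len, uint32_t base,
                    int require_aligned, uint32_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        if (img[i] == 0xFF && img[i + 1] == 0xE1) {
            uint32_t addr = base + (uint32_t)i;
            if (!require_aligned || addr_matches_aligned_regex(addr))
                out[n++] = addr;
        }
    }
    return n;
}

/* sprayNbrute: fill one 8000-byte chunk with back-to-back little-endian
 * copies of the code address. */
void fill_spray_chunk(uint8_t *chunk, uint32_t val)
{
    for (size_t off = 0; off + 4 <= SPRAY_CHUNK; off += 4) {
        chunk[off]     = (uint8_t)(val);
        chunk[off + 1] = (uint8_t)(val >> 8);
        chunk[off + 2] = (uint8_t)(val >> 16);
        chunk[off + 3] = (uint8_t)(val >> 24);
    }
}

/* Model the dereference of pointer 3: the server reads a dword at
 * guess + disp. `guess` is an offset into the chunk here, standing in for the
 * brute-forced pointer. Returns the dword read, or 0 if it falls off the chunk. */
uint32_t read_vtable_slot(const uint8_t *chunk, uint32_t guess, uint32_t disp)
{
    uint32_t off = guess + disp;
    if (off + 4 > SPRAY_CHUNK)
        return 0;
    return (uint32_t)chunk[off] | ((uint32_t)chunk[off + 1] << 8) |
           ((uint32_t)chunk[off + 2] << 16) | ((uint32_t)chunk[off + 3] << 24);
}

/* A guess hits when the slot the server reads holds exactly the sprayed
 * address. A guess that is not 4-byte aligned relative to the spray reads a
 * rotated value and misses, which is why the brute force steps in 4s. */
int spray_hit(const uint8_t *chunk, uint32_t guess, uint32_t disp, uint32_t val)
{
    return read_vtable_slot(chunk, guess, disp) == val;
}

int main(void)
{
    /* Constructed image: zero-filled except for two jmp ecx gadgets at
     * base+0x10 (every byte a multiple of 8) and base+0x23 (not). */
    uint8_t img[64] = {0};
    img[0x10] = 0xFF; img[0x11] = 0xE1;
    img[0x23] = 0xFF; img[0x24] = 0xE1;
    uint32_t found[8];
    size_t n_all = find_jmp_ecx(img, sizeof img, 0x10000000, 0, found, 8);
    size_t n_ok  = find_jmp_ecx(img, sizeof img, 0x10000000, 1, found, 8);
    printf("jmp ecx gadgets: %zu total, %zu usable for writeNcall\n", n_all, n_ok);

    static uint8_t chunk[SPRAY_CHUNK];
    fill_spray_chunk(chunk, 0x10000010);
    printf("guess 0x100, MSSQL 2000 displacement: %s\n",
           spray_hit(chunk, 0x100, VTABLE_DISP_2000, 0x10000010) ? "hit" : "miss");
    printf("guess 0x101, MSSQL 2000 displacement: %s\n",
           spray_hit(chunk, 0x101, VTABLE_DISP_2000, 0x10000010) ? "hit" : "miss");
    return 0;
}
```

The spray value used here is deliberately not byte-symmetric, so a misaligned read returns a rotated dword and the miss is visible; in a real spray, the chosen address is whatever "jmp ecx" gadget exists, so the same alignment caveat applies.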
132206feb12275d819fe75a51931368d87b85cda3a85d8d40fc77ff46d0342f7
This exploits a stack overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This Metasploit module was tested successfully against version 2.52. NOTE: The AntServer service does not restart after a failed attempt; you only get one shot.
dd69ef386f696d716346934cec43c21dfd0dbc94932dacb7f54813b7d02a26ca
Gentoo Linux Security Advisory 201001-3 - Multiple vulnerabilities were found in PHP, the worst of which leads to the remote execution of arbitrary code. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Versions less than 5.2.12 are affected.
aff1f9bdb3800d54675a65671b47a6ba413ece16b6ab47e89279c16cfaa490a7
Mandriva Linux Security Advisory 2009-220 - A vulnerability was found in xmltok_impl.c (expat) that with specially crafted XML could be exploited and lead to a denial of service attack. Related to CVE-2009-2625. This update fixes this vulnerability. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
67dc6d1212f994353a82a485d288d61d0b7548724d058323fe81e9918f9e3e00
Obsession-Design Image-Gallery (ODIG) suffers from a cross site scripting vulnerability in display.php.
67ebb825b3f2baa0bff6f60efc7d1cd3546e972ec40cb9271a3b660b03f4cbf3
Ofilter Player version 1.1 suffers from a local denial of service vulnerability.
e0ed25bbda9113df70b3136ceb58a4dcd8854632d5650648a4a6a82cc2bcc766
Nemesis Player (NSP) versions 2.0 and 1.1 Beta suffer from a local denial of service vulnerability.
34e3203485a0554043b5299f37eae4ab898276e5a4ac823a39381bea40f83fb6
n.player version 1.12.07 suffers from a local heap overflow vulnerability.
79a03c844a6d6d4988244551f56620764782c97d129287738ae058b7ac5d2a2b
SyScan 10 Call For Training - This year, SyScan'10 will be held in the 4 exciting cities of Singapore, Shanghai, Taipei and Ho Chi Minh City (Vietnam).
631ff3b3df8293b277413e9c6e9be260f5023dbefaf56df6e7429e234a2aab54
Small write-up describing how to perform Windows account password guessing using the WinScanX tool.
f871d8ad96c9073ef9b788626275cd2d20520b82d1814c4ca508fbc240803fc0
LineWeb suffers from remote SQL injection, cross site scripting, and local file inclusion vulnerabilities.
76148e9d4b6892748e00bc14b68af93863275c16681b231a1da721786bd583a5
YP Portal MS-Pro Surumu version 1.0 suffers from a remote database download vulnerability.
d1e8ddf2b75be24444889283ab1c7c572b338c7862f13ec88d1d96b658897fdb
Secunia Security Advisory - A security issue has been reported in KMSoft Guestbook, which can be exploited by malicious people to disclose sensitive information.
cc7c89a58c7a2766d56163e0e7cc788425bd20e47fce29a6006a502af126a14f
Secunia Security Advisory - alnjm33 has reported a vulnerability in Deviant Art Clone, which can be exploited by malicious users to conduct SQL injection attacks.
d219e6703440d2ecc249137a1b332a965165e1d29db772d2b9e16a957fe5312d
Secunia Security Advisory - Justin C. Klein Keane has discovered some vulnerabilities in Magento, which can be exploited by malicious users to conduct script insertion attacks.
d000089e31124a76fb2fc164ef8b3926faa40882e7c845754300be6193164f68
Secunia Security Advisory - A vulnerability has been reported in Linear eMerge, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).
0a866aaa5f0f73a6849d438165db51b6550aed5be1b1520aaa13c700e3a78ac4
Secunia Security Advisory - A security issue has been reported in CNR Hikaye Portal, which can be exploited by malicious people to disclose sensitive information.
1081a881694912af616c3f89fef334035c82d1a78ecc3635f13baaf5b036ff82
Secunia Security Advisory - A vulnerability has been discovered in LXR Cross Referencer, which can be exploited by malicious people to conduct cross-site scripting attacks.
c84920cf3f3c9f32c2fa704f1024ccf65795d6351606380ffd38475e9eb431cc
Secunia Security Advisory - A vulnerability has been discovered in the Events Manager plugin for WordPress, which can be exploited by malicious people to conduct SQL injection attacks.
ee12f5713c700f30bea938ee5679b775b3974dad2ff0c6fa4affe4683acde7e1
Secunia Security Advisory - A vulnerability has been reported in the TPJobs component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.
47bc56d1fdf5ab1fc858525768da910424a15d260433cca01367339478de2275
Secunia Security Advisory - A vulnerability has been reported in Webace CMS, which can be exploited by malicious people to conduct SQL injection attacks.
2a73ab840caac38f1d351e6498514050fac5dd9075a1495beb60b569c2e1adb4
Secunia Security Advisory - Some vulnerabilities have been discovered in uF.Phpaw, which can be exploited by malicious people to conduct cross-site scripting attacks.
e7ba9228c295210005e37d2b3ab2bd3c3dadecd31222a2d7520025f47fef0f3b
Secunia Security Advisory - A security issue has been reported in PD Portal, which can be exploited by malicious people to disclose sensitive information.
87a3de795a06be92668c07d1ff5efe46cbcee1fed06db58c0033ea53a3dceddb
Secunia Security Advisory - Some vulnerabilities have been discovered in F5 Data Manager, which can be exploited by malicious users to disclose potentially sensitive information.
8d773e5ac8384bc1f14eb1d0104d9fad47e1ae4d7076d6439617fa00bda4df91
Secunia Security Advisory - A vulnerability has been discovered in Left 4 Dead Stats, which can be exploited by malicious people to conduct SQL injection attacks.
7ccbc8cb08bb35af332e2435048295e39a2de8732210ed3e9f27a163114c67d8