Zero Day Initiative Advisory 10-198 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of an Embedded OpenType file to TrueType format within t2embed.dll. The most likely vector for this to be exploited is via Internet Explorer as an embedded font in an HTML/CSS document. The flaw itself is due to an integer overflow when parsing hdmx records. A record size and record count variable are trusted and operated upon. The resulting value is used in a copy loop that can be manipulated to corrupt memory. This can be abused by an attacker to execute remote code under the context of the user running the browser.
41b2d3623f987f94395fd8d827f83baafafad75741207120b73e6727ed7c352b
Zero Day Initiative Advisory 10-197 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the function CAttrArray::PrivateFind as defined in mshtml.dll. If a specific property of a stylesheet object is set, the code within mshtml can be forced to free an object which is subsequently accessed later. This can be leveraged by an attacker to execute remote code under the context of the user running the browser.
2387cc74cdd24639c4bfbc6cd8700fa21a5ce57456be968b5d0391c310f06710
Zero Day Initiative Advisory 10-196 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JobServer.exe process which listens by default on several TCP ports above 1024. When parsing a GIOP request, the process trusts a user-supplied 32-bit value and allocates a buffer on the heap. The process then proceeds to copy the string following this value from the packet until it finds a NULL byte. By crafting a specifically sized packet a remote attacker can overflow the buffer and gain code execution under the context of the SYSTEM user.
80519d1176f668b97d5351241e10afe4ae48c247f5791653fe0cf549669a5ec0
Zero Day Initiative Advisory 10-195 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CMS.exe process which listens by default on several TCP ports above 1024. When parsing a GIOP request, the process trusts a user-supplied 32-bit value and allocates a buffer on the heap. The process then proceeds to copy the string following this value from the packet until it finds a NULL byte. By crafting a specifically sized packet a remote attacker can overflow the buffer and gain code execution under the context of the SYSTEM user.
fa7fbecef96bbb03c86a891c96b6076c63e3bc3e7d58ecdd69da0376b7afdb7d
Sydbox is a ptrace-based sandbox implementation. It intercepts system calls, checks for allowed filesystem prefixes, and denies them when checks fail. It has basic support for disallowing network connections. It has basic support to sandbox execve calls. It is based in part on catbox and strace.
3d3b1e6deb3121ed662c9c2e28c4c2978af601998bb2a04f48080daf45d82358
Collabtive version 0.65 suffers from cross site request forgery and cross site scripting vulnerabilities.
031f92e41c5512da4359c0e8ea7c09681b35088d32ef7b5e2dda89595148b032
WikiWebHelp version 0.3.3 suffers from a cross site request forgery vulnerability.
d8eb58fcfe99ffe8c65950fa7b5974a5050aee4f4ced6b692c09c81dc2eca1b3
This Metasploit module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client. When processing the response on a PWD command, a stack based buffer overflow occurs. This leads to arbitrary code execution when a structured exception handler gets overwritten.
507a7c5e70085f277792ad74cc751f09fe88331f586a25388882a96cdbebbda9
This Metasploit module exploits a buffer overflow in the Seagull FTP client that gets triggered when the ftp client processes a response to a LIST command. If the response contains an overly long file/folder name, a buffer overflow occurs, overwriting a structured exception handler.
9941cb1e0eab82770705bd52bcc11e247b265de2b6214cf38bf56899f9ca66c6
This Metasploit module exploits a buffer overflow in Gekko Manager ftp client, triggered when processing the response received after sending a LIST request. If this response contains a long filename, a buffer overflow occurs, overwriting a structured exception handler.
1e7f04091422e546c4e127b6c53345bff8d018725ad5fe1491c13b5f22f5072d
This Metasploit module exploits a stack buffer overflow in the FTPPad 1.2.0 ftp client. The overflow is triggered when the client connects to an FTP server which sends an overly long directory and filename in response to a LIST command. This will cause an access violation, and will eventually overwrite the saved extended instruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/sniper was needed to make this one work.
864c13b0bca680072f94df1e362ce6bb00e5d2748d610e1cebd0c43a1709a476
This Metasploit module exploits a stack buffer overflow in Odin Secure FTP 4.1, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.
8ecb75c11b4c62e6ce7b842e1892561eaa88009d5a9d93ecdf9fc5bde92a10b0
This Metasploit module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro version 4.0.73.274. The overflow gets triggered by sending an overly long filename to the client in response to a LIST command. The LIST command gets issued when doing a preview or when you have just created a new sync profile and allow the tool to see the differences. This will overwrite a structured exception handler and trigger an access violation.
78e1f3656a2efea50a4734c1a2d624b7be11f7525cd7f612e7e4f77465473ac0
This Metasploit module exploits a buffer overflow in the LeapFTP 3.0.1 client. This issue is triggered when a file with a long name is downloaded/opened.
f8abfdd204f0ed82b2f476dc9dc0ef13d8d0f1fd66773b87636bd55e7ccf5da4
This Metasploit module exploits a buffer overflow in the FileWrangler client that is triggered when the client connects to an FTP server and lists the directory contents, which contain an overly long directory name.
95851d121dac72f5b67123647939012f5eb8f8288e71b4bf2e3aba8b78359ec8
This Metasploit module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.
8b62f6ce5d0c462f21a4d8c332b770f40f0683dc9cebbc9d6a3825b998832d01
This Metasploit module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to download a file that has an overly long filename.
12a0acd3b85279ca0f783e238d8bda5078df822aab5d81ee1c2c190dce51d449
This Metasploit module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets triggered when the ftp client tries to process an overly long response to a PWD command. This will overwrite the saved EIP and structured exception handler.
f519ce182ff34cf63de5ac4b785653619bb701dd2e8f49ec8d3eeefccfe0e84a
This Metasploit module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record. This exploit does not use javascript.
7126b3b381c830c246515407ec24713960237606057c8a16a5129cdc22151571
This Metasploit module can be used to exploit any generic command execution vulnerability for CGI applications on Unix-like platforms. To use this module, specify the CMDURI path, replacing the command itself with XXcmdXX. This Metasploit module is currently limited to forms vulnerable through GET requests with query parameters.
6c2b3fd36348c68b1b7315cd8846caabd0b02376ccf79d5cacc3caa7d16db23a
AdaptCMS version 2.0.1 Beta suffers from a remote file inclusion vulnerability.
7a06d9bfcb143c28a7a447419277a922309ac29fda7a7ced24d5ec8c6abb78e6
A vulnerability exists in the way Disk Pulse Server version 2.2.34 processes a remote client's "GetServerInfo" request. The vulnerability is caused by a boundary error in libpal.dll when handling network messages and can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 9120.
702797dbe6d5419910ba57e07ca0672c234f8c8fd8f21cb8293adbf04f2202a2