This archive contains all of the 164 exploits added to Packet Storm in July, 2013.
0a0985c7d5fdcaabbf25a53953410fd592cdcbfc6dacbbb8c55ddb3e55a12e42
Core Security Technologies Advisory - TP-Link TL-SC3171 IP Cameras suffer from OS command injection, use of hard-coded credentials, authentication bypass, and missing authentication vulnerabilities.
65c946f42cda6e7f2e468690ba32b2210dbcd121ef351a42cfd3246f433128d2
The Better Security WordPress Plugin suffers from a stored cross site scripting vulnerability, which can be exploited by a remote unauthenticated attacker to steal cookies or gain privileged access to the affected site. Bit51 Better WP Security Plugin versions 3.4.8, 3.4.9, 3.4.10, 3.5.2, and 3.5.3 are affected.
851d1befb1d83e0151c831c6884961f17e3e980ac4ed6716207a81c4fd790e09
Oracle Hyperion 11 suffers from a directory traversal vulnerability. Versions 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier are affected.
a63ebab32dfca1c676f5478d4507e5cb9958e376a21f14bd4a427db0035dea98
A remote attacker can crash EchoVNC Viewer by sending a malformed request. The crash occurs when EchoVNC Viewer allocates a buffer from the heap with the size specified by the malicious server.
0f95b5873df085c2956dfc5fe0afe9b4e60c00984cd0b00e317b429c8132c007
MojoPortal version 2.3.9.7 suffers from a stored cross site scripting vulnerability.
8b314a7ebb6349066cbe66d2384dfefcf3dad366bbf130131f2c132e81a0edba
Bigace CMS version 2.7.8 suffers from a cross site request forgery vulnerability.
334578e319255af19b9ffd7d30e813d5f2ccfc342588bfb110915cb965de5cd3
This Metasploit module exploits a command injection vulnerability in PineApp Mail-SeCure 3.70. The vulnerability exists in the test_li_connection.php component, due to the insecure usage of the system() PHP function. This Metasploit module has been tested successfully on PineApp Mail-SeCure 3.70.
f986755f0d0b80f4f24f3b0cebb979f77db7ba99a7a250f60cf38a00b1bfde1c
This Metasploit module exploits a command injection vulnerability in PineApp Mail-SeCure 3.70. The vulnerability exists in the ldapsyncnow.php component, due to the insecure usage of the shell_exec() PHP function. This Metasploit module has been tested successfully on PineApp Mail-SeCure 3.70.
6d5046291504d28d39d79d096fba6a69e382c338c97f38b517a66277e740b9dd
This Metasploit module exploits a command injection vulnerability in PineApp Mail-SeCure 3.70. The vulnerability exists in the livelog.html component, due to the insecure usage of the shell_exec() PHP function. This Metasploit module has been tested successfully on PineApp Mail-SeCure 3.70.
51fca1c0fcae3623e2c9c69f04d8e43a10745b7c2cfa4634796a3d1d61a9cf15
The Windows kernel does not properly isolate broadcast messages from low integrity applications from medium or high integrity applications. This allows commands to be broadcast to open medium or high integrity command prompts, allowing escalation of privileges. We can spawn a medium integrity command prompt, after spawning a low integrity command prompt, by using the Win+Shift+# combination to specify the position of the command prompt on the taskbar. We can then broadcast our command and hope that the user is away and doesn't corrupt it by interacting with the UI. The broadcast issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT. However, spawning a command prompt with the shortcut key does not work in Vista, so you will have to check if the user is already running a command prompt and set SPAWN_PROMPT to false. The WEB technique will execute a PowerShell encoded payload from a Web location. The FILE technique will drop an executable to the file system, set it to medium integrity and execute it. The TYPE technique will attempt to execute a PowerShell encoded payload directly from the command line, but it may take some time to complete.
ec4132f8b9ac70f158c3461e225396c2635aeb7d0ad1f9877329265b9fd215b8
FluxBB version 1.5.3 suffers from cross site scripting, cross site request forgery, and URL redirection vulnerabilities.
3d2a429f0d7f7702aac350cfb0a31594ad3302501c55568dfa29c8812f3a4a6e
WebDisk version 3.0.2 PhotoViewer for iOS suffers from a remote command execution vulnerability.
a74a5bd33336150b25147766ce88ce05cc03a56a2927ac49301a7b6d2986f69b
Private Photos version 1.0 for iOS suffers from a persistent script insertion vulnerability.
675393a5ef46624db7acc97471d1f5ccdb744cecce7d6c64116194fd6fc7a6b1
OpenEMM-2013 version 8.10.380.hf13.0.066 suffers from cross site scripting and remote SQL injection vulnerabilities.
14456af2c9a5b9e11fb7313fb343d5a731c447e6b28ffc4391db130a2ff55411
Novell Client 2 SP3 suffers from a privilege escalation vulnerability.
90372d883442b6991b9af375b8d05bbaa5c31c066b8a21018779b94badc3881d
OllyDbg / Immunity debugger crash proof of concept denial of service exploit.
675d2824b19af798e908b299af4c63101ca4f8e7734c1c02006fdc9bf019156e
Galil RIO-47100 with firmware prior to 1.1d suffers from a denial of service vulnerability.
711c8078ac8a79ef82338bae820506b5505483135cfd8c8c037db18a38b4bf56
The ASUS RT-AC66U contains the Broadcom ACSD wireless binary that is vulnerable to multiple buffer overflow attacks. This is a remote root exploit that leverages one of those vulnerabilities.
7be0d23f95cb6278115b744a39cbc800e85bbed42e53df481abed6ccfe4b5bda
Symantec Web Gateway versions 5.1.0.* and below suffer from cross site request forgery, cross site scripting, command injection, and remote SQL injection vulnerabilities.
f5687779117e75bfab54e5c4e26cfc839c5928b756b4cf1652789d76e8d5aadc
Xymon versions prior to 4.3.12 with the xymond_rrd module enabled suffer from a file deletion vulnerability.
05961b9deef0e4629fab271ff5bc660e184d958c0772a463c88ba29fff50ab45
Joomla Googlemaps plugin version 3.2 suffers from cross site scripting and denial of service vulnerabilities.
d2ba9c614111d4d02b0e070dcc14bca5220f56187e1021e317c465c625078204
AlienVault OSSIM versions prior to 4.3.0 suffer from multiple reflective cross site scripting vulnerabilities.
b97b24ad187260fb2d369e36bc782d9527bb13c5629ef33949027b13a42c4a22
This Metasploit module quickly fires up a web server that serves the payload in PowerShell. The provided command will start PowerShell and then download and execute the payload. The IEX command can also be extracted to execute directly from PowerShell. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk, so it is unlikely to trigger AV solutions and allows attempting local privilege escalations supplied by meterpreter, etc. You could also try your luck with social engineering. Ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
3df7ddc32fd686c31c096c385be3456948866192543e5796efa9d470ac552386
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server side code. This Metasploit module has been tested successfully on Struts 2.3.15 over Tomcat 7, with Windows 2003 SP2 and Ubuntu 10.04 operating systems.
c240d5878f508b714bf5ceed219b636cd035393594292bf01d990b95dae4b372