This archive contains all of the 129 exploits added to Packet Storm in November, 2013.
cec1606be4b9041989a72da2a2b153b6775eb0d0a409ef48da044631596568a6
This Metasploit module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe component, which allows arbitrary commands. The component is disabled by default, but required when a project uses the SCIL function WORKSTATION_CALL. This Metasploit module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 over Windows XP SP3 and Windows 7 SP1.
0bdf9a94501d5619a20ed028d746c3734042d2dd9d819b70fa7fbb4ef414fa5d
Ametys CMS version 3.5.2 suffers from an XPath injection vulnerability. Input passed via the 'lang' POST parameter in the newsletter plugin is not properly sanitized before being used to construct an XPath query for XML data.
c5dbcda0f10c655d76ff28210efc04294966ced89d00fa641314117ecc195ed1
Kingsoft Office Writer 2012 version 8.1.0.3385 SEH buffer overflow exploit that creates a malicious .wps file that pops calc.exe.
b7d9ad349ded8a5a19c71d80cba93ff175a9354bd4e6012b41c0c8d3a2f14174
WordPress Folo theme suffers from a cross site scripting vulnerability.
6f6a0b653d47d002c0d96429481f77236becff3c3cf8a84c7c394b20619c5ffb
Joomla JMultimedia component remote shell upload exploit.
60512e22d6ce24750d26196501efc9831992d71d5a81d6681e45d2ad7ddfc47f
NewsAktuell PressePortal DE suffers from a remote SQL injection vulnerability.
bf07743459f6adae6679ab26bb30d59946bc54f429b63e764c34268aa9066d59
LiveZilla versions prior to 5.1.1.0 suffer from a cross site scripting vulnerability.
26961d2405183c2ec5a94990f2486b9a6d5a1176105b91b64138da36b9f2ca9c
Pastebin suffers from a CAPTCHA bypass vulnerability.
56392168410383eae1397d73dcb93faad1595c25e457f29f5a49e99776da26ab
This Metasploit module exploits a SQL injection vulnerability in Kimai version 0.9.2.x. The 'db_restore.php' file allows unauthenticated users to execute arbitrary SQL queries. This Metasploit module writes a PHP payload to disk if the following conditions are met: the PHP configuration must have 'display_errors' enabled; Kimai must be configured to use a MySQL database running on localhost; and the MySQL user must have write permission to the Kimai 'temporary' directory.
853a61dfd6df69f1dd037fceb6af76d6aa56c0b508cd161484f30988de0f9da7
Uptime Agent version 5.0.1 suffers from a stack overflow vulnerability. Proof of concept exploit included in this archive.
41b899e65489dca57409b920655c2a7e8ceaa50c5c528ba41a1b386ce5695a6c
This Metasploit module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from a TIFF file that is embedded as a drawing in Microsoft Office, how that value is calculated from user-controlled inputs, and how it is stored in the EAX register. The 32-bit register runs out of storage space to represent the large value, which ends up being 0, but it still gets pushed as the dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function allocates a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), which is also user-controlled. A function pointer in the chunk returned by HeapAlloc ends up being overwritten by the memcpy function and is later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.
36cbcba744d7659568ae499cb8f62964f839c74b64b5def580d9440a661806da
Chamilo LMS version 1.9.6 suffers from a remote SQL injection vulnerability.
36e173b2be5a99350bc8b86a9eefbb79333880193bd30a896bc223fd6a58374d
Dokeos version 2.2 RC2 suffers from a remote SQL injection vulnerability.
1c90844d11a66c66cf2d6b5c646d4bea3595686b9a756b41e2e610d39e08eff4
Claroline version 1.11.8 suffers from multiple cross site scripting vulnerabilities.
2d1b2ef9c175f2f82b0ed223a879bb779fccc661cedf88f4043404645de074af
BZR Player version 0.97 suffers from a dll hijacking vulnerability in codec_mpeg.dll.
15a8b33568c942e1db866ae3a90ccc3d1f553b3b875e59a46f77502d0a9ae58a
Boilsoft RM to MP3 Converter version 1.72 crash proof of concept denial of service exploit.
0f49a6f2cda59a306a9fdf4ab89c2d80a9f792c644ab06947e0ab7814a6ff02a
Wondershare Player version 1.6.0 suffers from a DLL hijacking vulnerability.
3498e1804f5f026025c6c02ef2ff272d74d84bb446f6b691be47e4ae35dcc0c9
Audacious Player versions 3.4.1 and 3.4.2 denial of service proof of concept crash exploit.
2108629d3923e262d6697e389444978f6e9c5342756dce80acc4e5852cb48f96
WordPress Optinfirex third party plugin suffers from a cross site scripting vulnerability. Note that this advisory has site-specific information.
406b64a71217b4d7101b4e75837a87536ec5f4df1b52cca998fe666d372c6537
WordPress Amerisale-Re third party plugin suffers from a cross site scripting vulnerability. Note that this advisory has site-specific information.
dd9af24538474b4be70e9304d308e609bd382701c86aaeaaa6dd00cff815eadd
Palo Alto Networks PanOS versions 5.0.l8 and below suffer from cross site request forgery and cross site scripting vulnerabilities.
0128c8519b469367add23f825da0f04e65d811cb5874370e064fdbed3fe6a5fc
This Metasploit module exploits a vulnerability in the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists in the handling of the CardSpaceClaimCollection object. A CardSpaceClaimCollection stores a collection of elements in a SafeArray and keeps a size field counting the number of elements in the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. A later call to the add() method uses the corrupted length field to compute the address at which to write into the SafeArray data, which corrupts memory with a pointer to controlled contents. This Metasploit module achieves code execution by using VBScript, as discovered in the wild in November 2013, to (1) create an array of HTML OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legitimate OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT.
58f2175e1ed88e1751853e1d2aa79f7740fb2c4be64b98ebf51299e06cc219c0
This Metasploit module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists in the Initialize() method of System.Windows.Browser.ScriptObject, which accesses memory in an unsafe manner. Since it is accessible to untrusted (user-controlled) code, it is possible to dereference arbitrary memory, which is easily leveraged into arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.
3905f49c6a63195a8b150b72b89466bf89d932607328806dbfade7ebf03e25ce
This Metasploit module exploits an OGNL injection vulnerability in Apache Roller < 5.0.2. The vulnerability is due to an OGNL injection on the UIAction controller because of an insecure usage of the ActionSupport.getText method. This Metasploit module has been tested successfully on Apache Roller 5.0.1 on Ubuntu 10.04.
f01bd114b927e26a90df13f09d56f596bd7f9e60085c40975d0c9cb27ffe8c08