This archive contains all of the 196 exploits added to Packet Storm in March, 2016.
d093079b55b06f839563e299e2afaca202893967c70cd3b239df4d2fda022fba
The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crashes trigger in multiple different ways (two examples attached).
334ccb9b33707106918a652ebdbd6d7df094cb52fd14eb8f7403eeb469b3b0e0
The included proof of concept crashes Windows 7 with special pool enabled on win32k.sys. The crash is due to accessing memory past the end of a buffer.
d1cb75bbdfdf9855ca5d70385b89f109e579981fd6cb4edadbfa504aac5e36b2
There is a use-after-free in URLStream.readObject in Adobe Flash. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.
ff1259c633764b7a4794d5334683a4bcf01d89145f1bfec987f03e966c7618a2
There is a use-after-free in the TextField.maxChars setter in Adobe Flash. If the value maxChars is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used after it has been freed.
7a1e6f0aefd065fa5598d8e14351aaea609229d3aa442245f79ee5456d6b33c4
The included proof of concept causes a crash in ih264d_process_intra_mb in avc parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.
59a02eb3367da1b1cbaf20e9656c62e0fd3ded3ac84bdcccdb5cbdcde3f810f7
If Color.setTransform in Adobe Flash is called with a transform that deletes the field it is called on, a use-after-free occurs.
737d1b4bab2ed50a128829549d0ea0aa7f0ecba5a9bab13ad24a45666ea8d406
A crash was identified due to a heap-based out-of-bounds read in dissect_pktc_rekey in an ASAN build of Wireshark (current git master).
93a4808c441dbf02e3bcec2b1fdffc008dfac829b696e947e5d12a260c6205ca
Python 2.7 iOS application version 1.5.4 suffers from a filter bypass issue that allows malicious script code to be injected client-side.
a161f8220be483fe7a2af4cd5063c1b5f1b13d3060bdaf67a7d68bc4f2da5401
TrendMicro's SSO suffers from a redirection and session theft vulnerability.
ac729a0d170ca203d8814d0ff62db8f0910eb3bad1e9b83558ea18573e4116d8
Dorsa Web CMS from 2016 Q1 suffers from a remote SQL injection vulnerability.
c5c460a5f06a7786f694a9a63c726dfb56f13f0ed4ebbf7e22cbd3eef3b45879
Cades 2016Q1 suffers from a remote SQL injection vulnerability.
78d7523cb708ba1446641be2eb80c8533e481b323449e80fb631f44a67da4c67
Docker UI version 0.10.0 suffers from a persistent cross site scripting vulnerability.
85ee6b9462b541484f64eee8f2b169fab832b665c6ae3f15bf79b69a02654902
Docker UI version 0.10.0 suffers from multiple client-side cross site request forgery vulnerabilities.
b4d7324519ddf8297c64165148914552a35bffa722466cd2b47aa7ead6d27d90
Hi Technology and Services CMS suffers from a remote SQL injection vulnerability.
66da3d2b5f4c877057dea583169ceddc3bfe66aa44165d7e21cf044f8ba22bc3
Patron Info System suffers from a remote SQL injection vulnerability.
76ff19fbd099b36ee2e379f795c4e402443be656f01e2d1d40744485debd52eb
PHP version 5.5.33 suffers from an invalid memory write condition in phar when a filename contains a \0 byte.
43a4d61e916b58b06008a308be6ad7855caf740234f5025fedc517eb22381d33
Axil CMS version 0.1 suffers from a remote SQL injection vulnerability that allows for login bypass.
a72259e5a0cc0fc7e03db97358db172b5f910222cde66c42f2396e56eb331e76
Axil CMS version 3.0 suffers from a cross site scripting vulnerability.
28dfa34c5386042c24410347c2d8aaacb98e1900a84886175e524c05fd4214b7
This Metasploit module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface beyond repair. No workaround has been found yet. Use this module at your own risk. No check will be implemented.
f98ee50658aec27fea6e1325e83c5d9c0afefcbe8bf5d2b5dab9fa93e03887b6
Included in this archive is a whitepaper called Metaphor - A (real) real-life Stagefright exploit. It presents thorough research on libstagefright and new techniques used to bypass ASLR. This archive also includes the Metaphor exploit that leverages CVE-2015-3864.
f07eb4b93d0c5ed4ac3acfdd080168b0c0f2917e15949d5acd7bb6a2f38b1ff7
Apple Quicktime versions prior to 7.7.79.80.95 suffer from .fpx and .psd file parsing memory corruption vulnerabilities. Multiple proofs of concept are included.
75dc3f56f008a8dff11a4e6782315336b04b08630b92550374fb4ef2d5ccb3a4
The application interface MOBOTIX VMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
77cbabac557201e3332a96765390bee02b5dc304912c8cf70fa98cb20b8c8fa3
Apache OpenMeetings versions 1.9.x through 3.1.0 suffer from a path traversal vulnerability.
06155ed4077ed8cf25d3a08079ba858161b87ca4e65b378d5564e026638cbca2
CubeCart version 6.0.10 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.
3dca54cdd3a351d32b94d67ca282145aea98405b953947e783751533ae0c5b89