This archive contains all of the 178 exploits added to Packet Storm in September, 2016.
c8e838190d88bd305fdf8e533afb092ad92547760f64b10b06ef8e555a04e646
Ubiquiti UniFi AP AC Lite version 5.2.7 allows for direct modification of the database with no authentication.
f40eba146d3abfc3da878bf10eac9a021530c62f26eb11f3fb7cd42dd34d3ee2
Netgear Genie version 2.4.32 suffers from an unquoted service path elevation of privilege vulnerability.
2056971e0ae31e7938639d6e5878bad3c9fc7563e3f320699fe69f8f53a5d5ff
Sophos UTM versions 9.405-5 and 9.404-5 suffer from information disclosure vulnerabilities.
d41db865905127ac19f3ef1c4274c38fede90b47131595b8392634352dd0efc8
Joomla Huge-IT Portfolio Gallery plugin version 1.0.6 suffers from a remote SQL injection vulnerability.
c736d80fc3abb2b181ac9b8ebf78e33ac2a58f366fa330b5853b34264816675e
Abus Security Cams version 0101a suffers from a cross site scripting vulnerability.
648c480851032ffc3e2a82f73e241748f1cdb7c65fbc13387177b4b51e815d29
KeepNote version 0.7.8 remote command execution exploit.
8bfd902ee6f98b0f54948d1c268ef2b23dc7997141f131f8746da78e239a4fd6
WordPress KBoard plugin versions prior to 4.4 suffer from a cross site scripting vulnerability.
b0fb3e1c2b8f1c0e641f0aa5ff3083546bad3cc404b8b157a455e4163687d85a
WordPress KBoard plugin version 2.7 suffers from a remote SQL injection vulnerability.
0ec3c9361595ffdfaf4d2a9a071fda6cac0360bf0a97484ea409460c56ce7643
Snort version 2.9.7.0-WIN32 suffers from a dll hijacking vulnerability.
99e8267b21959831c715ef5fa474d44025b8ef4dced326af53c493d96ca68d98
Joomla Huge-IT Catalog component version 1.0.7 suffers from a remote SQL injection vulnerability.
ec7c54b92dde7ae79e9dedd8de808f51247be85b0c3eea5eefcd781c3c987514
AnswerScript version 2.7.1 suffers from a cross site scripting vulnerability.
9c6a3496429128b109c27d8c038eb36008a1315ff779be364d9d17791a02999d
Symantec Messaging Gateway versions 10.6.1 and below suffer from a directory traversal vulnerability.
23dad5e838b6046a002fbf6522886e375030f3559a852920266cc22b7246dc03
D-Link DWR-932B suffers from backdoor accounts, default WPS PIN, weak WPS PIN generation, and various other bad security practices and issues.
c6622e059d37bef9eede516a3030b6a743db38a5cd314be7e8c8d9f7cd9c8022
Exponent CMS version 2.3.9 suffers from a cross site scripting vulnerability.
816a6aa0ebc0fcfe56debdb5c17f8ac1d66b9b19c5aee73f74e398c5bd601fa8
VLC Media Player version 2.2.1 suffers from a buffer overflow vulnerability.
8d54ac5735ae7e4cb830045676f5c7c657f8076814f587a26a777142ade24e68
TP-Link Archer CR-700 suffers from a cross site scripting vulnerability.
0e163a6e16369c19892e24b88484d24959a8547ea7924587bbff4c9f9772831a
NetMan 204 ships with a backdoor account installed by default.
f2fff6d1bfb6a675b49c9757f603d7bf49b30faf9519240309de8b832ebaf70b
FreePBX versions prior to 13.0.188 remote root exploit.
c50d60263569d98ac322bb608bf8b7cb2500c42bb78316971aa0bc255d1c9a75
Adobe Flash versions 23 and below local-with-filesystem sandbox bypass via navigateToURL() and UI redressing. Proof of concept included.
d781b3b3524940c25a5fbcb3235ee478a3d76f94af8e3a9b1b38f55e89374500
AVer Information EH6108H+ hybrid DVR suffers from authentication bypass, hard-coded credential, and information exposure vulnerabilities.
542457f732586cd30de78d97744a7ccf237f6d15e517b95167adadf9ca79f1d4
The Skype installer suffers from a dll hijacking vulnerability.
0b3c640eeab0ab7cd7ec7ebff214b1a4bceb0e0789d4d92e6c3110b0a6a3749a
Ipod Video Converter suffers from a dll hijacking vulnerability.
61b579cc65a6eeaa34bb88ecc10504935818bcf88f2da16f27c50681e96bb7ea
This Metasploit module attempts to exploit a netfilter bug on Linux kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (running iptables -L as root loads it) 2. libc6-dev-i386 (ubuntu), glibc-devel.i686
3ed3279ffabc1d769fe51805e802f0af5a86f32107a739ee1f3f3ec23f7e3010
This Metasploit module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode.
1a90f98f06bcb60d18f94ddf7062901f68d339cc68bbdab75711aaafaeffc5d2
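The tx3g size summation described in the Stagefright entry above, as an added example that is not Packet Storm's listing content nor the Metasploit module's code: a simplified C model of how a parser accumulates the payload of successive tx3g atoms, with the unchecked arithmetic placed beside a checked version, and a constructed pair of atoms (not a real exploit file) whose second declared size makes the sum wrap. The model assumes a 32-bit size_t, as on the 32-bit mediaserver the exploit targets, handles only 8-byte box headers, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by the scanner (names are this example's own). */
#define TX3G_SUM_OK        0
#define TX3G_SUM_OVERFLOW  1
#define TX3G_BAD_HEADER    2

/* MP4 box fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Vulnerable arithmetic: the size of the buffer that is to hold the
 * already-collected tx3g data plus the new atom is computed with no
 * overflow check, so a large second atom wraps it to a tiny value.
 * The allocator then hands back a short buffer and the memcpy of the
 * existing data runs off its end.  Sizes are 32-bit to model a
 * 32-bit size_t (assumption of this model). */
static uint32_t tx3g_new_size_vulnerable(uint32_t existing, uint32_t chunk_size) {
    return (uint32_t)(existing + chunk_size);   /* wraps silently */
}

/* Hardened arithmetic: refuse the atom when the sum would wrap.
 * Returns the new size, or -1 on overflow. */
static int64_t tx3g_new_size_checked(uint32_t existing, uint32_t chunk_size) {
    if (chunk_size > UINT32_MAX - existing)
        return -1;
    return (int64_t)existing + chunk_size;
}

/* Walk a sequence of top-level boxes and accumulate tx3g payload sizes
 * using the checked arithmetic.  Only 8-byte headers are modelled; size
 * values below 8 (including the 0 "to end of file" and 1 "largesize"
 * forms) are rejected as unsupported.  *accumulated receives the total
 * reached before the scan stopped. */
static int scan_tx3g(const uint8_t *buf, uint32_t len, uint32_t *accumulated) {
    uint32_t off = 0, acc = 0;
    while (len - off >= 8) {
        uint32_t box_size = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        if (box_size < 8) {
            *accumulated = acc;
            return TX3G_BAD_HEADER;
        }
        if (memcmp(type, "tx3g", 4) == 0) {
            uint32_t payload = box_size - 8;
            int64_t n = tx3g_new_size_checked(acc, payload);
            if (n < 0) {
                *accumulated = acc;
                return TX3G_SUM_OVERFLOW;
            }
            acc = (uint32_t)n;
        }
        if (box_size > len - off)       /* declared size runs past our data */
            break;
        off += box_size;
    }
    *accumulated = acc;
    return TX3G_SUM_OK;
}

/* Constructed sample: a tx3g atom with 24 bytes of payload, then the
 * header of a second tx3g atom whose declared size is 0xFFFFFFF0.
 * Returns the number of bytes written (40). */
static uint32_t build_sample(uint8_t *out, uint32_t cap) {
    if (cap < 40) return 0;
    memset(out, 0, 40);
    put_be32(out, 0x20);               memcpy(out + 4,    "tx3g", 4);  /* 8 + 24 bytes */
    put_be32(out + 0x20, 0xFFFFFFF0u); memcpy(out + 0x24, "tx3g", 4);  /* header only  */
    return 40;
}

/* Wrappers that run the sample through the scanner. */
static int sample_verdict(void) {
    uint8_t buf[64]; uint32_t acc = 0;
    return scan_tx3g(buf, build_sample(buf, sizeof buf), &acc);
}
static uint32_t sample_accumulated(void) {
    uint8_t buf[64]; uint32_t acc = 0;
    scan_tx3g(buf, build_sample(buf, sizeof buf), &acc);
    return acc;
}

int main(void) {
    uint32_t acc = sample_accumulated();
    uint32_t second_payload = 0xFFFFFFF0u - 8;
    printf("checked scan: verdict=%d, accumulated before stop=0x%x\n",
           sample_verdict(), (unsigned)acc);
    printf("unchecked: 0x%x + 0x%x = 0x%x, then memcpy of 0x%x bytes into it\n",
           (unsigned)acc, (unsigned)second_payload,
           (unsigned)tx3g_new_size_vulnerable(acc, second_payload), (unsigned)acc);
    return 0;
}
```

With the sample, the checked scan stops at the second atom with 0x18 bytes accumulated, while the unchecked arithmetic yields 0x18 + 0xFFFFFFE8 = 0, which is the undersized allocation the description refers to.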