This Metasploit module exploits a buffer overflow in Sielco Sistemi Winlog <= 2.07.00. When sending a specially formatted packet to the Runtime.exe service, an attacker may be able to execute arbitrary code.
This Metasploit module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2, and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. Originally found and posted by Luigi Auriemma.
This Metasploit module exploits a vulnerability found in DATAC Control International RealWin SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE packet via port 910, RealWin will try to create a file (which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-supplied filename with an inline memcpy routine without proper bounds checking, which results in a stack-based buffer overflow, allowing arbitrary remote code execution. Tested version: 2.0 (Build 6.1.8.10).
iDefense Security Advisory 06.14.11 - Remote exploitation of a heap overflow vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "DRCF" chunk. Specifically, when parsing a substructure inside of this chunk, it is possible to trigger a code path that leads to an incorrect string copy operation. The vulnerable code performs a certain operation on a heap-based buffer, which has the effect of overwriting the NULL terminator of the string in the middle of the copy operation. This will lead to an endless copy loop until the read operation hits the end of the memory segment. This operation writes beyond the allocated heap buffer, and can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.
iDefense Security Advisory 06.14.11 - Remote exploitation of an integer signedness vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "Lscr" record. This record can embed Lingo script code, which is Shockwave's scripting language. The vulnerability occurs when processing certain opcodes. Specifically, a 32-bit value from the file is used as an offset into a heap buffer without proper validation. When comparing the value to the maximum buffer size, a signed comparison is performed. By using a negative value, it is possible to index outside of the allocated buffer. This results in data outside of the buffer being treated as a valid pointer, and this pointer is later used as the destination of a write operation. This can corrupt an arbitrary memory address, which can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.
This Metasploit module exploits a vulnerability found in 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report, which results in arbitrary code execution under the context of the user. The attack is carried out in three stages. The first stage sends the final payload to IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command so the process can find a valid ID for the Rename command. The last stage then triggers the vulnerability with the Rename command, and uses an egghunter to search for the shellcode that we sent in stage 1. The use of an egghunter appears to be necessary due to the small buffer size, which cannot even contain our ROP chain and the final payload.
iMatix Xitami versions 5.0a0 and below suffer from a NULL pointer vulnerability.
This Metasploit module exploits multiple vulnerabilities found in IGSS 9's Data Server and Data Collector services. The approach is to first transfer our binary with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which causes dc.exe to run that payload with a CreateProcessA() call as a new thread.
This Metasploit module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow and allows an attacker to overwrite a structured exception handling record on the stack, allowing for unauthenticated remote code execution.
Microsoft HTML Help versions 6.1 and below suffer from a stack overflow vulnerability in itss.dll. Proof of concept code is included.
Microsoft Host Integration Server versions 8.5.4224.0 and below suffer from various denial of service vulnerabilities. Proof of concept code included.
Microsoft Reader versions 2.1.1.3143 and below suffer a vulnerability where it is possible to write a NULL byte in an arbitrary location. Proof of concept code included.
Microsoft Reader versions 2.1.1.3143 and below and versions 2.6.1.7169 and below suffer from an array overflow. Proof of concept code included.
Microsoft Reader versions 2.1.1.3143 and below and versions 2.6.1.7169 and below suffer from an integer overflow caused by a controlled memmove. Proof of concept code included.
Microsoft Reader versions 2.1.1.3143 and below and versions 2.6.1.7169 and below suffer from a heap overflow vulnerability caused by the allocation of a certain amount of memory and the copying of arbitrary data during the decompression of the sections. Proof of concept code included.
Microsoft Reader versions 2.1.1.3143 and below suffer from an integer overflow vulnerability during the handling of the number of pieces of the initial ITLS header at offset 0x10. Proof of concept code included.
A large number of vulnerabilities have been discovered in multiple SCADA systems. These range from buffer overflows to denial of service to directory traversal issues and more. Systems affected include Siemens Tecnomatix FactoryLink, Iconics GENESIS32 / GENESIS64, 7-Technologies IGSS, and DATAC RealWin. Included are 34 advisories and related proof of concepts.
RealPlayer versions 14.0.1.633 and below suffer from a heap overflow during the handling of IVR files. This is caused by the allocation of a certain amount of data (frame size) decided by the attacker and the copying of another arbitrary amount into the same buffer. Proof of concept exploit included.
The Refractor 2 engine versions 1.50 and below suffer from a NULL pointer dereference vulnerability. Games such as Battlefield 2 and Battlefield 2142 are affected. Proof of concept code included.
A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing font structures within Director files. While processing data within the PFR1 chunk, the process trusts a size value and compares a sign-extended counter against it within a copy loop. By providing a sufficiently large value, this flaw can be abused by a remote attacker to execute arbitrary code under the context of the user running the browser.
Microsoft Fax Cover Page Editor version 5.2.3790.3959 suffers from a code execution vulnerability. Proof of concept exploit included.
Sielco Sistemi Winlog versions 2.07.00 and below suffer from a stack overflow vulnerability.
Ecava IntegraXor versions 3.6.4000.0 and below suffer from a directory traversal vulnerability.
Wonderware InBatch versions 9.0sp1 and below suffer from a buffer overflow vulnerability. Use the related file to exploit it.
Call of Duty: Black Ops suffers from a remote memory leak vulnerability.