This Metasploit module exploits a buffer overflow in Sielco Sistem Winlog <= 2.07.00. When sending a specially formatted packet to the Runtime.exe service, an attacker may be able to execute arbitrary code.
ad560ed7c2b5c2b085b3af27e95252ee83dd229a20d5349ee20068a8929d360fThis Metasploit module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2, and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. Originally found and posted by Luigi Auriemma.
180a8907d61d69a4ded59759afdcd03ea9f1757008b99fd69ef2a1c78f4f6f23This Metasploit module exploits a vulnerability found in DATAC Control International RealWin SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE packet via port 910, RealWin will try to create a file (which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-supplied filename with a inline memcpy routine without proper bounds checking, which results a stack-based buffer overflow, allowing arbitrary remote code execution. Tested version: 2.0 (Build 6.1.8.10).
03bf98284439d992c47fe1e2bec66c01c8f4a83ae33e20afd12558dba1c061a7iDefense Security Advisory 06.14.11 - Remote exploitation of a heap overflow vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "DRCF" chunk. Specifically, when parsing a substructure inside of this chunk, it is possible to trigger a code path that leads to an incorrect string copy operation. The vulnerable code performs a certain operation on a heap-based buffer, which has the effect of overwriting the NULL terminator of the string in the middle of the copy operation. This will lead to an endless copy loop until the read operation hits the end of the memory segment. This operation writes beyond the allocated heap buffer, and can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.
3b0ec1fef75086d0e796f5ce1dea0706958798bc9b403f2258059ba1d3e7612fiDefense Security Advisory 06.14.11 - Remote exploitation of a integer signedness vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "Lscr" record. This record can embed Lingo script code, which is Shockwave's scripting language. The vulnerability occurs when processing certain opcodes. Specifically, a 32-bit value from the file is used as an offset into a heap buffer without proper validation. When comparing the value to the maximum buffer size, a signed comparison is performed. By using a negative value, it is possible to index outside of the allocated buffer. This results in data outside of the buffer being treated as a valid pointer, and this pointer is later used as the destination of a write operation. This can corrupt an arbitrary memory address, which can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.
952c40d913beb9b78faaad430aeb7a3d76e8f0453128f6534822d4e3d407462dThis Metasploit module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report, which results arbitrary code execution under the context of the user. The attack is carried out in three stages. The first stage sends the final payload to IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command so the process can find a valid ID for the Rename command. The last stage then triggers the vulnerability with the Rename command, and uses an egghunter to search for the shellcode that we sent in stage 1. The use of egghunter appears to be necessary due to the small buffer size, which cannot even contain our ROP chain and the final payload.
159bcc6e1d0a284b89e943dc6ab734d6c2d4c9cfd17f99602199371978ca7d42iMatix Xitami versions 5.0a0 and below suffer from a NULL pointer vulnerability.
ed4eb779232d0541e6a573825d43e2d1a268a434b65a1704fa33716fe9783002This Metasploit module exploits multiple vulnerabilities found on IGSS 9's Data Server and Data Collector services. The initial approach is first by transferring our binary with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then sending an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run that payload with a CreateProcessA() function as a new thread.
296723ada905112b4245260cd9a74751a41e72054aba11b2d7103f9bf26ee23dThis Metasploit module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow and allows to overwrite a structured exception handling record on the stack, allowing for unauthenticated remote code execution.
d6e50055a18ef8053fcab8d3dbb3013cea1bef5f64706db8cc621234903f31fbMicrosoft HTML Help versions 6.1 and below suffer from a stack overflow vulnerability in itss.dll. Proof of concept code is included.
63d7b93fe2cec5016dfe9a4e1e8b07fef4a558529c5ee4aa1f0072cac167cf59Microsoft Host Integration Server versions 8.5.4224.0 and below suffer from various denial of service vulnerabilities. Proof of concept code included.
b474364648f18e70128a3bed86139662a21bebe079ca4f31deb3b6ac8f65812cMicrosoft Reader versions 2.1.1.3143 and below suffer a vulnerability where it is possible to write a NULL byte in an arbitrary location. Proof of concept code included.
3ba8f6dc4e42fd99a33bc3b292421fe6ab97580ae939c9c6bfcabd8622df678fMicrosoft Reader versions 2.1.1.3143 and below and versions 2.6.1.7169 and below suffer from an array overflow. Proof of concept code included.
4d6803b2e115710ffb40adf30048cdffe1f2e30da34ebb8fd1d8e8143ef757c5Microsoft Reader versions 2.1.1.3143 and below and versions 2.6.1.7169 and below suffer from an integer overflow caused by a controlled memmove. Proof of concept code included.
7c6ea2755683e12a4fe9202acbacb9ffec7e8f8694e803f4dd036882fd369d6bMicrosoft Reader versions 2.1.1.3143 and below and versions 2.6.1.7169 and below suffer from a heap overflow vulnerability caused by the allocation of a certain amount of memory and the copying of arbitrary data during the decompression of the sections. Proof of concept code included.
aba2258d2ada43d5ffdeebb0af357a63127b4b75f7e298f2dc74985d187deb68Microsoft Reader versions 2.1.1.3143 and below suffer from an integer overflow vulnerability during the handling of the number of pieces of the initial ITLS header at offset 0x10. Proof of concept code included.
692bf8bac783fa54db238ce06c110d02dc71aff8ff622da11ed1a7e4c7c863faA very large amount of vulnerabilities have been discovered in multiple SCADA systems. These ranges from buffer overflows to denial of service to directory traversal issues and more. Systems affected include Siemens Tecnomatix FactoryLink, Iconics GENESIS32 / GENESIS64, 7-Technologies IGSS, and DATAC RealWin. Included are 34 advisories and related proof of concepts.
8bd14c7eed99151c80ec9a25811b7e674194f88dc2e6c43bad5c81eaef69fdcdRealPlayer versions 14.0.1.633 and below suffers from a heap overflow during the handling of IVR files. This is caused by the allocation of a certain amount of data (frame size) decided by the attacker and the copying of another arbitrary amount on the same buffer. Proof of concept exploit included.
6e595a81866c87dd6d9792d4d8aed66218fd680ae847cde3941f629d9ad64923The Refractor 2 engine versions 1.50 and below suffer from a NULL pointer dereference vulnerability. Games such as Battlefield 2 and Battlefield 2142 are affected. Proof of concept code included.
c5154e86267664abbb20e9158985659f81c3f2ecfab82bcf19c80337dcd43227A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing font structures within Director files. While processing data within the PFR1 chunk, the process trusts a size value and compares a sign-extended counter against it within a copy loop. By providing a sufficiently large value, this flaw can be abused by a remote attacker to execute arbitrary code under the context of the user running the browser.
4d5ada7d22be428a2d78618407bc4f18c600a32d6c297d355b0ddcd166035cdeMicrosoft Fax Cover Page Editor version 5.2.3790.3959 suffers from a code execution vulnerability. Proof of concept exploit included.
a3f6948acaffdb44b32f3e6435cb282a054ca4e186fa85c9e03ca616a1f3c675Sielco Sistemi Winlog versions 2.07.00 and below suffer from a stack overflow vulnerability.
d94010aa6fc723c13bd86c84eb622d7260847f34750e323b8ea30ff2b09cc02eEcava IntegraXor versions 3.6.4000.0 and below suffer from a directory traversal vulnerability.
307bd3de5b07f9cc3534f5b020bae6c51c595e3537568512c5d329f78adbb0b9Wonderware InBatch versions 9.0sp1 and below suffer from a buffer overflow vulnerability. Use the related file to exploit it.
2b75b40f8b5d10b1aad656254bc228553139874595ce2d6695d6663ecfb75d50Call of Duty: Black Ops suffers from a remote memory leak vulnerability.
23f747fc13e4561d98d08374160cabdd2ae8c84df6b37dd2a2b12bf9451bf8d1
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed