A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 2. pointer to a 32-bit value that is set to a length influenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. There are two different methods used by this exploit, which have been named "writeNcall" and "sprayNbrute". The first, "writeNcall", was published by k'sOSe on Dec 17 2008. It uses pointers 2 and 3, as well as a writeable address. This method is quite reliable. However, it relies on the the operation on pointer 2. Newer versions of SQL server (>= 2000 SP3 at least) use a length value that is 8-byte aligned. This imposes a restriction that the code address that leads to the payload (jmp ecx in this case) must match the regex '.[08].[08].[08].[08]'. Unfortunately, no such addresses were found in memory. For this reason, the second method, "sprayNbrute" is used. First a heap-spray is used to prime memory with lots of copies of the address of our code that leads to the payload (jmp ecx). Next, brute force is used to try to guess a value for pointer 3 that points to the sprayed data. A new method of spraying the heap inside MSSQL is presented. Sadly, it only allows the creation of a bunch of 8000 byte buffers.
132206feb12275d819fe75a51931368d87b85cda3a85d8d40fc77ff46d0342f7This exploits a stack overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This Metasploit module was tested successfully against version 2.52. NOTE: The AntServer service does not restart, you only get one shot.
dd69ef386f696d716346934cec43c21dfd0dbc94932dacb7f54813b7d02a26caGentoo Linux Security Advisory 201001-3 - Multiple vulnerabilities were found in PHP, the worst of which leading to the remote execution of arbitrary code. Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Versions less than 5.2.12 are affected.
aff1f9bdb3800d54675a65671b47a6ba413ece16b6ab47e89279c16cfaa490a7Mandriva Linux Security Advisory 2009-220 - A vulnerability was found in xmltok_impl.c (expat) that with specially crafted XML could be exploited and lead to a denial of service attack. Related to CVE-2009-2625. This update fixes this vulnerability. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
67dc6d1212f994353a82a485d288d61d0b7548724d058323fe81e9918f9e3e00Obsession-Design Image-Gallery (ODIG) suffers from a cross site scripting vulnerability in display.php.
67ebb825b3f2baa0bff6f60efc7d1cd3546e972ec40cb9271a3b660b03f4cbf3Ofilter Player version 1.1 suffers from a local denial of service vulnerability.
e0ed25bbda9113df70b3136ceb58a4dcd8854632d5650648a4a6a82cc2bcc766Nemesis Player (NSP) version 2.0 and 1.1 Beta suffer from a local denial of service vulnerability.
34e3203485a0554043b5299f37eae4ab898276e5a4ac823a39381bea40f83fb6n.player version 1.12.07 suffers from a local heap overflow vulnerability.
79a03c844a6d6d4988244551f56620764782c97d129287738ae058b7ac5d2a2bSyScan 10 Call For Training - This year, SyScan'10 will be held in the 4 exciting cities of Singapore, Shanghai, Taipei and Ho chi Minh City (Vietnam).
631ff3b3df8293b277413e9c6e9be260f5023dbefaf56df6e7429e234a2aab54Small write up describing how to do windows account password guessing using the WinScanX tool.
f871d8ad96c9073ef9b788626275cd2d20520b82d1814c4ca508fbc240803fc0LineWeb suffers from remote SQL injection, cross site scripting, and local file inclusion vulnerabilities.
76148e9d4b6892748e00bc14b68af93863275c16681b231a1da721786bd583a5YP Portal MS-Pro Surumu version 1.0 suffers from a remote database download vulnerability.
d1e8ddf2b75be24444889283ab1c7c572b338c7862f13ec88d1d96b658897fdbSecunia Security Advisory - A security issue has been reported in KMSoft Guestbook, which can be exploited by malicious people to disclose sensitive information.
cc7c89a58c7a2766d56163e0e7cc788425bd20e47fce29a6006a502af126a14fSecunia Security Advisory - alnjm33 has reported a vulnerability in Deviant Art Clone, which can be exploited by malicious users to conduct SQL injection attacks.
d219e6703440d2ecc249137a1b332a965165e1d29db772d2b9e16a957fe5312dSecunia Security Advisory - Justin C. Klein Keane has discovered some vulnerabilities in Magento, which can be exploited by malicious users to conduct script insertion attacks.
d000089e31124a76fb2fc164ef8b3926faa40882e7c845754300be6193164f68Secunia Security Advisory - A vulnerability has been reported in Linear eMerge, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).
0a866aaa5f0f73a6849d438165db51b6550aed5be1b1520aaa13c700e3a78ac4Secunia Security Advisory - A security issue has been reported in CNR Hikaye Portal, which can be exploited by malicious people to disclose sensitive information.
1081a881694912af616c3f89fef334035c82d1a78ecc3635f13baaf5b036ff82Secunia Security Advisory - A vulnerability has been discovered in LXR Cross Referencer, which can be exploited by malicious people to conduct cross-site scripting attacks.
c84920cf3f3c9f32c2fa704f1024ccf65795d6351606380ffd38475e9eb431ccSecunia Security Advisory - A vulnerability has been discovered in the Events Manager plugin for WordPress, which can be exploited by malicious people to conduct SQL injection attacks.
ee12f5713c700f30bea938ee5679b775b3974dad2ff0c6fa4affe4683acde7e1Secunia Security Advisory - A vulnerability has been reported in the TPJobs component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.
47bc56d1fdf5ab1fc858525768da910424a15d260433cca01367339478de2275Secunia Security Advisory - A vulnerability has been reported in Webace CMS, which can be exploited by malicious people to conduct SQL injection attacks.
2a73ab840caac38f1d351e6498514050fac5dd9075a1495beb60b569c2e1adb4Secunia Security Advisory - Some vulnerabilities have been discovered in uF.Phpaw, which can be exploited by malicious people to conduct cross-site scripting attacks.
e7ba9228c295210005e37d2b3ab2bd3c3dadecd31222a2d7520025f47fef0f3bSecunia Security Advisory - A security issue has been reported in PD Portal, which can be exploited by malicious people to disclose sensitive information.
87a3de795a06be92668c07d1ff5efe46cbcee1fed06db58c0033ea53a3dceddbSecunia Security Advisory - Some vulnerabilities have been discovered in F5 Data Manager, which can be exploited by malicious users to disclose potentially sensitive information.
8d773e5ac8384bc1f14eb1d0104d9fad47e1ae4d7076d6439617fa00bda4df91Secunia Security Advisory - A vulnerability has been discovered in Left 4 Dead Stats, which can be exploited by malicious people to conduct SQL injection attacks.
7ccbc8cb08bb35af332e2435048295e39a2de8732210ed3e9f27a163114c67d8
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed