what you don't know can hurt you
Showing 1 - 25 of 25 RSS Feed


Posted Dec 13, 2000
Authored by synnergy, Juan M. Bello Rivas | Site synnergy.net

Overwriting the .dtors section - This paper presents a concise explanation of a technique to gain control of a C program's flow of execution given that it has been compiled with gcc. This exploit technique has several advantages over changing the stack pointer, including ease of determining the exact position where we want to write and point to our shellcode, and is simpler than a GOT patch.

tags | shellcode
MD5 | f693cc32d668324c2205e77036aa3fd1

Related Files

Canon TR150 Driver Privilege Escalation
Posted Aug 11, 2021
Authored by Jacob Baines, Shelby Pace | Site metasploit.com

Canon TR150 print drivers versions and below allow local users to read/write files within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation will grant attackers code execution as the NT AUTHORITY\SYSTEM user. This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

tags | exploit, local, code execution
systems | windows
advisories | CVE-2021-38085
MD5 | b54013c8b14ce15b29f5eb5b487ecde4
nginx 1.20.0 DNS Resolver Off-By-One Heap Write
Posted May 26, 2021
Authored by Markus Vervier, Eric Sesterhenn, Luis Merino

An off-by-one error in ngx_resolver_copy() while processing DNS responses allows a network attacker to write a dot character ('.', 0x2E) out of bounds in a heap allocated buffer. The vulnerability can be triggered by a DNS response in reply to a DNS request from nginx when the resolver primitive is configured. A specially crafted packet allows overwriting the least significant byte of next heap chunk metadata with 0x2E. A network attacker capable of providing DNS responses to a nginx server can achieve Denial-of-Service and likely remote code execution. Due to the lack of DNS spoofing mitigations in nginx and the fact that the vulnerable function is called before checking the DNS Transaction ID, remote attackers might be able to exploit this vulnerability by flooding the victim server with poisoned DNS responses in a feasible amount of time.

tags | exploit, remote, spoof, code execution
advisories | CVE-2021-23017
MD5 | cc733efc4bba424a92fb952d1eefd927
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
Posted May 18, 2020
Authored by h00die, Nick Frichette | Site metasploit.com

This Metasploit module exploits a command execution in Pi-Hole versions 4.4 and below. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a privilege escalation. Phase 2 writes our payload to teleporter.php, overwriting the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges.

tags | exploit, web, root, php
advisories | CVE-2020-11108
MD5 | 45a7854959d2d37b594d4f7a3b3c052e
WordPress InfiniteWP Client Authentication Bypass
Posted Feb 10, 2020
Authored by wvu, WebARX | Site metasploit.com

This Metasploit module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGIN_FILE. The module will attempt to retrieve the original PLUGIN_FILE contents and restore them after payload execution. If VerifyContents is set, which is the default setting, the module will check to see if the restored contents match the original. Note that a valid administrator username is required for this module. WordPress versions greater than and equal to 4.9 are currently not supported due to a breaking WordPress API change. Tested against 4.8.3.

tags | exploit, arbitrary, php
MD5 | 4b5ae8fdf2e5fd5022e3f24e30cac4b4
Mac OS X libxpc MITM Privilege Escalation
Posted Nov 28, 2018
Authored by saelo | Site metasploit.com

This Metasploit module exploits a vulnerability in libxpc on macOS versions 10.13.3 and below. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child processes, we can now gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which is used by sudo to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.

tags | exploit, root
advisories | CVE-2018-4237
MD5 | 45269b24778bad6f66dc74a38caefbe2
Red Hat Security Advisory 2014-0578-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0578-01 - OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances, managing networks, and controlling access through users and projects. It was found that overwriting the disk inside of an instance with a malicious image, and then switching the instance to rescue mode, could potentially allow an authenticated user to access arbitrary files on the compute host depending on the file permissions and SELinux constraints of those files. Only setups that used libvirt to spawn instances and which had the use of cow images disabled were affected.

tags | advisory, arbitrary
systems | linux, redhat
advisories | CVE-2014-0134
MD5 | c961d7733af86ece5abefa1b729783ba
Vtiger Install Unauthenticated Remote Command Execution
Posted Apr 8, 2014
Authored by Jonathan Borgeaud | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in the Vtiger install script. This Metasploit module is set to ManualRanking due to this module overwriting the target database configuration, which may result in a broken web app, and you may not be able to get a session again.

tags | exploit, web, arbitrary
advisories | CVE-2014-2268
MD5 | 59313941eda9be4027ca7400e3f0bc3d
TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow
Posted Apr 7, 2012
Authored by rgod, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in TRENDnet SecurView Internet Camera's ActiveX control. By supplying a long string of data as the sFilter argument of the OpenFileDlg() function, it is possible to trigger a buffer overflow condition due to WideCharToMultiByte (which converts unicode back to) overwriting the stack more than it should, which results arbitrary code execution under the context of the user.

tags | exploit, overflow, arbitrary, code execution, activex
advisories | OSVDB-80661
MD5 | 15d2d978ad455bf415028fd1a31ba6b3
HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow
Posted Jan 20, 2012
Authored by sinn3r, Aniway, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function "_OVConcatPath" which finally uses "strcat" in a insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation path.

tags | exploit, overflow, arbitrary, cgi
advisories | CVE-2011-3167, OSVDB-76775
MD5 | d931eb96f3799819a223e13af334d81a
ScriptFTP 3.3 Remote Buffer Overflow
Posted Oct 10, 2011
Authored by mr_me, TecR0c | Site metasploit.com

AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow vulnerability that is triggered when processing a sufficiently long filename during a FTP LIST command resulting in overwriting the exception handler. Social engineering of executing a specially crafted ftp file by double click will result in connecting to our malicious server and perform arbitrary code execution which allows the attacker to gain the same rights as the user running ScriptFTP.

tags | exploit, remote, overflow, arbitrary, code execution
advisories | CVE-2011-3976, OSVDB-75633
MD5 | e540826b848295b079627e0d679021e3
iDEFENSE Security Advisory 2011-06-14.2
Posted Jun 18, 2011
Authored by iDefense Labs, Luigi Auriemma | Site idefense.com

iDefense Security Advisory 06.14.11 - Remote exploitation of a heap overflow vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "DRCF" chunk. Specifically, when parsing a substructure inside of this chunk, it is possible to trigger a code path that leads to an incorrect string copy operation. The vulnerable code performs a certain operation on a heap-based buffer, which has the effect of overwriting the NULL terminator of the string in the middle of the copy operation. This will lead to an endless copy loop until the read operation hits the end of the memory segment. This operation writes beyond the allocated heap buffer, and can lead to the execution of arbitrary code. Shockwave Player version and prior are vulnerable.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2011-0335
MD5 | c08e51afeba91a7726f88e231df377d9
HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
Posted Mar 24, 2011
Authored by jduck | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. The vulnerable code is within a sub-function called from "main" within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the "getProxiedStorageAddress" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.

tags | exploit, overflow, arbitrary, cgi
advisories | CVE-2010-1961, OSVDB-65428
MD5 | 5c3b18d426006a838fbb00784751d8a2
Zero Day Initiative Advisory 10-056
Posted Apr 6, 2010
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 10-056 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sun Java Runtime. Authentication is not required to exploit this vulnerability. The specific flaw exists within the code responsible for ensuring proper privileged execution of methods. If an untrusted method in an applet attempts to call a method that requires privileges, Java will walk the call stack and for each entry verify that the method called is defined within a class that has that privilege. However, this does not take into account an untrusted object that has extended the trusted class without overwriting the target method. Additionally, this can be bypassed by abusing a similar trust issue with interfaces. An attacker can leverage these insecurities to execute vulnerable code under the context of the user invoking the JRE.

tags | advisory, java, remote, arbitrary
advisories | CVE-2010-0840
MD5 | 6041ddbcce4537467aef0c1c404932c0
mIRC <= 6.34 PRIVMSG Handling Stack Overflow
Posted Nov 26, 2009
Authored by patrick | Site metasploit.com

This Metasploit module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. This Metasploit module is based on the code by SkD.

tags | exploit, overflow
advisories | CVE-2008-4449
MD5 | 1fa2d5200e77bdabfce3997f80846de0
Debian Linux Security Advisory 1722-1
Posted Feb 11, 2009
Authored by Debian | Site debian.org

Debian Security Advisory 1722-1 - Derek Chan discovered that the PAM module for the Heimdal Kerberos implementation allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to local privilege escalation.

tags | advisory, denial of service, local
systems | linux, debian
advisories | CVE-2009-0361
MD5 | d997aec80b7bec41fe97a3e75c5deb5d
Gentoo Linux Security Advisory 200612-5
Posted Dec 11, 2006
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory GLSA 200612-05 - Kees Cook of Ubuntu discovered that 'KLaola::readBigBlockDepot()' in klaola.cc fills 'num_of_bbd_blocks' while reading a .ppt (PowerPoint) file without proper sanitizing, resulting in an integer overflow subsequently overwriting the heap with parts of the file being read. Versions less than 1.5.0 are affected.

tags | advisory, overflow
systems | linux, gentoo, ubuntu
MD5 | 94307aea25f2bec6f3956f87723fb498
Hardened-PHP Project Security Advisory 2005-20.79
Posted Nov 1, 2005
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

During the development of the Hardening-Patch which adds security hardening features to the PHP codebase, several vulnerabilities within PHP were discovered. This advisory describes one of these flaws concerning a weakness in the file upload code, that allows overwriting the GLOBALS array when register_globals is turned on. Overwriting this array can lead to unexpected security holes in code assumed secure. This vulnerability can allow for remote PHP code execution. Affected versions are PHP4 versions 4.4.0 and below and PHP5 versions 5.0.5 and below.

tags | advisory, remote, php, vulnerability, code execution, file upload
MD5 | a6efeac60044f35b41165f2b5f3e379f
Posted Aug 28, 2005
Authored by c0ntex | Site open-security.org

This short paper discusses the method of overwriting a pointer used in a function for the sake of overwriting the associated entry in the Global Offset Table (GOT) which in turn allows for execution flow redirection.

tags | paper
MD5 | ffbeb2e8b0768454f781f66654e95478
Posted Apr 25, 2002
Authored by Peter Grundl

A format string bug in Foundstone Fscan v1.12 for Windows can result in a malicious service banner overwriting the stack and the EIP on the PC performing the scanning, if banner grabbing is enabled. Fix available here.

systems | windows
MD5 | 2de3733540166fe27765c7a79b8f3da9
Posted Aug 31, 2000
Authored by n30

Product: Account Manager, Versions: ALL including LITE and PRO haven't been able to test ENTERPRISE, OS: Unix and Winnt, Vendor: Notified, http://www.cgiscriptcenter.com/, The Problem: The Script allows any remote user access to the Administration Control Panel through overwriting the Admin Password with one of their own making.

tags | exploit, remote, web
systems | windows, unix
MD5 | d688ddb050336bd0b13139337235f9c8
Posted Jul 11, 2000
Site suse.de

SuSE Security Advisory - Tnef v0-124 and below contains a remote vulnerability. Tnef extracts eMails compressed with MS-Outlook. The compressed file includes the path name to which the decompressed data should be written. When specifing a path name like /etc/passwd and sending a compressed mail to root an adversary could gain remote root access to a system by overwriting the local password database. The same could happen if a mail virus scanner, like AMaVIS, process a malicious mail.

tags | remote, local, root, virus
systems | linux, suse
MD5 | 05a50617640137638c7ed85fbfe25ee1
Posted Jun 2, 2000
Authored by Delphis Security Team | Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0003 - Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool for Microsoft Windows NT v4.0 Server (SP6). Any user who can connect to tcp port 9999 can obtain a copy of the configuration. Secondly, if you pass an oversized buffer of 208 bytes or more within one of the configuration parameters the service will crash overwriting the stack but and the EIP with what ever was passed within the parameter.

tags | exploit, overflow, tcp
systems | windows
MD5 | 371ad1628164e4d12f809de3b737921b
Posted Jun 2, 2000
Authored by Delphis Security Team | Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0007 - Buffer Overrun in ITHouse Mail Server v1.04 for Microsoft Windows NT v4.0 Workstation (SP6). Sending an email via SMTP to an IT House Mail Server with a recipient's name in excess of 2270 bytes causes the IT House Mail Server to buffer overrun overwriting the EIP, allowing an attacker to execute arbitrary code on the the server.

tags | exploit, overflow, arbitrary
systems | windows
MD5 | 9e9784f5d3fcb41dea828855795886c6
Posted Jun 2, 2000
Authored by Delphis Security Team | Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0008 - Buffer Overrun in Sambar Server 4.3 (Production). By using the default finger script shipped with Sambar server it is possible to cause an Buffer overrun in sambar.dll overwriting the EIP allowing the execution of arbitry code.

tags | exploit, overflow
MD5 | c78f2fd93ab8ff311d6559e2ef504664
Posted May 31, 2000
Site cerberus-infosec.co.uk

Cerberus Information Security Advisory (CISADV000525) - The Cerberus Security Team has found a remotely exploitable buffer overrun in two executables that come with PDGSoft's Shopping Cart. Redirect.exe and changepw.exe are both accessable over the web to all users. If supplied an overly long query string both will overflow an internal buffer overwriting the saved return address.

tags | web, overflow
MD5 | 9a4fd0b4f096036bede530683ddaacf3
Page 1 of 1

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By