CVE-2008-3811
Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) Fragmentation Support is enabled, allows remote attackers to cause a denial of service (device reload) via segmented SCCP messages, aka Cisco Bug ID CSCsi17020, a different vulnerability than CVE-2008-3810...
CVE-2008-3810
Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) Fragmentation Support is enabled, allows remote attackers to cause a denial of service (device reload) via segmented SCCP messages, aka CSCsg22426, a different vulnerability than CVE-2008-3811...
CVE-2008-3810
Cisco IOS 12.2 and 12.4 are vulnerable when NAT Skinny Call Control Protocol (SCCP) Fragmentation Support is enabled. A series of segmented SCCP messages can cause a reload (DoS) on affected devices. The vulnerability is tied to the NAT SCCP Fragmentation feature introduced in 12.4(6)T, with CVSS...
CVE-2008-3811
Cisco IOS 12.2 and 12.4 devices with NAT SCCP Fragmentation Support enabled are affected by CVE-2008-3811. The vulnerability allows remote attackers to cause a denial of service (device reload) via segmented SCCP messages. Cisco’s advisory indicates fixes are available and provides a workaround: ...
DEBIAN-CVE-2008-3145
The fragment_add_work function in epan/reassemble.c in Wireshark 0.8.19 through 1.0.1 allows remote attackers to cause a denial of service (crash) via a series of fragmented packets with non-sequential fragmentation offset values, which lead to a buffer over-read...
CVE-2007-6282
The IPsec implementation in Linux kernel before 2.6.25 allows remote routers to cause a denial of service (crash) via a fragmented ESP packet in which the first fragment does not contain the entire ESP header and IV...
CVE-2008-1147
A certain pseudo-random number generator (PRNG) algorithm that uses XOR and 2-bit random hops (aka "Algorithm X2"), as used in OpenBSD 2.6 through 3.4, Mac OS X 10 through 10.5.1, FreeBSD 4.4 through 7.0, and DragonFlyBSD 1.0 through 1.10.1, allows remote attackers to guess sensitive values such as I...
CVE-2008-1148
A certain pseudo-random number generator (PRNG) algorithm that uses ADD with 0 random hops (aka "Algorithm A0"), as used in OpenBSD 3.5 through 4.2 and NetBSD 1.6.2 through 4.0, allows remote attackers to guess sensitive values such as (1) DNS transaction IDs or (2) IP fragmentation IDs by observing a...
CVE-2008-1147
CVE-2008-1147 describes a weakness in a PRNG that uses XOR and 2-bit random hops (Algorithm X2) used in OpenBSD 2.6–3.4, macOS 10–10.5.1, FreeBSD 4.4–7.0, and DragonFlyBSD 1.0–1.10.1. The vulnerability allows remote attackers to infer sensitive values such as IP fragmentation IDs by observing a s...
urlevasion.txt
I don't know if it's new, but I coded it during a pentest and I would like to share it with you. It is based on code developed by sinhack research labs: http://sinhack.net/URLFilteringEvasion/sakeru.tx Description: "Fortinet's URL blocking functionality can be bypassed by specially-crafted HTTP...
TippingPoint detection bypass
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC-SecurityPre-Advisory3ComTippingPointIPSDetectionBypass2.pdf CYBSEC S.A. www.cybsec.com Pre-Advisory Name: TippingPoint detection bypass...
OpenBSD - ICMPv6 Fragment Remote Execution
The PoC executes the shellcode int 3 and returns. It overwrites the extfree function pointer on the mbuf and forces a mfreem on the overflowed packet. The Impacket library is used to craft and send packets http://oss.coresecurity.com/projects/impacket.html or download from Debian repositories...
snort-dos.txt
/ DOS Snort Inline Affected Versions: 2.6.1.1, 2.6.1.2, 2.7.0beta Requirements : Frag3 Enabled, Inline, Linux, ipconntrack disabled Antimatt3r [email protected] Offset needs to be supplied that would cause reassembly for different snort fragmentation reassembly policies. Since the first packet...
Snort 2.6.1.1/2.6.1.2/2.7.0 (fragmentation) Remote DoS Exploit
Exploit for multiple platforms in category dos / poc =============================================================== Snort 2.6.1.1/2.6.1.2/2.7.0 fragmentation Remote DoS Exploit =============================================================== / DOS Snort Inline Affected Versions: 2.6.1.1, 2.6.1.2,...
Snort 2.6.1.1/2.6.1.2/2.7.0 (fragmentation) Remote DoS Exploit
No description provided by source. / DOS Snort Inline Affected Versions: 2.6.1.1, 2.6.1.2, 2.7.0beta Requirements : Frag3 Enabled, Inline, Linux, ipconntrack disabled Antimatt3r [email protected] Offset needs to be supplied that would cause reassembly for different snort fragmentation reassemb...
MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
This module exploits a stack buffer overflow in the LSASS service; this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting the 'FragSize' parameter. This module...