
3096 matches found

VulnCheck KEV
added 2012/01/01 12:0 a.m. | 4 views

VulnCheck KEV: CVE-2009-3129

Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset...

CVSS 9.3 | AI score 6.4 | EPSS 0.85731
Exploits: 10 | References: 1
RedHat Linux
added 2011/11/22 4:36 p.m. | 6 views

kernel: b43: allocate receive buffers big enough for max frame len + offset

The dma_rx function in drivers/net/wireless/b43/dma.c in the Linux kernel before 2.6.39 does not properly allocate receive buffers, which allows remote attackers to cause a denial of service (system crash) via a crafted frame...

CVSS 7.8 | AI score 7.2 | EPSS 0.03255
Exploits: 1 | References: 4
Exploit DB
added 2011/09/30 12:0 a.m. | 23 views

WordPress Plugin WP Bannerize 2.8.7 - 'ajax_sorter.php' SQL Injection

source: https://www.securityfocus.com/bid/49893/info The WP Bannerize plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the...

AI score 7.4
Exploits: 0
exploitpack
added 2011/09/29 12:0 a.m. | 16 views

NCSS 07.1.21 - Array Overflow with Write2

NCSS 07.1.21 - Array Overflow with Write2 Luigi Auriemma Application: NCSS aka NCSS 2007 http://www.ncss.com/ncss.html Versions: = 07.1.21 Platforms: Windows Bug: array overflow with write2 Exploitation: file Date: 28 Sep 2011 Author: Luigi Auriemma e-mail: [email protected] web: aluigi.org 1...

AI score 0.6
Exploits: 0
RedHat Linux
added 2011/09/12 7:40 p.m. | 4 views

kernel: drivers/scsi/mpt2sas: prevent heap overflows

drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from...

CVSS 7.2 | AI score 6.1 | EPSS 0.0037
Exploits: 1 | References: 4
RedHat Linux
added 2011/09/06 9:11 p.m. | 4 views

libmodplug: multiple vulnerabilities reported in <= 0.8.8.3

Stack-based buffer overflow in the CSoundFile::ReadS3M function in src/loads3m.cpp in libmodplug before 0.8.8.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted S3M file with an invalid offset...

CVSS 6.8 | AI score 6.4 | EPSS 0.04345
Exploits: 0 | References: 4
rdot
added 2011/08/13 12:0 a.m. | 34 views

Exploit writing tutorial part 3b - SEH Based Exploits - just another example

Author: Peter Van Eeckhoutte (corelanc0d3r). Translation: peaZ, 8/2011. In the previous part of this tutorial I explained the basics of building SEH exploits. I mentioned that, in the simplest case, the payload of an SEH exploit has the following structure: [junk][nextSEH][SEH][Shellcode] I pointed out that SEH must be overwritten...

AI score 7.1
Exploits: 0
Packet Storm
added 2011/07/13 12:0 a.m. | 26 views

Solar FTP 2.1.1 PASV Buffer Overflow

!/usr/bin/python Title: Solar FTP 2.1.1 PASV Command PoC Authors: Craig Freyman @cd1zz and Gerardo Iglesias @iglesiasgg Tested: Windows XP SP3 Vendor Contacted July 11, 2011 Vendor Response: July 12, 2011 - Will fix ASAP, approved release of PoC. Notes: We found different offsets depending on the...

AI score 0.6
Exploits: 0
myhack58
added 2011/06/24 12:0 a.m. | 17 views

Analysis of the postgresql database attack techniques II-vulnerability warning-the black bar safety net

You can see that we have extracted the name of one field; we then keep incrementing the offset value to obtain the other fields, as shown in Figure 9: and 1=2 union select 1,column_name,'3','4' from information_schema.columns where table_name='admins' offset 2 limit 1-- [Figure 9] The field password is...

AI score 7.6
Exploits: 0
RedHat Linux
added 2011/06/21 11:44 p.m. | 1 views

kernel: drivers/scsi/mpt2sas: prevent heap overflows

drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from...

CVSS 7.2 | AI score 6.1 | EPSS 0.0037
Exploits: 1 | References: 4
NVD
added 2011/06/16 8:55 p.m. | 16 views

CVE-2011-0664

Microsoft .NET Framework 2.0 SP1 and SP2, 3.5 Gold and SP1, 3.5.1, and 4.0, and Silverlight 4 before 4.0.60531.0, does not properly validate arguments to unspecified networking API functions, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP)...

CVSS 9.3 | AI score 7.4 | EPSS 0.16006
Exploits: 1 | References: 2
Zero Day Initiative
added 2011/06/14 12:0 a.m. | 24 views

Adobe Shockwave rcsL Trusted Offset Chunk Processing Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...

CVSS 7.5 | AI score 4.5 | EPSS 0.03575
Exploits: 0 | References: 1
0day.today
added 2011/06/11 12:0 a.m. | 24 views

DEC Alpha Linux <= 3.0 Local Root Exploit

Exploit for linux platform in category local exploits / DEC Alpha Linux include include include include include include include include include include define SYSosfwait4 7 define SOCKOFFSET 552 / Offset of skdestruct fptr in sock struct, change for your kernel / define PAGESIZE 8192 / DEC alpha...

AI score 6.8
Exploits: 0
exploitpack
added 2011/06/11 12:0 a.m. | 17 views

Linux Kernel 2.6.283.0 (DEC Alpha Linux) - Local Privilege Escalation

Linux Kernel 2.6.283.0 DEC Alpha Linux - Local Privilege Escalation / DEC Alpha Linux include include include include include include include include include include define SYSosfwait4 7 define SOCKOFFSET 552 / Offset of skdestruct fptr in sock struct, change for your kernel / define PAGESIZE 819...

AI score 0.6
Exploits: 0
Tenable Nessus
added 2011/05/20 12:0 a.m. | 47 views

RHEL 6 : Red Hat Enterprise Linux 6.1 kernel (RHSA-2011:0542)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:0542 advisory. - kvm: arch/x86/kvm/x86.c: reading uninitialized stack memory CVE-2010-3881 - kernel: unlimited socket backlog DoS CVE-2010-4251,...

CVSS 9 | AI score 6.6 | EPSS 0.03922
Exploits: 5 | References: 289
RedHat Linux
added 2011/05/19 11:46 a.m. | 2 views

kernel: drivers/scsi/mpt2sas: prevent heap overflows

drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from...

CVSS 7.2 | AI score 6.1 | EPSS 0.0037
Exploits: 1 | References: 4
Packet Storm
added 2011/05/18 12:0 a.m. | 36 views

Sonique 1.96 Buffer Overflow

Application: Sonique BOF EIP Overwrite Version: 1.96 Author: Securityxxxpert Date Submitted: May 17, 2011 Download Link: http://www.tucows.com/preview/193562 Tested on: Windows XP SP3 EIP Overwritten: 239 Bytes Pita Bytes: 0x00 0x83 0x88 0x93 Notes: Not universal, find your own offsets if not SP3...

AI score 0.2
Exploits: 0
OSV
added 2011/05/03 8:55 p.m. | 6 views

CVE-2011-1522

Multiple SQL injection vulnerabilities in the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery function in Doctrine 1.x before 1.2.4 and 2.x before 2.0.3 allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset field...

AI score 8.3
Exploits: 0 | References: 8
OSV
added 2011/05/03 8:55 p.m. | 4 views

DEBIAN-CVE-2011-1522

Multiple SQL injection vulnerabilities in the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery function in Doctrine 1.x before 1.2.4 and 2.x before 2.0.3 allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset field...

CVSS 7.5 | AI score 8.8 | EPSS 0.02019
Exploits: 0 | References: 1
Debian CVE
added 2011/05/03 8:0 p.m. | 24 views

CVE-2011-1522

Multiple SQL injection vulnerabilities in the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery function in Doctrine 1.x before 1.2.4 and 2.x before 2.0.3 allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset field...

CVSS 7.5 | AI score 8.4 | EPSS 0.02019
Exploits: 0