Proofs of Concept
echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload
C) "Cherokee" log escape sequence injection
The following Proof Of Concept can be used in order to verify the
vulnerability.
curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
D) "thttpd" log escape sequence injection
------------------------------------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton
(urbanadventurer) from MorningStar Security.
8. Technical Description / Proof of Concept
------------------------------------------------------------------------------------------------------------------------
8.1 Introduction
Many past advisories have been published for Cute News. An unpatched LFI
This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].
8. *Technical Description / Proof of Concept Code*
8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value
leads to attacker controlled pointer usage [MSRC 9368]*
----------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton
(urbanadventurer) from MorningStar Security.
8. Technical Description / Proof of Concept
----------------------------------------------------------------------------------------------
8.1 Introduction
Open Auto Classifieds powers many car dealer websites. No advisories for
*Credits*
This vulnerability was discovered by Lucas Lavarello from the CORE
Security Consulting Services (CORE SCS) team.
*Technical Description / Proof of Concept Code*
The standard protocol that AIM clients use to communicate is called OSCAR
(Open System for CommunicAtion in Realtime), which is a closed protocol
also used by AOL's secondary Instant Messaging client, ICQ (I Seek You).
On top of the OSCAR protocol, AIM clients have implemented support for
O 0 LastErr 00000000 ERROR_SUCCESS
EFL 00250202 (NO,NB,NE,A,NS,PO,GE,G)
...
The rest is omitted.
For more information see Proof of Concept screen shot.
Proof of Concept code:
http://www.kil13r.info/data/aaa.zip
Proof of Concept screen shot:
7. *Credits*
This vulnerability was discovered by Nicolas Economou from Core Security
Technologies. Technical analysis and proof-of-concept tools were
developed by Nicolas Economou and Diego Juarez from Core's Exploit
Writers Team.
8. *Technical Description / Proof of Concept Code*
Olea and Nahuel Riva from Core Security Technologies. Publication of
this advisory was coordinated by Carlos Sarraute from Core Security
Advisories team.
8. *Technical Description / Proof of Concept Code*
XnView is prone to a security vulnerability when processing MBM files.
The version used in our tests is XnView 1.97.4 running on Windows 2000
SP4. By enticing the user of XnView to open a specially crafted file, a
remote attacker may exploit this vulnerability to gain arbitrary code
This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].
8. *Technical Description / Proof of Concept Code*
An exploitable vulnerability was found in Windows Movie Maker, which can
be triggered by a remote attacker by sending a specially crafted .MSWMM
file and enticing the user to open it. This vulnerability results in a
write access violation and can lead to remote code execution.
This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Consulting Services (SCS). Additional research
was made by Federico Muttis from Core Security Exploit Writers Team (EWT).
8. *Technical Description / Proof of Concept Code*
Internet Explorer uses a feature known as URL Security Zones [2], which
defines a set of privileges for Web sites and applications depending on
their apparent level of trustworthiness. The zones available in the
product include:
The WebCacheCleaner ActiveX Control provides the method FileDelete()
which, working as advertised, allows the attacker to delete arbitrary
files on the client.
=== Proof of Concept 1 (VBScript) ===
dim o
Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
o.FileDelete("c:\bla\bla")
Since more than enough \..\..\ sequences will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can,
for example, overwrite a critical system file, or create a file in the Autostart
folder.
See Proof of Concept exploit at the bottom of this advisory.
2. Remote FTP DoS
When connecting to a malformed FTP, the Unreal Commander sends a CWD /
command. If the malformed FTP replies with a "550 CWD Operation not permitted"
These vulnerabilities were discovered and researched by Oren Isacson
from Core Security Technologies.
7. *Technical Description / Proof of Concept Code*
Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.
While working on an exploit for the vulnerabilities disclosed in the
This vulnerability was discovered and researched by Anibal Sacco from
the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
This vulnerability identified in CUPS is caused by a bad 'ip' structure
initialization in the function 'ippReadIO()', located in 'cups/ipp.c',
when processing a specially crafted IPP (Internet Printing Protocol) request
with two consecutive 'IPP_TAG_UNSUPPORTED' tags. This flaw could be
These vulnerabilities were discovered and researched by Federico Muttis,
from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
Multiple cross-site scripting vulnerabilities have been found in
Openfire, which may lead to arbitrary remote code execution on the
server running Openfire, due to unauthorized upload of Java plugin
code.
the fact that it is possible to send a malicious attachment with a
seemingly innocuous file name and extension, and have the Lotus Notes
client show a graphic icon for the attachment that corresponds to the
filename extension and not to the actual contents of the file.
Proof of concept snippets
The following snippet of Python code generates a .123 file that triggers
the bug when it is processed by vulnerable versions of the library. The
proof-of-concept file will only trigger an exception for debugging
purposes (int 3) but it makes it evident that exploitation of the bug in
order to execute any arbitrary code is possible.
6. Technical description
6.1. NTLMv1 authentication protocol
6.2. The Flaws
6.3. Detecting if the SMB service generates duplicate 8-byte challenges
6.4. Exploiting duplicate challenges
6.4.1. Proof-of-Concept Exploit
6.5. Predicting challenges
6.5.1. SMB service: challenge generation process
6.5.2. Proof-of-Concept Exploit
7. References
8. Disclaimer
This condition occurs if a TEL URI is activated at the same time
Safari is closed by launching an external application, for example
launching the SMS application (in order to handle an SMS URI [2]). The
SMS application can be launched through placing an SMS URI as the
source of an iframe. This is shown in the first proof-of-concept
exploit below.
Further investigation showed that this behavior can be reproduced by
launching other applications such as: Maps, YouTube, and iTunes.
Launching these applications can be achieved through loading special
SiteX CMS contains third-party scripts from FCKeditor. One of them is:
"includes/fck/editor/filemanager/upload/php/upload.php". This particular
script does not have any checks against user validity and anyone can try
to upload files to SiteX-powered website.
Here is proof-of-concept file for testing:
------------>[proof-of-concept]<-----------
<html>
<body>
<center>
/*
Family Connection <= 1.8.2 - Remote Command Execution
Proof of Concept - Written by Salvatore "drosophila" Fresta
The following software will create a file (rce.php) in the
specified path using Blind SQL Injection bug. To exec remote
commands, you must open the file using a browser.
arbitrary constant count. The player then parses constant values
(strings) from the string table, and continues reading null terminated
strings in the adjacent tag data, eventually reading from memory
adjacent to the Flash movie. References to these values are stored in
a table of constants that can be later accessed using a set of action
records. A proof of concept was developed and presented to the vendor
to demonstrate the threat of read beyond bounds issues to complex file
formats such as the SWF file format.
Finally, other issues were found that suggest the lack of validation
on the contents of the dictionary data structure. Elements in the
This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Technologies.
*Technical Description / Proof of Concept Code*
Internet Explorer is the most popular Internet browser in the world as
it is an integrated component of every Windows installation. It
introduces the concept of URL Security Zones, as explained in [2], which
basically define a set of privileges for web applications (such as
This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
*Technical Description / Proof of Concept Code*
The WePO ActiveX component has a parameter named "mainurl" that
indicates the local file name or the URL from where to retrieve the
content to print:
Carvalho, from the Core Security Consulting Services (SCS) team of Core
Security Technologies during Bugweek 2007. Additional research was done
by Ricardo Narvaja from the CORE IMPACT Exploit Writers Team (EWT).
*Technical Description / Proof of Concept Code*
Three vulnerabilities discovered in the iCal application may allow
unauthenticated attackers to execute arbitrary code on vulnerable
systems with (and potentially without) the assistance of the end user
of the application, or to repeatedly execute a denial of service attack
Technical Details:
Normal input for the 'LngId' parameter contains a code such as ENG, DEU, JP, denoting the language type. This parameter is not properly validated and the injection of SQL statements within it allows attackers unrestricted access to enumerate information from the database. For example:
https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '' ORDER BY 1;-- &DisableAutoLogin=1
Proof of Concept:
A Proof of Concept (RDdbenum.py) has been developed to automate enumeration of entire database content available from http://www.irmplc.com/Tools/RDdbenum.py
Workaround / Solutions:
There are no known workarounds for this vulnerability.