    return (1);
}

void find_leaked_memory(void)
{
    char buffer[0x1000];
    char *base;
    int r, w;

    /* search the high address memory area */
    for (base = (char *) 0x80000000; base < (char *)
2. *Vulnerability Information*
Class: Heap-based Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 37980
CVE Name: N/A
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Authorization bypass, Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34035
CVE Name: CVE-2009-0836, CVE-2009-0837
First of all, to build polymorphic code we have to be sure we have all the
requirements for the concept: polymorphic code must be unpredictable, which
means random. I chose MS02-039[1] because it meets all the requirements for
this proof of concept:
1. Microsoft Windows Buffer Overflow[2];
2. The buffer to overflow is not too big;
3. More than just one Return Address[3];
4. An incredibly high number of writable addresses in SQLSORT.DLL
alone[4].
phion Security Advisory 21/10/2008
Microsoft VISTA TCP/IP stack buffer overflow
Summary
-----------------------------
The Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable buffer overflow that corrupts kernel memory.
Affected Systems
-----------------------------
# Exploit Title: Triologic Media Player 8 (.m3u) Local Universal Unicode Buffer Overflow [SEH]
# Date: August 17, 2010
# Author: Glafkos Charalambous (glafkos[@]astalavista[dot]com)
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows XP SP3 En
# Thanks: muts, ishtus
# Greetz: Astalavista, OffSEC, Exploit-DB
buffer = "\x41" * 536 # buffer
Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities
iDefense Security Advisory 08.21.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 21, 2007
I. BACKGROUND
Trend Micro Inc.'s ServerProtect is anti-virus software for Microsoft
Windows and Novell NetWare servers. It enables network administrators to
string of keyboard mappings is loaded, using the "execute" command,
with no sanitization of the "b:netrw_curdir" variable, which holds the
current directory name. In function s:BrowserMaps():

    if s:didstarstar || !mapcheck("<s-up>","n")
      nnoremap <buffer> <silent> <s-up> :Pexplore<cr>
    endif
    if g:netrw_mousemaps == 1
      nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
      nnoremap <buffer> <silent> <middlemouse>
The drivers SABProcEnum.sys/SASENUM.sys define two IOCTL codes for
device control.
Both control codes are used for object name retrieval, through the
ZwQueryObject() method or the
ObReferenceObjectByHandle()/ObQueryNameString() methods. The input
buffers for both IRP packets include user-mode pointers that are
completely user-controllable. However, no checks are made for NULL
pointers, invalid input buffer length, or otherwise invalid pointers, so
a user can pass a NULL input buffer and thus cause a BSOD.
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
HP OpenView Buffer Overflows
1. *Advisory Information*
Title: HP OpenView Buffer Overflows
Title:
======
Format Factory v2.95 - Buffer Overflow Vulnerabilities
Date:
=====
2012-05-02
Title:
======
Format Factory v2.95 - Buffer Overflow Vulnerabilities + VD
Date:
=====
2012-05-02
III. Detailed Description
A. Stack-based Buffer Overflow (CVE-2009-0839)
Severity: Medium/High
A buffer overflow that could allow for the execution of arbitrary
code exists in the "mapserv" CGI program. In mapserv.c are the
following lines of code:
http://www.doomsdayhq.com
http://www.dengine.net
http://sourceforge.net/projects/deng/
Versions: <= 1.9.0-beta5.1 and current SVN
Platforms: Windows, Linux and Mac
Bugs: A] D_NetPlayerEvent global buffer-overflow using PKT_CHAT
B] Msg_Write global buffer-overflow through PKT_CHAT
C] undelimited strcpy in PKT_CHAT
D] integer overflow in PKT_CHAT
E] static buffer-overflow in NetSv_ReadCommands
F] client format string through PSV_CONSOLE_TEXT
=======
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:
* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability
Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based
terminals write scrollback buffer data to /tmp filesystem
Report date: 2011-03-06
Reported by: Mark Krenz
Severity: High depending on use and expectations
[*] Version : 1.0
[*] Vendor : George Fesalides
[*] URL : http://sourceforge.net/projects/somplmp3/files/
[*] URL2 : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
[*] Platform : Windows
[*] Type of vulnerability : Buffer Overflow
[*] Risk rating : Medium
[*] Issue fixed in version : ???
[*] Vulnerability discovered by : Rick2600
[*] Greetings to : corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r
@@ -60,10 +60,23 @@ struct encoder_baton {
apr_pool_t *pool;
};
+/* This is at least as big as the largest size of an integer that
+ encode_int can generate; it is sufficient for creating buffers for
+ it to write into. This assumes that integers are at most 64 bits,
+ and so 10 bytes (with 7 bits of information each) are sufficient to
+ represent them. */
+#define MAX_ENCODED_INT_LEN 10
+/* This is at least as big as the largest size for a single instruction. */
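Review bot: the 64-bit assumption behind MAX_ENCODED_INT_LEN lives only in the comment, so any buffer sized with it would silently become too small if encode_int were ever handed a wider integer type; consider adding a compile-time check that ties the constant to the width of the type encode_int actually consumes (a static assertion on sizeof, or deriving the 10 from (bits + 6) / 7) rather than relying on the comment alone. The arithmetic itself is right: ceil(64 / 7) = 10 seven-bit groups.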
1. *Advisory Information*
Title: Amaya web editor XML and HTML parser vulnerabilities
Advisory ID: CORE-2008-1211
Advisory URL: http://www.coresecurity.com/content/amaya-buffer-overflows
Date published: 2009-01-28
Date of last update: 2009-01-26
Vendors contacted: INRIA
Release mode: Coordinated release
======================================================================
Secunia Research 25/08/2008
- Novell iPrint Client ActiveX Control Multiple Buffer Overflows -
======================================================================
Table of Contents
Affected Software
Abstract
------------------------------------------------------------------------
An integer overflow vulnerability has been discovered in the
EncoderParameter class of the .NET Framework. Exploiting this
vulnerability causes an integer to overflow before it is used to allocate
a buffer on the heap. After the undersized allocation, one or more
user-supplied buffers are copied into the new buffer, resulting in a
corruption of the heap.
By exploiting this vulnerability, it is possible for an application
running with Partial Trust permissions to break from the CLR sandbox
n.runs-SA-2009.001 15-May-2009
________________________________________________________________________
Vendor: Apple Inc., http://www.apple.com
Affected Products: Mac OS X 10.5.6
Vulnerability: Heap-based buffer overflow in CFNetwork component
(remote)
Risk: HIGH
________________________________________________________________________
Vendor communication:
-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow
Copyright (c) 2008 Moritz Jodeit <moritz@jodeit.org> (2008/11/08)
-----------------------------------------------------------------
Application details:
From http://www.clamav.net/:
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Anzio Web Print Object Buffer Overflow
*Advisory Information*
Title: Anzio Web Print Object Buffer Overflow
Title:
======
AnvSoft Any Video Converter 4.3.6 - Multiple Buffer Overflow Vulnerabilities
Date:
=====
2012-04-08
1. *Advisory Information*
Title: Novell iManager Multiple Vulnerabilities
Advisory Id: CORE-2010-0316
Advisory URL: http://www.coresecurity.com/content/novell-imanager-buffer-overflow-off-by-one-vulnerabilities
Date published: 2010-06-23
Date of last update: 2010-06-23
Vendors contacted: Novell
Release mode: User release
------------------------------------------------------------------------
yTNEF/Evolution TNEF Attachment decoder plugin directory traversal &
buffer overflow vulnerabilities
------------------------------------------------------------------------
Yorick Koster, June 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
NASA BigView Stack Buffer Overflow
*Advisory Information*
Title: NASA BigView Stack Buffer Overflow
Asterisk Project Security Advisory - AST-2007-022
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Buffer overflows in voicemail when using IMAP |
| | storage |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Remotely and locally exploitable buffer overflows |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server
*Advisory Information*
Title: Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server