This archive contains all of the 156 exploits added to Packet Storm in September, 2013.
freeFTPd 1.0.10 and below contains an overflow condition that is triggered because user-supplied input is not properly validated when handling a specially crafted PASS command. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or execution of arbitrary code. freeFTPd must have an account configured with anonymous user authorization.
This Metasploit module exploits a use-after-free vulnerability that targets Internet Explorer 9 on Windows 7. The flaw most likely exists in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other language regions such as English, Chinese and Korean were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker can first set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element and one for the child. When the setCapture() call for the child element is made, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees a 0x54-byte memory block. The exact size of this block may differ based on the version of IE. After the free, an invalid reference is still kept and passed on to further functions, eventually arriving in MSHTML!CTreeNode::GetInterface and causing a crash (or arbitrary code execution) when this function attempts to use the reference to call what appears to be a PrivateQueryInterface, judging by the offset (0x00). To mimic the exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
SimpleRisk version 20130915-01 suffers from cross site request forgery and cross site scripting vulnerabilities.
Firefox for Android versions prior to 24 suffer from a same-origin bypass vulnerability via symbolic links.
HylaFAX+ versions 5.2.4 through 5.5.3 suffer from a buffer overflow vulnerability. The code path for authenticating users via LDAP allocates a 255-byte buffer (via the C++ "new" operator), and then "strcats" user-supplied data buffered from the inbound FTP control channel. Other code limits the amount of copied data to 506 bytes, and truncates on NULL and "\n". Thus it is possible for an unauthenticated remote attacker to overflow the heap with a limited character set.
Abuse HTTP Server version 2.8 suffers from a remote denial of service vulnerability. Proof of concept Python code is included.
ASUS RT-N66U suffers from a cross site request forgery vulnerability that allows for arbitrary command execution.
Byword versions prior to 2.1 allow for a remote file overwrite attack.
Tenda wireless router version W309R allows configuration enumeration without authentication. An NSE script is included for exploitation along with an advisory.
PHP IDNA Convert version 0.8.0 suffers from a cross site scripting vulnerability.
Icy Phoenix CMS version 2.0 suffers from a cross site scripting vulnerability.
This Metasploit module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain admin access. From an admin session arbitrary PHP code upload is possible. It is used to add the final PHP payload to "/usr/local/astium/web/php/config.php" and execute the "sudo /sbin/service astcfgd reload" command to reload the configuration and achieve remote root code execution.
mod_accounting version 0.5 suffers from a remote blind SQL injection vulnerability.
XAMPP version 1.8.1 allows an unprivileged user the ability to write to the local disk.
The LinkedIn social network suffers from multiple cross site scripting vulnerabilities.
For node.js applications that parse user-supplied YAML input using the load() function from the 'js-yaml' package in versions below 2.0.5, specifying a self-executing function allows an attacker to execute arbitrary JavaScript code. This Metasploit module demonstrates that behavior.
X2CRM version 3.4.1 suffers from cross site scripting and local file inclusion vulnerabilities.
This Metasploit module exploits a vulnerability found in ZeroShell 2.0 RC2 and lower. It leverages an unauthenticated local file inclusion vulnerability in the "/cgi-bin/kerbynet" URL. The file retrieved is "/var/register/system/ldap/rootpw", which contains the admin password in cleartext. The password is used to log in as the admin user. After authentication is complete, the module uses the RunScript action to execute the payload with root privileges.
IBM AIX versions 6.1 and 7.1 local root privilege escalation exploit.
Google Chrome version 31.0 suffers from an auditor bypass that allows cross site scripting attacks to succeed.
WordPress Miniaudioplayer plugin suffers from a cross site scripting vulnerability. Note that this advisory has site-specific information.
WordPress LBG Zoominoutslider plugin suffers from a cross site scripting vulnerability. Note that this advisory has site-specific information.
Good for Enterprise iOS application versions 2.2.2.1611 and below suffer from a cross site scripting vulnerability.
WordPress Sharebar plugin version 1.2.5 suffers from a cross site scripting vulnerability. Note that this advisory has site-specific information.