bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/17930.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

107 lines
No EOL
2.8 KiB
Text
Raw Blame History

#######################################################################
Luigi Auriemma
Application: Cytel Studio: StatXact / LogXact / CrossOver
http://www.cytel.com/Software/LogXact.aspx
http://www.cytel.com/Software/StatXact.aspx
http://www.cytel.com/Software/Crossover.aspx
Versions: <= 9.0.0
Platforms: Windows
Bugs: A] strings stack overflow
B] rows integer overflow
C] CYB USE stack overflow
Exploitation: file
Date: 02 Oct 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"Cytel, the acknowledged leader in exact statistical methods, helped
pioneer exact methods for binary logistic regression and multinomial
regression."
"First introduced in 1987, LogXact is unequivocally the fastest and
most powerful logistic regression analysis software available today."
"With StatXact, Cytel's own powerful algorithms make exact inferences
by permuting the actually observed data, eliminating the need for
distributional assumptions."
#######################################################################
=======
2) Bugs
=======
-------------------------
A] strings stack overflow
-------------------------
Buffer overflow during the copying of the strings in a stack buffer
of 256 bytes.
------------------------
B] rows integer overflow
------------------------
There is an integer overflow in the handling of the rows.
The number of rows (first element of the second line in the file) is
multiplied by the size of the elements (8 for floats, 4 for strings
and so on) and the allocated memory gets overflowed when the elements
are copied one by one.
At the moment I have not seen ways to exploit this vulnerability to
execute code so I report it just as reference.
Both the A and B problems are exploitable with the CY3 ("StatXact 5.0
data") and the CYL ("LogXact data") files.
-------------------------
C] CYB USE stack overflow
-------------------------
Stack overflow in the handling of the USE command of the CYB files.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/cytel_1.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17930.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink