ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
48 lines
No EOL
1.9 KiB
Text
48 lines
No EOL
1.9 KiB
Text
# TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability
|
|
#
|
|
#
|
|
# Vendor: TECO Electric and Machinery Co., Ltd.
|
|
# Product web page: http://www.teco-group.eu
|
|
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
|
|
# Affected version: 1.094
|
|
#
|
|
# Summary: AP-PCLINK is the supportive software for TP03 or AP series, providing
|
|
# three edit modes as LADDER, IL, FBDand SFC, by which programs can be input rapidly
|
|
# and correctly. Every form written into the TP03 or AP series and AP-PCLINK can
|
|
# be monitored in the form of the data.
|
|
#
|
|
# Desc: The vulnerability is caused due to a boundary error in the processing
|
|
# of a project file, which can be exploited to cause a buffer overflow when a
|
|
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
|
|
# allow execution of arbitrary code on the affected machine.
|
|
#
|
|
# ---------------------------------------------------------------------------------
|
|
# Critical error detected c0000374
|
|
# (1950.ff0): Break instruction exception - code 80000003 (first chance)
|
|
# eax=00000000 ebx=00000000 ecx=76f70b42 edx=0018d98d esi=00360000 edi=41414141
|
|
# eip=76fce725 esp=0018dbe0 ebp=0018dc58 iopl=0 nv up ei pl nz na po nc
|
|
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
|
|
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
|
|
# 76fce725 cc int 3
|
|
# ---------------------------------------------------------------------------------
|
|
#
|
|
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
|
|
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
|
|
#
|
|
#
|
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
# @zeroscience
|
|
#
|
|
#
|
|
# Advisory ID: ZSL-2015-5278
|
|
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5278.php
|
|
#
|
|
#
|
|
# 09.10.2015
|
|
#
|
|
|
|
|
|
PoC:
|
|
|
|
- http://zeroscience.mk/codes/aptpc-5278.zip
|
|
- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38703.zip |