Land #8940, @h00die's second round of desc fixes
One ninja edit along the way as well.
bug/bundler_fix
commit 5f66b7eb1a
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
|
||||
The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
|
||||
file uploads and handles zip file contents in a insecure way. By combining both weaknesses,
|
||||
file uploads and handles zip file contents in an insecure way. By combining both weaknesses,
|
||||
a remote attacker can accomplish remote code execution. Note that this will only work if the
|
||||
target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
|
||||
against null byte injection in file names. This module has been tested successfully on version
|
||||
|
|
|
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Note: You have the option to use the authentication bypass or not since it requires
|
||||
that the server is rebooted. The password reset will render the authentication useless.
|
||||
Typically, if an administrator cant login, they will bounce the box. Therefore, this
|
||||
module performs a heart beat request until the box is bounced and then attempts to login
|
||||
module performs a heartbeat request until the box is bounced and then attempts to login
|
||||
and to perform the command injection. This module has been tested on version 2.6.1062r1
|
||||
of the appliance.
|
||||
},
|
||||
|
|
|
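Review bot: The context line "Typically, if an administrator cant login, they will bounce the box." still has two slips next to the heartbeat fix: "cant" needs its apostrophe and the verb is "log in". The same applies to "attempts to login" on the corrected line. Suggest "can't log in" and "attempts to log in" so the paragraph is consistent after this pass.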
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated
|
||||
by the vendor.
|
||||
|
||||
Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it
|
||||
Although the mitigation in place will prevent uptime_file_upload_1.rb from working, it
|
||||
can still be bypassed and gain privilege escalation, and allows the attacker to upload file
|
||||
again, and execute arbitrary commands.
|
||||
},
|
||||
|
|
|
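Review bot: The sentence that continues after the "mitigation" fix is still ungrammatical: "it can still be bypassed and gain privilege escalation, and allows the attacker to upload file again". The subject switches mid-sentence and "upload file" lacks an article. Suggest something like "it can still be bypassed to gain privilege escalation, allowing the attacker to upload a file again and execute arbitrary commands."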
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
vTiger CRM allows an authenticated user to upload files to embed within documents.
|
||||
Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP
|
||||
script and execute aribtrary PHP code remotely.
|
||||
script and execute arbitrary PHP code remotely.
|
||||
|
||||
This module was tested against vTiger CRM v5.4.0 and v5.3.0.
|
||||
},
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
vTiger CRM allows an user to bypass authentication when requesting SOAP services.
|
||||
vTiger CRM allows a user to bypass authentication when requesting SOAP services.
|
||||
In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
|
||||
service. By combining both vulnerabilities an attacker can upload and execute PHP
|
||||
code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in WebPageTest's Upload Feature. By
|
||||
default, the resultimage.php file does not verify the user-supplied item before
|
||||
saving it to disk, and then places this item in the web directory accessable by
|
||||
saving it to disk, and then places this item in the web directory accessible by
|
||||
remote users. This flaw can be abused to gain remote code execution.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in WikkaWiki. When the spam logging
|
||||
feature is enabled, it is possible to inject PHP code into the spam log file via the
|
||||
UserAgent header , and then request it to execute our payload. There are at least
|
||||
UserAgent header, and then request it to execute our payload. There are at least
|
||||
three different ways to trigger spam protection, this module does so by generating
|
||||
10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a post-auth vulnerability found in X7 Chat versions
|
||||
2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
|
||||
2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
|
||||
uses preg_replace() function with the /e modifier. This allows a remote
|
||||
authenticated attacker to execute arbitrary PHP code in the remote machine.
|
||||
},
|
||||
|
|
|
@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
ZABBIX allows an administrator to create scripts that will be run on hosts.
|
||||
An authenticated attacker can create a script containing a payload, then a host
|
||||
with an IP of 127.0.0.1 and run the abitrary script on the ZABBIX host.
|
||||
with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.
|
||||
|
||||
This module was tested againt Zabbix v2.0.9.
|
||||
This module was tested against Zabbix v2.0.9.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Novell ZENworks Configuration Management Remote Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a code execution flaw in Novell ZENworks Configuration
|
||||
Management 10 SP3 and 11 SP2. The vulnerability exists in the ZEnworks Control
|
||||
Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control
|
||||
Center application, allowing an unauthenticated attacker to upload a malicious file
|
||||
outside of the TEMP directory and then make a second request that allows for
|
||||
arbitrary code execution. This module has been tested successfully on Novell
|
||||
|
|
|
@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Zpanel Remote Unauthenticated RCE',
|
||||
'Description' => %q{
|
||||
This module exploits an information disclosure vulnerability
|
||||
in Zpanel. The vulnerability is due to a vulnerable version
|
||||
in ZPanel. The vulnerability is due to a vulnerable version
|
||||
of pChart used by ZPanel that allows unauthenticated users to read
|
||||
arbitrary files remotely on the file system. This particular module
|
||||
utilizes this vulnerability to identify the username/password
|
||||
|
|
|
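Review bot: The description now says "ZPanel" throughout, but the 'Name' field in the same hunk still reads 'Zpanel Remote Unauthenticated RCE'. If the product casing is being normalised, the Name should follow, or the inconsistency should be noted as deliberate (for example to avoid changing a user-visible module title).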
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',
|
||||
'Description' => %q{
|
||||
This module abuses the "RunScript" procedure provided by the SOAP interface of
|
||||
Adobe InDesign Server, to execute abritary vbscript (Windows) or applescript(OSX).
|
||||
Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).
|
||||
|
||||
The exploit drops the payload on the server and must be removed manually.
|
||||
},
|
||||
|
|
|
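Review bot: The 'Name' line still spells the product 'Adobe IndesignServer 5.5' while the description uses "Adobe InDesign Server". Worth aligning in the same pass. On the corrected line, "vbscript" and "applescript" are also product names and would normally be written "VBScript" and "AppleScript".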
@ -12,13 +12,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Legend Perl IRC Bot Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a remote command execution on the Legend Perl IRC Bot .
|
||||
This module exploits a remote command execution on the Legend Perl IRC Bot.
|
||||
This bot has been used as a payload in the Shellshock spam last October 2014.
|
||||
This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
|
||||
UDP flooding, the ability to remove system logs, and ability to gain root, and
|
||||
VNC scanning.
|
||||
|
||||
Kevin Stevens, a Senior Threat Researcher at Damballa has uploaded this script
|
||||
Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script
|
||||
to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
|
||||
},
|
||||
'Author' =>
|
||||
|
|
|
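Review bot: Two wording issues remain in the untouched lines of this description. "the Shellshock spam last October 2014" mixes a relative and an absolute date; "in October 2014" reads correctly regardless of when the module is viewed. "with a md5 of" should be "with an MD5 of". The list "the ability to remove system logs, and ability to gain root, and VNC scanning" would also read better with a single final "and".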
@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
In order to trigger arbitrary remote code execution, the best way seems to
|
||||
be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or
|
||||
a fileformat that OS X might automount), and then execute it in /Volumes/[share].
|
||||
a file format that OS X might automount), and then execute it in /Volumes/[share].
|
||||
If there's some kind of bug that leaks the victim machine's current username,
|
||||
then it's also possible to execute the payload in /Users/[username]/Downloads/,
|
||||
or else bruteforce your way to getting that information.
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack buffer overflow in the web server provided with the EvoCam
|
||||
program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload
|
||||
from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,
|
||||
3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerablity.
|
||||
3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
Note: If the user has locked the Date/Time preferences, requests to overwrite
|
||||
the system clock will be ignored, and the module will silently fail. However,
|
||||
if the "Require an administrator password to access locked preferences" setting
|
||||
is not enabled, the Date/Time preferences are often unlocked everytime the admin
|
||||
is not enabled, the Date/Time preferences are often unlocked every time the admin
|
||||
logs in, so you can install persistence and wait for a chance later.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits the argument injection vulnerabilty
|
||||
This module exploits the argument injection vulnerability
|
||||
in the telnet daemon (in.telnetd) of Solaris 10 and 11.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'LifeSize Room Command Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerable resource in LifeSize
|
||||
Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize
|
||||
Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize
|
||||
Room is an appliance and thus the environment is limited
|
||||
resulting in a small set of payload options.
|
||||
},
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
info,
|
||||
'Name' => 'at(1) Persistence',
|
||||
'Description' => %q(
|
||||
This module achieves persisience by executing payloads via at(1).
|
||||
This module achieves persistence by executing payloads via at(1).
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DisclosureDate' => 'Jan 18 2013',
|
||||
'Description' => %q(
|
||||
The login component of the Polycom Command Shell on Polycom HDX
|
||||
video endpints, running software versions 3.0.5 and earlier,
|
||||
video endpoints, running software versions 3.0.5 and earlier,
|
||||
is vulnerable to an authorization bypass when simultaneous
|
||||
connections are made to the service, allowing remote network
|
||||
attackers to gain access to a sandboxed telnet prompt without
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By
|
||||
supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary
|
||||
commands under root priviages.
|
||||
commands under root privileges.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits an arbitrary command execution vulnerability in the
|
||||
AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
|
||||
payloads are recommended with this module. The vulnerability is only
|
||||
present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
|
||||
present when AllowToUpdateStatsFromBrowser is enabled in the AWStats
|
||||
configuration file (non-default).
|
||||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Barracuda IMG.PL Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary command execution vulnerability in the
|
||||
Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
|
||||
Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
|
||||
},
|
||||
'Author' => [ 'Nicolas Gregoire <ngregoire[at]exaprobe.com>', 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and
|
||||
possibly prior. Attackers can abuse the upload feature in order to upload a
|
||||
malicious PHP file without authentication, which results in arbitary remote code
|
||||
malicious PHP file without authentication, which results in arbitrary remote code
|
||||
execution.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the JCE component for Joomla!, which
|
||||
This module exploits a vulnerability in the JCE component for Joomla!, which
|
||||
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
|
||||
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
|
||||
request, a remote attacker could exploit this vulnerability to upload a malicious PHP
|
||||
|
|
|
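Review bot: The before and after versions of the first description line are visually identical here, so this looks like a whitespace-only change, while the real defect two lines down is left in place: "caused by the fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP request" is not a grammatical sentence. Suggest "caused by a failure to sufficiently sanitize user-supplied input. By sending a specially crafted HTTP request, a remote attacker could ...".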
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and
|
||||
possibly prior. Attackers can bypass the file extension check and abuse the upload
|
||||
feature in order to upload a malicious PHP file without authentication, which
|
||||
results in arbitary remote code execution.
|
||||
results in arbitrary remote code execution.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'PhpMyAdmin Config File Code Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in PhpMyAdmin's setup
|
||||
This module exploits a vulnerability in phpMyAdmin's setup
|
||||
feature which allows an attacker to inject arbitrary PHP
|
||||
code into a configuration file. The original advisory says
|
||||
the vulnerability is present in phpMyAdmin versions 2.11.x
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a PHP code injection in SPIP. The vulnerability exists in the
|
||||
connect parameter and allows an unauthenticated user to execute arbitrary commands
|
||||
with web user privileges. Branchs 2.0, 2.1 and 3 are concerned. Vulnerable versions
|
||||
with web user privileges. Branches 2.0, 2.1 and 3 are concerned. Vulnerable versions
|
||||
are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and
|
||||
has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu
|
||||
and Fedora linux distributions.
|
||||
|
|
|
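Review bot: "Fedora linux distributions" in the last context line should capitalise "Linux", and the version list "<2.0.21, <2.1.16 and < 3.0.3" is spaced inconsistently. "Branches 2.0, 2.1 and 3 are concerned" is also an unidiomatic rendering; "are affected" matches the wording used in the other module descriptions in this commit.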
@ -17,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
which could be abused to allow unauthenticated users to execute arbitrary code
|
||||
under the context of the web server user.
|
||||
|
||||
The issue comes with one of the 3rd party components. Name of that components is
|
||||
ELFinder -version 2.0-. This components comes with default example page which
|
||||
The issue comes with one of the 3rd party components. Name of that component is
|
||||
ELFinder -version 2.0-. This component comes with default example page which
|
||||
demonstrates file operations such as upload, remove, rename, create directory etc.
|
||||
Default configuration does not force validations such as file extension, content-type etc.
|
||||
Thus, unauthenticated user can upload PHP file.
|
||||
|
|
|
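Review bot: Fixing "components" to "component" leaves the two sentences awkward: "Name of that component is ELFinder -version 2.0-. This component comes with default example page" is missing articles and uses dashes as brackets. Suggest "That component is ELFinder version 2.0, which comes with a default example page that demonstrates ...", and "Thus, an unauthenticated user can upload a PHP file." for the closing line.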
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Tuleap PHP Unserialize Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be
|
||||
This module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 which could be
|
||||
abused to allow authenticated users to execute arbitrary code with the permissions of the
|
||||
web server. The dangerous unserialize() call exists in the 'src/www/project/register.php'
|
||||
file. The exploit abuses the destructor method from the Jabbex class in order to reach a
|
||||
|
|
|
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also,
|
||||
if the 'TwikiPage' option isn't provided, the module will try to create a random
|
||||
page on the SandBox space. The modules has been tested successfully on
|
||||
page on the SandBox space. The module has been tested successfully on
|
||||
TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.
|
||||
},
|
||||
'Author' =>
|
||||
|
|
|
@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
be used to bypass the session check as long as at least one session has been
|
||||
created at some point in time. In case there isn't any valid session, the user can
|
||||
provide astGUIcient credentials in order to create one. The results of the injected
|
||||
command are returned as part of the response from the web server. Affected versions
|
||||
commands are returned as part of the response from the web server. Affected versions
|
||||
include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The
|
||||
default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
|
||||
},
|
||||
|
|
|
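Review bot: The context line "provide astGUIcient credentials in order to create one" still contains a garbled word directly above the line being corrected. If the Vicidial client name astGUIclient is what was meant, it should be spelled that way; otherwise the intended word needs to be restored. This is more confusing to a reader than the singular/plural fix made here.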
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits an arbitrary command execution vulnerability in Webmin
|
||||
1.580. The vulnerability exists in the /file/show.cgi component and allows an
|
||||
authenticated user, with access to the File Manager Module, to execute arbitrary
|
||||
commands with root privileges. The module has been tested successfully with Webim
|
||||
commands with root privileges. The module has been tested successfully with Webmin
|
||||
1.580 over Ubuntu 10.04.
|
||||
},
|
||||
'Author' => [
|
||||
|
|
|
@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
blogging software plugin known as Google Document Embedder. The vulnerability allows for
|
||||
database credential disclosure via the /libs/pdf.php script. The Google Document Embedder
|
||||
plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL
|
||||
server is exposed on a accessible IP and Wordpress has filesystem write access.
|
||||
server is exposed on an accessible IP and WordPress has filesystem write access.
|
||||
|
||||
Please note: The admin password may get changed if the exploit does not run to the end.
|
||||
},
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in the the WordPress theme OptimizePress. The
|
||||
This module exploits a vulnerability found in the WordPress theme OptimizePress. The
|
||||
vulnerability is due to an insecure file upload on the media-upload.php component, allowing
|
||||
an attacker to upload arbitrary PHP code. This module has been tested successfully on
|
||||
OptimizePress 1.45.
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
The WordPress Theme "platform" contains a remote code execution vulnerability
|
||||
through an unchecked admin_init call. The theme includes the uploaded file
|
||||
from it's temp filename with php's include function.
|
||||
from its temp filename with php's include function.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -12,14 +12,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def initialize(info = {})
|
||||
super(update_info(
|
||||
info,
|
||||
'Name' => 'Wordpress WPTouch Authenticated File Upload',
|
||||
'Name' => 'WordPress WPTouch Authenticated File Upload',
|
||||
'Description' => %q{
|
||||
The Wordpress WPTouch plugin contains an auhtenticated file upload
|
||||
The WordPress WPTouch plugin contains an authenticated file upload
|
||||
vulnerability. A wp-nonce (CSRF token) is created on the backend index
|
||||
page and the same token is used on handling ajax file uploads through
|
||||
the plugin. By sending the captured nonce with the upload, we can
|
||||
upload arbitrary files to the upload folder. Because the plugin also
|
||||
uses it's own file upload mechanism instead of the wordpress api it's
|
||||
uses its own file upload mechanism instead of the WordPress api it's
|
||||
possible to upload any file type.
|
||||
The user provided does not need special rights, and users with "Contributor"
|
||||
role can be abused.
|
||||
|
|
|
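Review bot: On the corrected line "uses its own file upload mechanism instead of the WordPress api it's possible to upload any file type", "api" should be "API" and a comma is needed before "it's" to separate the clauses. Since this pass already normalises "WordPress", finishing the sentence here avoids a third round on the same line.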
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a vulnerability found in ZPanel's htpasswd module. When
|
||||
creating .htaccess using the htpasswd module, the username field can be used to
|
||||
inject system commands, which is passed on to a system() function for executing
|
||||
the system's htpasswd's command.
|
||||
the system's htpasswd command.
|
||||
|
||||
Please note: In order to use this module, you must have a valid account to login
|
||||
to ZPanel. An account part of any of the default groups should suffice, such as:
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'CA BrightStor ArcServe Media Service Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA
|
||||
BrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker
|
||||
BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker
|
||||
can overflow a stack buffer and execute arbitrary code.
|
||||
},
|
||||
'Author' => [ 'toto' ],
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in the ActiveX component of Adobe
|
||||
Flash Player before 11.5.502.149. By supplying a specially crafted swf file
|
||||
with special regex value, it is possible to trigger an memory corruption, which
|
||||
with special regex value, it is possible to trigger a memory corruption, which
|
||||
results in remote code execution under the context of the user, as exploited in
|
||||
the wild in February 2013. This module has been tested successfully with Adobe
|
||||
Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
|
||||
'Description' => %q{
|
||||
This module exploits an unintialized memory vulnerability in Adobe Flash Player. The
|
||||
This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The
|
||||
vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails
|
||||
to initialize allocated memory. When using a correct memory layout this vulnerability
|
||||
leads to a ByteArray object corruption, which can be abused to access and corrupt memory.
|
||||
|
|
|
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
NOTE: This module uses a similar DEP bypass method to that used within the
|
||||
adobe_libtiff module. This method is unlikely to work across various
|
||||
Windows versions due a the hardcoded syscall number.
|
||||
Windows versions due a hardcoded syscall number.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
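Review bot: The corrected line reads "Windows versions due a hardcoded syscall number." Removing "the" fixed the doubled article but the preposition is still missing; it should be "due to a hardcoded syscall number".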
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a flaw in the handling of AOL Instant
|
||||
Messenger's 'goaway' URI handler. An attacker can execute
|
||||
arbitrary code by supplying a overly sized buffer as the
|
||||
arbitrary code by supplying an overly sized buffer as the
|
||||
'message' parameter. This issue is known to affect AOL Instant
|
||||
Messenger 5.5.
|
||||
},
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.
|
||||
An attacker may be able to excute arbitrary code by sending an overly
|
||||
An attacker may be able to execute arbitrary code by sending an overly
|
||||
long string to the "ShortFormat()" method in askbar.dll.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX
|
||||
control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing
|
||||
control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing
|
||||
an overly long string to the method "OnBeforeVideoDownload" an attacker can execute
|
||||
arbitrary code.
|
||||
},
|
||||
|
|
|
@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module allows remote attackers to place arbitrary files on a users file system
|
||||
by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX
|
||||
Control (BIImgFrm.ocx 12.0.0.0). Code exeuction can be acheived by first uploading the
|
||||
Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the
|
||||
payload to the remote machine, and then upload another mof file, which enables Windows
|
||||
Management Instrumentation service to execute the binary. Please note that this module
|
||||
currently only works for Windows before Vista. Also, a similar issue is reported in
|
||||
|
|
|
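Review bot: The first description line still has "a users file system", which needs the possessive "user's". The sentence containing the fix also changes tense midway: "by first uploading the payload to the remote machine, and then upload another mof file". Suggest "and then uploading a MOF file".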
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll
|
||||
ActiveX Control provided by CommuniCrypt Mail 1.16. By sending a overly
|
||||
ActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly
|
||||
long string to the "AddAttachments()" method, an attacker may be able to
|
||||
execute arbitrary code.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl
|
||||
ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long
|
||||
ActiveX Control (NPSnpy.dll 1.1.0.36. When sending an overly long
|
||||
string to the CheckRequirements() method, an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
|
|
|
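Review bot: The corrected line "ActiveX Control (NPSnpy.dll 1.1.0.36. When sending an overly long" still has an unclosed parenthesis after the version number. It should read "(NPSnpy.dll 1.1.0.36). When sending ...".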
@ -13,11 +13,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "Honeywell Tema Remote Installer ActiveX Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This modules exploits a vulnerability found in the Honewell Tema ActiveX Remote
|
||||
This module exploits a vulnerability found in the Honeywell Tema ActiveX Remote
|
||||
Installer. This ActiveX control can be abused by using the DownloadFromURL()
|
||||
function to install an arbitrary MSI from a remote location without checking source
|
||||
authenticity or user notification. This module has been tested successfully with
|
||||
the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and
|
||||
the Remote Installer ActiveX installed with Honeywell EBI R410.1 - TEMA 5.3.0 and
|
||||
Internet Explorer 6, 7 and 8 on Windows XP SP3.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -30,8 +30,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
The vulnerability is found in the "RunAndUploadFile" method
|
||||
where the "OtherFields" parameter with user controlled data
|
||||
is used to build a "Content-Dispoition" header and attach
|
||||
contents in a insecure way which allows to overflow a buffer
|
||||
is used to build a "Content-Disposition" header and attach
|
||||
contents in an insecure way which allows to overflow a buffer
|
||||
in the stack.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control',
|
||||
'Description' => %q{
|
||||
This module exploits a stack based buffer overflow in the Active control file
|
||||
ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles()
|
||||
ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()
|
||||
method. Exploitation results in code execution with the privileges of the user who
|
||||
browsed to the exploit page.
|
||||
|
||||
|
|
|
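Review bot: The first description line says "in the Active control file ImageViewer2.OCX" while the 'Name' field calls it an "ActiveX Control", so "Active" looks like a truncated "ActiveX" that this pass missed. "stack based buffer overflow" would also normally be hyphenated as "stack-based".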
@ -27,9 +27,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00
|
||||
SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long
|
||||
SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long
|
||||
string argument for the InternationalSeparator() method of the ISSymbol control.
|
||||
This modules uses the msvcr71.dll form the Java JRE6 to bypass ASLR.
|
||||
This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
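Review bot: The corrected line "This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR." fixes "modules" but leaves "form", which should be "from". The other changed line in this hunk looks identical before and after, so it is presumably whitespace-only; worth confirming that was intended.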
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
|
||||
'Description' => %q{
|
||||
This module exploits an uninitialized variable vulnerability in the
|
||||
Annotation Objects ActiveX component. The activeX component loads into memory without
|
||||
Annotation Objects ActiveX component. The ActiveX component loads into memory without
|
||||
opting into ALSR so this module exploits the vulnerability against windows Vista and
|
||||
Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
|
||||
points to part of the ROP chain in a heap chunk and the calculated call will hit the
|
||||
|
|
|
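Review bot: The context line right after the changed one still has "opting into ALSR" and lowercase "windows Vista". Since the neighbouring line is being corrected anyway, change these to "ASLR" and "Windows Vista" so the description is consistent with the "Windows 7" that follows.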
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Sun Java Web Start Double Quote Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a flaw in the Web Start component of the Sun Java
|
||||
Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP
|
||||
Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP
|
||||
file can contain a double quote which is not properly sanitized when creating
|
||||
the command line for javaw.exe. This allows the injection of the -XXaltjvm
|
||||
option to load a jvm.dll from a remote UNC path into the java process. Thus
|
||||
|
|
|
@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
allows an attacker to execute arbitrary code in the context of an unsuspecting
|
||||
browser user.
|
||||
|
||||
In order for this module to work, it must be ran as root on a server that
|
||||
In order for this module to work, it must be run as root on a server that
|
||||
does not serve SMB. Additionally, the target host must have the WebClient
|
||||
service (WebDAV Mini-Redirector) enabled.
|
||||
},
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX
|
||||
Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.
|
||||
By sending a overly long string to the "Install()" method, an attacker may be
|
||||
By sending an overly long string to the "Install()" method, an attacker may be
|
||||
able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Logitech VideoCall ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX
|
||||
Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the
|
||||
Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the
|
||||
"Start()" method, an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Macrovision InstallShield Update Service ActiveX Unsafe Method',
|
||||
'Description' => %q{
|
||||
This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008.
|
||||
This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'MC' ],
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
|
||||
'Description' => %q{
|
||||
This modules exploits a vulnerability found in McAfee Virtual Technician's
|
||||
This module exploits a vulnerability found in McAfee Virtual Technician's
|
||||
MVTControl. This ActiveX control can be abused by using the GetObject() function
|
||||
to load additional unsafe classes such as WScript.Shell, therefore allowing remote
|
||||
code execution under the context of the user.
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'McAfee Visual Trace ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX
|
||||
Control (NeoTraceExplorer.dll 1.0.0.1). By sending a overly long string to the
|
||||
Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the
|
||||
"TraceTarget()" method, an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found on Firefox 17.0.6, specifically an use
|
||||
after free of a DocumentViewerImpl object, triggered via an specially crafted web
|
||||
This module exploits a vulnerability found on Firefox 17.0.6, specifically a use
|
||||
after free of a DocumentViewerImpl object, triggered via a specially crafted web
|
||||
page using onreadystatechange events and the window.stop() API, as exploited in the
|
||||
wild on 2013 August to target Tor Browser users.
|
||||
},
|
||||
|
|
|
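Review bot: The trailing context line "wild on 2013 August to target Tor Browser users." still has an awkward date, and the added line keeps "found on Firefox 17.0.6". Suggest "found in Firefox 17.0.6" and "in the wild in August 2013" while the articles are being fixed.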
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits an use after free vulnerability in Mozilla
|
||||
This module exploits a use after free vulnerability in Mozilla
|
||||
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
|
||||
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
|
||||
becomes a dangling pointer and can be reused when setting the OBJECTs
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
|
||||
array object is configured with a large length value, the reduceRight() method
|
||||
may cause an invalid index being used, allowing abitrary remote code execution.
|
||||
may cause an invalid index being used, allowing arbitrary remote code execution.
|
||||
Please note that the exploit requires a longer amount of time (compare to a
|
||||
typical browser exploit) in order to gain control of the machine.
|
||||
},
|
||||
|
|
|
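Review bot: The added line fixes "abitrary" but keeps "may cause an invalid index being used", and the next context line keeps "(compare to a typical browser exploit)". Suggest "may cause an invalid index to be used" and "(compared to a typical browser exploit)".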
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'MS06-013 Microsoft Internet Explorer createTextRange() Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a code execution vulnerability in Microsoft Internet Explorer.
|
||||
Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under
|
||||
Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under
|
||||
certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point
|
||||
to a very remote, non-existent memory location. This module is the result of merging three
|
||||
different exploit submissions and has only been reliably tested against Windows XP SP2.
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling',
|
||||
'Description' => %q{
|
||||
This module exploits a code execution vulnerability in Microsoft XML Core Services which
|
||||
exists in the XMLHTTP ActiveX control. This module is the modifed version of
|
||||
exists in the XMLHTTP ActiveX control. This module is the modified version of
|
||||
http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully
|
||||
tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6
|
||||
+ Microsoft XML Core Services 4.0 SP2.
|
||||
|
|
|
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a code execution vulnerability that occurs when a user
|
||||
presses F1 on MessageBox originated from VBscript within a web page. When the
|
||||
user hits F1, the MessageBox help functionaility will attempt to load and use
|
||||
user hits F1, the MessageBox help functionality will attempt to load and use
|
||||
a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.
|
||||
|
||||
This particular version of the exploit implements a WebDAV server that will
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overlow in l3codecx.ax while processing a
|
||||
This module exploits a buffer overflow in l3codecx.ax while processing a
|
||||
AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite
|
||||
with 0's so the three least significant bytes of EIP saved on stack are
|
||||
overwritten and shellcode is mapped using the .NET DLL memory technique pioneered
|
||||
|
|
|
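Review bot: The added line ends with "while processing a" and the next context line starts with "AVI files", so the corrected sentence still reads "processing a AVI files". Drop the article ("while processing AVI files"). The same context line's "only allows to overwrite with 0's" could become "only allows overwriting with 0's".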
@ -22,12 +22,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption',
|
||||
'Description' => %q{
|
||||
Thie module exploits a memory corruption vulnerability within Microsoft's
|
||||
This module exploits a memory corruption vulnerability within Microsoft's
|
||||
HTML engine (mshtml). When parsing an HTML page containing a specially
|
||||
crafted CSS tag, memory corruption occurs that can lead arbitrary code
|
||||
execution.
|
||||
|
||||
It seems like Microsoft code inadvertantly increments a vtable pointer to
|
||||
It seems like Microsoft code inadvertently increments a vtable pointer to
|
||||
point to an unaligned address within the vtable's function pointers. This
|
||||
leads to the program counter being set to the address determined by the
|
||||
address "[vtable+0x30+1]". The particular address depends on the exact
|
||||
|
|
|
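Review bot: The context line "crafted CSS tag, memory corruption occurs that can lead arbitrary code" between the two corrected lines is missing a word; it should read "can lead to arbitrary code execution". It sits inside this hunk, so it is cheap to fix here.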
@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child
|
||||
of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger
|
||||
"onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer
|
||||
object can be forced by using an "Unslect" (other approaches also apply), but a reference
|
||||
object can be forced by using an "Unselect" (other approaches also apply), but a reference
|
||||
of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after
|
||||
the CDoc::GetLineInfo call, because it is still trying to use that to update
|
||||
CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX
|
||||
Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.
|
||||
By sending a overly long string to the "Get()" method, an attacker may be
|
||||
By sending an overly long string to the "Get()" method, an attacker may be
|
||||
able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
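Review bot: The context line above the change gives the file name as "ISLAert.dll", which looks like a transposition given the control is named ISAlertDataCOM. Please check the spelling against the actual DLL name and correct it in this pass if it is a typo.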
@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "IBM Lotus Notes Client URL Handler Command Injection",
|
||||
'Description' => %q{
|
||||
This modules exploits a command injection vulnerability in the URL handler for
|
||||
This module exploits a command injection vulnerability in the URL handler for
|
||||
for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
|
||||
an specially crafted notes:// URL to execute arbitrary commands with also arbitrary
|
||||
a specially crafted notes:// URL to execute arbitrary commands with also arbitrary
|
||||
arguments. This module has been tested successfully on Windows XP SP3 with IE8,
|
||||
Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
|
||||
},
|
||||
|
|
|
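Review bot: The first added line ends with "in the URL handler for" and the following context line begins "for the IBM Lotus Notes Client", so the description still contains a doubled "for for" across the line break. Remove one of them. The second added line's "with also arbitrary arguments" would read better as "with arbitrary arguments".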
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).
|
||||
Oracle Document Capture 10g comes bundled with a third party ActiveX control
|
||||
emsmtp.dll (6.0.1.0). When passing a overly long string to the method "SubmitToExpress"
|
||||
emsmtp.dll (6.0.1.0). When passing an overly long string to the method "SubmitToExpress"
|
||||
an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This modules exploits a vulnerability found in the Oracle WebCenter Content
|
||||
This module exploits a vulnerability found in the Oracle WebCenter Content
|
||||
CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where
|
||||
user controlled input is used to call ShellExecuteExW(). This module abuses the
|
||||
control to execute an arbitrary HTA from a remote location. This module has been
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Orbit Downloader Connecting Log Creation Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an
|
||||
attacker serves up a malicious web site, abritrary code may be executed.
|
||||
attacker serves up a malicious web site, arbitrary code may be executed.
|
||||
The PAYLOAD windows/shell_bind_tcp works best.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in Real Networks Acrade Game's ActiveX control. The "exec"
|
||||
This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. The "exec"
|
||||
function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands
|
||||
on the victim machine.
|
||||
},
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a initialization flaw within RealPlayer 11/11.1 and
|
||||
This module exploits an initialization flaw within RealPlayer 11/11.1 and
|
||||
RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object
|
||||
initialization failure. However, this failure is improperly handled and
|
||||
uninitialized memory executed.
|
||||
|
|
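Review bot: The last context line of this hunk, "uninitialized memory executed.", is missing its verb. Suggest "and uninitialized memory is executed." so the sentence started on the previous line parses.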