Land #8940, @h00die's second round of desc fixes

One ninja edit along the way as well.
bug/bundler_fix
Tod Beardsley 2017-09-11 13:05:13 -05:00
commit 5f66b7eb1a
No known key found for this signature in database
GPG Key ID: 08B5B91DC85943FE
76 changed files with 87 additions and 87 deletions

@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
file uploads and handles zip file contents in a insecure way. By combining both weaknesses, file uploads and handles zip file contents in an insecure way. By combining both weaknesses,
a remote attacker can accomplish remote code execution. Note that this will only work if the a remote attacker can accomplish remote code execution. Note that this will only work if the
target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
against null byte injection in file names. This module has been tested successfully on version against null byte injection in file names. This module has been tested successfully on version
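Review bot: subject-verb agreement is still off on the line 'target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection', which is unchanged on both sides of this hunk; the compound subject 'Java 7u40 and above' takes 'introduce'. Since this commit is a description cleanup pass, suggest 'as Java 7u40 and above introduce a protection against null byte injection in file names'.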

@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
Note: You have the option to use the authentication bypass or not since it requires Note: You have the option to use the authentication bypass or not since it requires
that the server is rebooted. The password reset will render the authentication useless. that the server is rebooted. The password reset will render the authentication useless.
Typically, if an administrator cant login, they will bounce the box. Therefore, this Typically, if an administrator cant login, they will bounce the box. Therefore, this
module performs a heart beat request until the box is bounced and then attempts to login module performs a heartbeat request until the box is bounced and then attempts to login
and to perform the command injection. This module has been tested on version 2.6.1062r1 and to perform the command injection. This module has been tested on version 2.6.1062r1
of the appliance. of the appliance.
}, },
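Review bot: two leftovers on this hunk. The context line 'Typically, if an administrator cant login, they will bounce the box' is missing the apostrophe in 'can't', and 'login' is used as a verb both there and on the changed line 'then attempts to login'; the verb is two words. Suggest 'if an administrator can't log in' and 'then attempts to log in and perform the command injection'.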

@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated
by the vendor. by the vendor.
Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it Although the mitigation in place will prevent uptime_file_upload_1.rb from working, it
can still be bypassed and gain privilege escalation, and allows the attacker to upload file can still be bypassed and gain privilege escalation, and allows the attacker to upload file
again, and execute arbitrary commands. again, and execute arbitrary commands.
}, },
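Review bot: the sentence beginning 'Although the mitigation in place will prevent uptime_file_upload_1.rb from working, it' is still ungrammatical after the typo fix: 'it can still be bypassed and gain privilege escalation, and allows the attacker to upload file again' switches subject mid-clause and drops an article. Suggest 'it can still be bypassed to gain privilege escalation, which allows the attacker to upload a file again and execute arbitrary commands.'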

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
vTiger CRM allows an authenticated user to upload files to embed within documents. vTiger CRM allows an authenticated user to upload files to embed within documents.
Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP
script and execute aribtrary PHP code remotely. script and execute arbitrary PHP code remotely.
This module was tested against vTiger CRM v5.4.0 and v5.3.0. This module was tested against vTiger CRM v5.4.0 and v5.3.0.
}, },

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload', 'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
'Description' => %q{ 'Description' => %q{
vTiger CRM allows an user to bypass authentication when requesting SOAP services. vTiger CRM allows a user to bypass authentication when requesting SOAP services.
In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
service. By combining both vulnerabilities an attacker can upload and execute PHP service. By combining both vulnerabilities an attacker can upload and execute PHP
code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found in WebPageTest's Upload Feature. By This module exploits a vulnerability found in WebPageTest's Upload Feature. By
default, the resultimage.php file does not verify the user-supplied item before default, the resultimage.php file does not verify the user-supplied item before
saving it to disk, and then places this item in the web directory accessable by saving it to disk, and then places this item in the web directory accessible by
remote users. This flaw can be abused to gain remote code execution. remote users. This flaw can be abused to gain remote code execution.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found in WikkaWiki. When the spam logging This module exploits a vulnerability found in WikkaWiki. When the spam logging
feature is enabled, it is possible to inject PHP code into the spam log file via the feature is enabled, it is possible to inject PHP code into the spam log file via the
UserAgent header , and then request it to execute our payload. There are at least UserAgent header, and then request it to execute our payload. There are at least
three different ways to trigger spam protection, this module does so by generating three different ways to trigger spam protection, this module does so by generating
10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).
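Review bot: the change only drops the stray space before the comma, but the header name on that same line is still 'UserAgent', whereas the HTTP header is spelled 'User-Agent'. The next sentence, 'There are at least three different ways to trigger spam protection, this module does so by generating', is also a comma splice; suggest a semicolon or a full stop after 'spam protection'.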

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution', 'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a post-auth vulnerability found in X7 Chat versions This module exploits a post-auth vulnerability found in X7 Chat versions
2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which 2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
uses preg_replace() function with the /e modifier. This allows a remote uses preg_replace() function with the /e modifier. This allows a remote
authenticated attacker to execute arbitrary PHP code in the remote machine. authenticated attacker to execute arbitrary PHP code in the remote machine.
}, },
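Review bot: 'uses preg_replace() function with the /e modifier' on the third description line is missing an article ('uses the preg_replace() function'), and 'execute arbitrary PHP code in the remote machine' on the following line should read 'on the remote machine'. Both are in this hunk's context and could be folded into the same cleanup.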

@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
ZABBIX allows an administrator to create scripts that will be run on hosts. ZABBIX allows an administrator to create scripts that will be run on hosts.
An authenticated attacker can create a script containing a payload, then a host An authenticated attacker can create a script containing a payload, then a host
with an IP of 127.0.0.1 and run the abitrary script on the ZABBIX host. with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.
This module was tested againt Zabbix v2.0.9. This module was tested against Zabbix v2.0.9.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
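Review bot: product casing is inconsistent within this one description: 'ZABBIX allows an administrator' and 'on the ZABBIX host' on the unchanged lines versus 'tested against Zabbix v2.0.9' on the changed line. Pick one spelling (the vendor writes 'Zabbix') and apply it to all three.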

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Novell ZENworks Configuration Management Remote Execution', 'Name' => 'Novell ZENworks Configuration Management Remote Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a code execution flaw in Novell ZENworks Configuration This module exploits a code execution flaw in Novell ZENworks Configuration
Management 10 SP3 and 11 SP2. The vulnerability exists in the ZEnworks Control Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control
Center application, allowing an unauthenticated attacker to upload a malicious file Center application, allowing an unauthenticated attacker to upload a malicious file
outside of the TEMP directory and then make a second request that allows for outside of the TEMP directory and then make a second request that allows for
arbitrary code execution. This module has been tested successfully on Novell arbitrary code execution. This module has been tested successfully on Novell

@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Zpanel Remote Unauthenticated RCE', 'Name' => 'Zpanel Remote Unauthenticated RCE',
'Description' => %q{ 'Description' => %q{
This module exploits an information disclosure vulnerability This module exploits an information disclosure vulnerability
in Zpanel. The vulnerability is due to a vulnerable version in ZPanel. The vulnerability is due to a vulnerable version
of pChart used by ZPanel that allows unauthenticated users to read of pChart used by ZPanel that allows unauthenticated users to read
arbitrary files remotely on the file system. This particular module arbitrary files remotely on the file system. This particular module
utilizes this vulnerability to identify the username/password utilizes this vulnerability to identify the username/password
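Review bot: the fix changes 'in Zpanel' to 'in ZPanel' in the description, but the 'Name' context line two lines above still reads 'Zpanel Remote Unauthenticated RCE'; the module title is what users see in search output, so it should get the same casing.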

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution', 'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution',
'Description' => %q{ 'Description' => %q{
This module abuses the "RunScript" procedure provided by the SOAP interface of This module abuses the "RunScript" procedure provided by the SOAP interface of
Adobe InDesign Server, to execute abritary vbscript (Windows) or applescript(OSX). Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).
The exploit drops the payload on the server and must be removed manually. The exploit drops the payload on the server and must be removed manually.
}, },
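Review bot: the 'Name' line 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution' still disagrees with the description's 'Adobe InDesign Server'. On the changed line, 'vbscript' and 'applescript' are product names (VBScript, AppleScript), and 'OSX' is written 'OS X' in the other Mac module descriptions touched by this same commit.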

@ -12,13 +12,13 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Legend Perl IRC Bot Remote Code Execution', 'Name' => 'Legend Perl IRC Bot Remote Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a remote command execution on the Legend Perl IRC Bot . This module exploits a remote command execution on the Legend Perl IRC Bot.
This bot has been used as a payload in the Shellshock spam last October 2014. This bot has been used as a payload in the Shellshock spam last October 2014.
This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
UDP flooding, the ability to remove system logs, and ability to gain root, and UDP flooding, the ability to remove system logs, and ability to gain root, and
VNC scanning. VNC scanning.
Kevin Stevens, a Senior Threat Researcher at Damballa has uploaded this script Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script
to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76. to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
}, },
'Author' => 'Author' =>
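Review bot: 'a md5 of 11a9f1589472efa719827079c3d13f76' on the last description line wants 'an MD5' (the acronym is read letter by letter and is conventionally uppercase). The feature list two lines above also loses parallelism at 'the ability to remove system logs, and ability to gain root, and VNC scanning'; suggest 'the ability to remove system logs, the ability to gain root, and VNC scanning'.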

@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
In order to trigger arbitrary remote code execution, the best way seems to In order to trigger arbitrary remote code execution, the best way seems to
be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or
a fileformat that OS X might automount), and then execute it in /Volumes/[share]. a file format that OS X might automount), and then execute it in /Volumes/[share].
If there's some kind of bug that leaks the victim machine's current username, If there's some kind of bug that leaks the victim machine's current username,
then it's also possible to execute the payload in /Users/[username]/Downloads/, then it's also possible to execute the payload in /Users/[username]/Downloads/,
or else bruteforce your way to getting that information. or else bruteforce your way to getting that information.
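Review bot: 'SMB/WebDav/FTP' on the context line above the fix should be 'WebDAV' (the protocol name is an acronym), and 'bruteforce your way' on the last line is normally hyphenated when used as a verb ('brute-force your way').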

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack buffer overflow in the web server provided with the EvoCam This module exploits a stack buffer overflow in the web server provided with the EvoCam
program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload
from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,
3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerablity. 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.
}, },
'Author' => 'Author' =>
[ [

@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
Note: If the user has locked the Date/Time preferences, requests to overwrite Note: If the user has locked the Date/Time preferences, requests to overwrite
the system clock will be ignored, and the module will silently fail. However, the system clock will be ignored, and the module will silently fail. However,
if the "Require an administrator password to access locked preferences" setting if the "Require an administrator password to access locked preferences" setting
is not enabled, the Date/Time preferences are often unlocked everytime the admin is not enabled, the Date/Time preferences are often unlocked every time the admin
logs in, so you can install persistence and wait for a chance later. logs in, so you can install persistence and wait for a chance later.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability', 'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',
'Description' => %q{ 'Description' => %q{
This module exploits the argument injection vulnerabilty This module exploits the argument injection vulnerability
in the telnet daemon (in.telnetd) of Solaris 10 and 11. in the telnet daemon (in.telnetd) of Solaris 10 and 11.
}, },
'Author' => [ 'MC' ], 'Author' => [ 'MC' ],

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'LifeSize Room Command Injection', 'Name' => 'LifeSize Room Command Injection',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerable resource in LifeSize This module exploits a vulnerable resource in LifeSize
Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize
Room is an appliance and thus the environment is limited Room is an appliance and thus the environment is limited
resulting in a small set of payload options. resulting in a small set of payload options.
}, },

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Local
info, info,
'Name' => 'at(1) Persistence', 'Name' => 'at(1) Persistence',
'Description' => %q( 'Description' => %q(
This module achieves persisience by executing payloads via at(1). This module achieves persistence by executing payloads via at(1).
), ),
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>

@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DisclosureDate' => 'Jan 18 2013', 'DisclosureDate' => 'Jan 18 2013',
'Description' => %q( 'Description' => %q(
The login component of the Polycom Command Shell on Polycom HDX The login component of the Polycom Command Shell on Polycom HDX
video endpints, running software versions 3.0.5 and earlier, video endpoints, running software versions 3.0.5 and earlier,
is vulnerable to an authorization bypass when simultaneous is vulnerable to an authorization bypass when simultaneous
connections are made to the service, allowing remote network connections are made to the service, allowing remote network
attackers to gain access to a sandboxed telnet prompt without attackers to gain access to a sandboxed telnet prompt without

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By
supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary
commands under root priviages. commands under root privileges.
}, },
'Author' => 'Author' =>
[ [

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits an arbitrary command execution vulnerability in the This module exploits an arbitrary command execution vulnerability in the
AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
payloads are recommended with this module. The vulnerability is only payloads are recommended with this module. The vulnerability is only
present when AllowToUpdateStatsFromBrowser is enabled in the AWstats present when AllowToUpdateStatsFromBrowser is enabled in the AWStats
configuration file (non-default). configuration file (non-default).
}, },
'Author' => [ 'patrick' ], 'Author' => [ 'patrick' ],

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Barracuda IMG.PL Remote Command Execution', 'Name' => 'Barracuda IMG.PL Remote Command Execution',
'Description' => %q{ 'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the This module exploits an arbitrary command execution vulnerability in the
Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable. Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
}, },
'Author' => [ 'Nicolas Gregoire <ngregoire[at]exaprobe.com>', 'hdm' ], 'Author' => [ 'Nicolas Gregoire <ngregoire[at]exaprobe.com>', 'hdm' ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and
possibly prior. Attackers can abuse the upload feature in order to upload a possibly prior. Attackers can abuse the upload feature in order to upload a
malicious PHP file without authentication, which results in arbitary remote code malicious PHP file without authentication, which results in arbitrary remote code
execution. execution.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Joomla Component JCE File Upload Remote Code Execution', 'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla!, which This module exploits a vulnerability in the JCE component for Joomla!, which
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
request, a remote attacker could exploit this vulnerability to upload a malicious PHP request, a remote attacker could exploit this vulnerability to upload a malicious PHP
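Review bot: the real grammar problem in this description sits on the unchanged lines, not the changed one: 'could allow an unauthenticated remote attacker to upload arbitrary files, caused by the fails to sufficiently sanitize user-supplied input' does not parse. Suggest 'caused by a failure to sufficiently sanitize user-supplied input', and 'Sending specially-crafted HTTP request' needs an article ('Sending a specially crafted HTTP request').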

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and
possibly prior. Attackers can bypass the file extension check and abuse the upload possibly prior. Attackers can bypass the file extension check and abuse the upload
feature in order to upload a malicious PHP file without authentication, which feature in order to upload a malicious PHP file without authentication, which
results in arbitary remote code execution. results in arbitrary remote code execution.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'PhpMyAdmin Config File Code Injection', 'Name' => 'PhpMyAdmin Config File Code Injection',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability in PhpMyAdmin's setup This module exploits a vulnerability in phpMyAdmin's setup
feature which allows an attacker to inject arbitrary PHP feature which allows an attacker to inject arbitrary PHP
code into a configuration file. The original advisory says code into a configuration file. The original advisory says
the vulnerability is present in phpMyAdmin versions 2.11.x the vulnerability is present in phpMyAdmin versions 2.11.x
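Review bot: the description now reads 'phpMyAdmin's setup feature', matching the existing 'phpMyAdmin versions 2.11.x' on the last line, but the 'Name' context line still reads 'PhpMyAdmin Config File Code Injection'. Suggest updating the title to 'phpMyAdmin' in the same pass so the module title and description agree.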

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a PHP code injection in SPIP. The vulnerability exists in the This module exploits a PHP code injection in SPIP. The vulnerability exists in the
connect parameter and allows an unauthenticated user to execute arbitrary commands connect parameter and allows an unauthenticated user to execute arbitrary commands
with web user privileges. Branchs 2.0, 2.1 and 3 are concerned. Vulnerable versions with web user privileges. Branches 2.0, 2.1 and 3 are concerned. Vulnerable versions
are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and
has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu
and Fedora linux distributions. and Fedora linux distributions.
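Review bot: 'Branches 2.0, 2.1 and 3 are concerned' on the changed line reads as a calque; 'are affected' is the usual wording. On the following lines the version bounds are spaced inconsistently ('<2.0.21, <2.1.16 and < 3.0.3'), and 'Fedora linux distributions' should capitalise 'Linux'.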

@ -17,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote
which could be abused to allow unauthenticated users to execute arbitrary code which could be abused to allow unauthenticated users to execute arbitrary code
under the context of the web server user. under the context of the web server user.
The issue comes with one of the 3rd party components. Name of that components is The issue comes with one of the 3rd party components. Name of that component is
ELFinder -version 2.0-. This components comes with default example page which ELFinder -version 2.0-. This component comes with default example page which
demonstrates file operations such as upload, remove, rename, create directory etc. demonstrates file operations such as upload, remove, rename, create directory etc.
Default configuration does not force validations such as file extension, content-type etc. Default configuration does not force validations such as file extension, content-type etc.
Thus, unauthenticated user can upload PHP file. Thus, unauthenticated user can upload PHP file.
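Review bot: the hunk fixes the number agreement on 'component' but leaves several missing articles in the same paragraph: 'comes with default example page', 'Default configuration does not force validations', and 'Thus, unauthenticated user can upload PHP file'. Suggest 'comes with a default example page', 'The default configuration does not enforce validations such as file extension or content-type', and 'Thus, an unauthenticated user can upload a PHP file'. The project writes its own name 'elFinder', and 'ELFinder -version 2.0-' would read more naturally as 'elFinder (version 2.0)'.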

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Tuleap PHP Unserialize Code Execution', 'Name' => 'Tuleap PHP Unserialize Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be This module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 which could be
abused to allow authenticated users to execute arbitrary code with the permissions of the abused to allow authenticated users to execute arbitrary code with the permissions of the
web server. The dangerous unserialize() call exists in the 'src/www/project/register.php' web server. The dangerous unserialize() call exists in the 'src/www/project/register.php'
file. The exploit abuses the destructor method from the Jabbex class in order to reach a file. The exploit abuses the destructor method from the Jabbex class in order to reach a

@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also,
if the 'TwikiPage' option isn't provided, the module will try to create a random if the 'TwikiPage' option isn't provided, the module will try to create a random
page on the SandBox space. The modules has been tested successfully on page on the SandBox space. The module has been tested successfully on
TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine. TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.
}, },
'Author' => 'Author' =>

@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
be used to bypass the session check as long as at least one session has been be used to bypass the session check as long as at least one session has been
created at some point in time. In case there isn't any valid session, the user can created at some point in time. In case there isn't any valid session, the user can
provide astGUIcient credentials in order to create one. The results of the injected provide astGUIcient credentials in order to create one. The results of the injected
command are returned as part of the response from the web server. Affected versions commands are returned as part of the response from the web server. Affected versions
include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The
default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit. default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
}, },
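Review bot: 'provide astGUIcient credentials' on the context line above the fix looks like a typo for 'astGUIclient', the name of the Vicidial web client; worth confirming against the module's references and correcting in this same cleanup pass.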

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits an arbitrary command execution vulnerability in Webmin This module exploits an arbitrary command execution vulnerability in Webmin
1.580. The vulnerability exists in the /file/show.cgi component and allows an 1.580. The vulnerability exists in the /file/show.cgi component and allows an
authenticated user, with access to the File Manager Module, to execute arbitrary authenticated user, with access to the File Manager Module, to execute arbitrary
commands with root privileges. The module has been tested successfully with Webim commands with root privileges. The module has been tested successfully with Webmin
1.580 over Ubuntu 10.04. 1.580 over Ubuntu 10.04.
}, },
'Author' => [ 'Author' => [

@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote
blogging software plugin known as Google Document Embedder. The vulnerability allows for blogging software plugin known as Google Document Embedder. The vulnerability allows for
database credential disclosure via the /libs/pdf.php script. The Google Document Embedder database credential disclosure via the /libs/pdf.php script. The Google Document Embedder
plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL
server is exposed on a accessible IP and Wordpress has filesystem write access. server is exposed on an accessible IP and WordPress has filesystem write access.
Please note: The admin password may get changed if the exploit does not run to the end. Please note: The admin password may get changed if the exploit does not run to the end.
}, },

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability', 'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found in the the WordPress theme OptimizePress. The This module exploits a vulnerability found in the WordPress theme OptimizePress. The
vulnerability is due to an insecure file upload on the media-upload.php component, allowing vulnerability is due to an insecure file upload on the media-upload.php component, allowing
an attacker to upload arbitrary PHP code. This module has been tested successfully on an attacker to upload arbitrary PHP code. This module has been tested successfully on
OptimizePress 1.45. OptimizePress 1.45.

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
The WordPress Theme "platform" contains a remote code execution vulnerability The WordPress Theme "platform" contains a remote code execution vulnerability
through an unchecked admin_init call. The theme includes the uploaded file through an unchecked admin_init call. The theme includes the uploaded file
from it's temp filename with php's include function. from its temp filename with php's include function.
}, },
'Author' => 'Author' =>
[ [
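Review bot: the changed line 'from its temp filename with php's include function' fixes the possessive but still lowercases the language name; suggest 'PHP's include function'.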

@ -12,14 +12,14 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info( super(update_info(
info, info,
'Name' => 'Wordpress WPTouch Authenticated File Upload', 'Name' => 'WordPress WPTouch Authenticated File Upload',
'Description' => %q{ 'Description' => %q{
The Wordpress WPTouch plugin contains an auhtenticated file upload The WordPress WPTouch plugin contains an authenticated file upload
vulnerability. A wp-nonce (CSRF token) is created on the backend index vulnerability. A wp-nonce (CSRF token) is created on the backend index
page and the same token is used on handling ajax file uploads through page and the same token is used on handling ajax file uploads through
the plugin. By sending the captured nonce with the upload, we can the plugin. By sending the captured nonce with the upload, we can
upload arbitrary files to the upload folder. Because the plugin also upload arbitrary files to the upload folder. Because the plugin also
uses it's own file upload mechanism instead of the wordpress api it's uses its own file upload mechanism instead of the WordPress api it's
possible to upload any file type. possible to upload any file type.
The user provided does not need special rights, and users with "Contributor" The user provided does not need special rights, and users with "Contributor"
role can be abused. role can be abused.
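Review bot: the changed line 'uses its own file upload mechanism instead of the WordPress api it's' fixes the possessive and the product casing but leaves 'api' lowercase; 'API' is the conventional form, as is 'AJAX' on the context line 'handling ajax file uploads through' two lines above.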

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a vulnerability found in ZPanel's htpasswd module. When This module exploits a vulnerability found in ZPanel's htpasswd module. When
creating .htaccess using the htpasswd module, the username field can be used to creating .htaccess using the htpasswd module, the username field can be used to
inject system commands, which is passed on to a system() function for executing inject system commands, which is passed on to a system() function for executing
the system's htpasswd's command. the system's htpasswd command.
Please note: In order to use this module, you must have a valid account to login Please note: In order to use this module, you must have a valid account to login
to ZPanel. An account part of any of the default groups should suffice, such as: to ZPanel. An account part of any of the default groups should suffice, such as:

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'CA BrightStor ArcServe Media Service Stack Buffer Overflow', 'Name' => 'CA BrightStor ArcServe Media Service Stack Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA
BrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker
can overflow a stack buffer and execute arbitrary code. can overflow a stack buffer and execute arbitrary code.
}, },
'Author' => [ 'toto' ], 'Author' => [ 'toto' ],
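Review bot: the unchanged 'Name' context line still spells the product `ArcServe` while the description line is changed to `ARCserve`; use one spelling in both places so the module name and description agree.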

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found in the ActiveX component of Adobe This module exploits a vulnerability found in the ActiveX component of Adobe
Flash Player before 11.5.502.149. By supplying a specially crafted swf file Flash Player before 11.5.502.149. By supplying a specially crafted swf file
with special regex value, it is possible to trigger an memory corruption, which with special regex value, it is possible to trigger a memory corruption, which
results in remote code execution under the context of the user, as exploited in results in remote code execution under the context of the user, as exploited in
the wild in February 2013. This module has been tested successfully with Adobe the wild in February 2013. This module has been tested successfully with Adobe
Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before

View File

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory', 'Name' => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
'Description' => %q{ 'Description' => %q{
This module exploits an unintialized memory vulnerability in Adobe Flash Player. The This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The
vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails
to initialize allocated memory. When using a correct memory layout this vulnerability to initialize allocated memory. When using a correct memory layout this vulnerability
leads to a ByteArray object corruption, which can be abused to access and corrupt memory. leads to a ByteArray object corruption, which can be abused to access and corrupt memory.

View File

@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
NOTE: This module uses a similar DEP bypass method to that used within the NOTE: This module uses a similar DEP bypass method to that used within the
adobe_libtiff module. This method is unlikely to work across various adobe_libtiff module. This method is unlikely to work across various
Windows versions due a the hardcoded syscall number. Windows versions due a hardcoded syscall number.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
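Review bot: the changed line `Windows versions due a hardcoded syscall number.` is still ungrammatical; it should read `due to a hardcoded syscall number`.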

View File

@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a flaw in the handling of AOL Instant This module exploits a flaw in the handling of AOL Instant
Messenger's 'goaway' URI handler. An attacker can execute Messenger's 'goaway' URI handler. An attacker can execute
arbitrary code by supplying a overly sized buffer as the arbitrary code by supplying an overly sized buffer as the
'message' parameter. This issue is known to affect AOL Instant 'message' parameter. This issue is known to affect AOL Instant
Messenger 5.5. Messenger 5.5.
}, },

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow', 'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53. This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.
An attacker may be able to excute arbitrary code by sending an overly An attacker may be able to execute arbitrary code by sending an overly
long string to the "ShortFormat()" method in askbar.dll. long string to the "ShortFormat()" method in askbar.dll.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow', 'Name' => 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX
control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing
an overly long string to the method "OnBeforeVideoDownload" an attacker can execute an overly long string to the method "OnBeforeVideoDownload" an attacker can execute
arbitrary code. arbitrary code.
}, },

View File

@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module allows remote attackers to place arbitrary files on a users file system This module allows remote attackers to place arbitrary files on a users file system
by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX
Control (BIImgFrm.ocx 12.0.0.0). Code exeuction can be acheived by first uploading the Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the
payload to the remote machine, and then upload another mof file, which enables Windows payload to the remote machine, and then upload another mof file, which enables Windows
Management Instrumentation service to execute the binary. Please note that this module Management Instrumentation service to execute the binary. Please note that this module
currently only works for Windows before Vista. Also, a similar issue is reported in currently only works for Windows before Vista. Also, a similar issue is reported in
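Review bot: the context line `place arbitrary files on a users file system` is missing the possessive apostrophe (`a user's file system`); worth fixing while this description is being touched.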

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow', 'Name' => 'CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll
ActiveX Control provided by CommuniCrypt Mail 1.16. By sending a overly ActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly
long string to the "AddAttachments()" method, an attacker may be able to long string to the "AddAttachments()" method, an attacker may be able to
execute arbitrary code. execute arbitrary code.
}, },

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow', 'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl
ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long ActiveX Control (NPSnpy.dll 1.1.0.36. When sending an overly long
string to the CheckRequirements() method, an attacker may be able string to the CheckRequirements() method, an attacker may be able
to execute arbitrary code. to execute arbitrary code.
}, },
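Review bot: the changed line `ActiveX Control (NPSnpy.dll 1.1.0.36. When sending an overly long` opens a parenthesis that is never closed; suggest `ActiveX Control (NPSnpy.dll 1.1.0.36). When sending an overly long`.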

View File

@ -13,11 +13,11 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => "Honeywell Tema Remote Installer ActiveX Remote Code Execution", 'Name' => "Honeywell Tema Remote Installer ActiveX Remote Code Execution",
'Description' => %q{ 'Description' => %q{
This modules exploits a vulnerability found in the Honewell Tema ActiveX Remote This module exploits a vulnerability found in the Honeywell Tema ActiveX Remote
Installer. This ActiveX control can be abused by using the DownloadFromURL() Installer. This ActiveX control can be abused by using the DownloadFromURL()
function to install an arbitrary MSI from a remote location without checking source function to install an arbitrary MSI from a remote location without checking source
authenticity or user notification. This module has been tested successfully with authenticity or user notification. This module has been tested successfully with
the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and the Remote Installer ActiveX installed with Honeywell EBI R410.1 - TEMA 5.3.0 and
Internet Explorer 6, 7 and 8 on Windows XP SP3. Internet Explorer 6, 7 and 8 on Windows XP SP3.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -30,8 +30,8 @@ class MetasploitModule < Msf::Exploit::Remote
The vulnerability is found in the "RunAndUploadFile" method The vulnerability is found in the "RunAndUploadFile" method
where the "OtherFields" parameter with user controlled data where the "OtherFields" parameter with user controlled data
is used to build a "Content-Dispoition" header and attach is used to build a "Content-Disposition" header and attach
contents in a insecure way which allows to overflow a buffer contents in an insecure way which allows to overflow a buffer
in the stack. in the stack.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control', 'Name' => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control',
'Description' => %q{ 'Description' => %q{
This module exploits a stack based buffer overflow in the Active control file This module exploits a stack based buffer overflow in the Active control file
ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles() ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()
method. Exploitation results in code execution with the privileges of the user who method. Exploitation results in code execution with the privileges of the user who
browsed to the exploit page. browsed to the exploit page.
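Review bot: the context line `stack based buffer overflow in the Active control file` should read `ActiveX control`, matching the 'Name' line in the same hunk.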

View File

@ -27,9 +27,9 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow", 'Name' => "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow",
'Description' => %q{ 'Description' => %q{
This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00 This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00
SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long
string argument for the InternationalSeparator() method of the ISSymbol control. string argument for the InternationalSeparator() method of the ISSymbol control.
This modules uses the msvcr71.dll form the Java JRE6 to bypass ASLR. This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
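Review bot: the changed line `This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.` fixes `modules` but leaves the typo `form`; it should be `from the Java JRE6`.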

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer', 'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
'Description' => %q{ 'Description' => %q{
This module exploits an uninitialized variable vulnerability in the This module exploits an uninitialized variable vulnerability in the
Annotation Objects ActiveX component. The activeX component loads into memory without Annotation Objects ActiveX component. The ActiveX component loads into memory without
opting into ALSR so this module exploits the vulnerability against windows Vista and opting into ALSR so this module exploits the vulnerability against windows Vista and
Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
points to part of the ROP chain in a heap chunk and the calculated call will hit the points to part of the ROP chain in a heap chunk and the calculated call will hit the
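Review bot: the context line `opting into ALSR so this module exploits the vulnerability against windows Vista and` still contains two typos, `ALSR` for `ASLR` and lowercase `windows`; since this hunk already touches the description, suggest fixing both.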

View File

@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Sun Java Web Start Double Quote Injection', 'Name' => 'Sun Java Web Start Double Quote Injection',
'Description' => %q{ 'Description' => %q{
This module exploits a flaw in the Web Start component of the Sun Java This module exploits a flaw in the Web Start component of the Sun Java
Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP
file can contain a double quote which is not properly sanitized when creating file can contain a double quote which is not properly sanitized when creating
the command line for javaw.exe. This allows the injection of the -XXaltjvm the command line for javaw.exe. This allows the injection of the -XXaltjvm
option to load a jvm.dll from a remote UNC path into the java process. Thus option to load a jvm.dll from a remote UNC path into the java process. Thus

View File

@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
allows an attacker to execute arbitrary code in the context of an unsuspecting allows an attacker to execute arbitrary code in the context of an unsuspecting
browser user. browser user.
In order for this module to work, it must be ran as root on a server that In order for this module to work, it must be run as root on a server that
does not serve SMB. Additionally, the target host must have the WebClient does not serve SMB. Additionally, the target host must have the WebClient
service (WebDAV Mini-Redirector) enabled. service (WebDAV Mini-Redirector) enabled.
}, },

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX
Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.
By sending a overly long string to the "Install()" method, an attacker may be By sending an overly long string to the "Install()" method, an attacker may be
able to execute arbitrary code. able to execute arbitrary code.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Logitech VideoCall ActiveX Control Buffer Overflow', 'Name' => 'Logitech VideoCall ActiveX Control Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX
Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the
"Start()" method, an attacker may be able to execute arbitrary code. "Start()" method, an attacker may be able to execute arbitrary code.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Macrovision InstallShield Update Service ActiveX Unsafe Method', 'Name' => 'Macrovision InstallShield Update Service ActiveX Unsafe Method',
'Description' => %q{ 'Description' => %q{
This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008. This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'MC' ], 'Author' => [ 'MC' ],

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability", 'Name' => "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
'Description' => %q{ 'Description' => %q{
This modules exploits a vulnerability found in McAfee Virtual Technician's This module exploits a vulnerability found in McAfee Virtual Technician's
MVTControl. This ActiveX control can be abused by using the GetObject() function MVTControl. This ActiveX control can be abused by using the GetObject() function
to load additional unsafe classes such as WScript.Shell, therefore allowing remote to load additional unsafe classes such as WScript.Shell, therefore allowing remote
code execution under the context of the user. code execution under the context of the user.

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'McAfee Visual Trace ActiveX Control Buffer Overflow', 'Name' => 'McAfee Visual Trace ActiveX Control Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX
Control (NeoTraceExplorer.dll 1.0.0.1). By sending a overly long string to the Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the
"TraceTarget()" method, an attacker may be able to execute arbitrary code. "TraceTarget()" method, an attacker may be able to execute arbitrary code.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free', 'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found on Firefox 17.0.6, specifically an use This module exploits a vulnerability found on Firefox 17.0.6, specifically a use
after free of a DocumentViewerImpl object, triggered via an specially crafted web after free of a DocumentViewerImpl object, triggered via a specially crafted web
page using onreadystatechange events and the window.stop() API, as exploited in the page using onreadystatechange events and the window.stop() API, as exploited in the
wild on 2013 August to target Tor Browser users. wild on 2013 August to target Tor Browser users.
}, },

View File

@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability', 'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability',
'Description' => %q{ 'Description' => %q{
This module exploits an use after free vulnerability in Mozilla This module exploits a use after free vulnerability in Mozilla
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECTs becomes a dangling pointer and can be reused when setting the OBJECTs

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
array object is configured with a large length value, the reduceRight() method array object is configured with a large length value, the reduceRight() method
may cause an invalid index being used, allowing abitrary remote code execution. may cause an invalid index being used, allowing arbitrary remote code execution.
Please note that the exploit requires a longer amount of time (compare to a Please note that the exploit requires a longer amount of time (compare to a
typical browser exploit) in order to gain control of the machine. typical browser exploit) in order to gain control of the machine.
}, },
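Review bot: the context line `requires a longer amount of time (compare to a` should read `(compared to a typical browser exploit)`; a small grammar fix that fits this description cleanup.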

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'MS06-013 Microsoft Internet Explorer createTextRange() Code Execution', 'Name' => 'MS06-013 Microsoft Internet Explorer createTextRange() Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a code execution vulnerability in Microsoft Internet Explorer. This module exploits a code execution vulnerability in Microsoft Internet Explorer.
Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under
certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point
to a very remote, non-existent memory location. This module is the result of merging three to a very remote, non-existent memory location. This module is the result of merging three
different exploit submissions and has only been reliably tested against Windows XP SP2. different exploit submissions and has only been reliably tested against Windows XP SP2.

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling', 'Name' => 'MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling',
'Description' => %q{ 'Description' => %q{
This module exploits a code execution vulnerability in Microsoft XML Core Services which This module exploits a code execution vulnerability in Microsoft XML Core Services which
exists in the XMLHTTP ActiveX control. This module is the modifed version of exists in the XMLHTTP ActiveX control. This module is the modified version of
http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully
tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6
+ Microsoft XML Core Services 4.0 SP2. + Microsoft XML Core Services 4.0 SP2.

View File

@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a code execution vulnerability that occurs when a user This module exploits a code execution vulnerability that occurs when a user
presses F1 on MessageBox originated from VBscript within a web page. When the presses F1 on MessageBox originated from VBscript within a web page. When the
user hits F1, the MessageBox help functionaility will attempt to load and use user hits F1, the MessageBox help functionality will attempt to load and use
a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.
This particular version of the exploit implements a WebDAV server that will This particular version of the exploit implements a WebDAV server that will

View File

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow', 'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a buffer overlow in l3codecx.ax while processing a This module exploits a buffer overflow in l3codecx.ax while processing a
AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite
with 0's so the three least significant bytes of EIP saved on stack are with 0's so the three least significant bytes of EIP saved on stack are
overwritten and shellcode is mapped using the .NET DLL memory technique pioneered overwritten and shellcode is mapped using the .NET DLL memory technique pioneered
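Review bot: the changed line `This module exploits a buffer overflow in l3codecx.ax while processing a` runs into `AVI files with MPEG Layer-3 audio contents`, so the article and plural disagree; suggest either `processing an AVI file` or `processing AVI files`.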

View File

@ -22,12 +22,12 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption', 'Name' => 'MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption',
'Description' => %q{ 'Description' => %q{
Thie module exploits a memory corruption vulnerability within Microsoft's This module exploits a memory corruption vulnerability within Microsoft's
HTML engine (mshtml). When parsing an HTML page containing a specially HTML engine (mshtml). When parsing an HTML page containing a specially
crafted CSS tag, memory corruption occurs that can lead arbitrary code crafted CSS tag, memory corruption occurs that can lead arbitrary code
execution. execution.
It seems like Microsoft code inadvertantly increments a vtable pointer to It seems like Microsoft code inadvertently increments a vtable pointer to
point to an unaligned address within the vtable's function pointers. This point to an unaligned address within the vtable's function pointers. This
leads to the program counter being set to the address determined by the leads to the program counter being set to the address determined by the
address "[vtable+0x30+1]". The particular address depends on the exact address "[vtable+0x30+1]". The particular address depends on the exact
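Review bot: the context line `crafted CSS tag, memory corruption occurs that can lead arbitrary code` is missing the preposition; it should read `can lead to arbitrary code execution`.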

View File

@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child
of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer
object can be forced by using an "Unslect" (other approaches also apply), but a reference object can be forced by using an "Unselect" (other approaches also apply), but a reference
of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after
the CDoc::GetLineInfo call, because it is still trying to use that to update the CDoc::GetLineInfo call, because it is still trying to use that to update
CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX
Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004. Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.
By sending a overly long string to the "Get()" method, an attacker may be By sending an overly long string to the "Get()" method, an attacker may be
able to execute arbitrary code. able to execute arbitrary code.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => "IBM Lotus Notes Client URL Handler Command Injection", 'Name' => "IBM Lotus Notes Client URL Handler Command Injection",
'Description' => %q{ 'Description' => %q{
This modules exploits a command injection vulnerability in the URL handler for This module exploits a command injection vulnerability in the URL handler for
for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
an specially crafted notes:// URL to execute arbitrary commands with also arbitrary a specially crafted notes:// URL to execute arbitrary commands with also arbitrary
arguments. This module has been tested successfully on Windows XP SP3 with IE8, arguments. This module has been tested successfully on Windows XP SP3 with IE8,
Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2. Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
}, },
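Review bot: the changed line ends with `in the URL handler for` and the next context line begins with `for the IBM Lotus Notes Client`, so the description still reads `for for`; drop one of them while this hunk is being edited.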

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0). This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).
Oracle Document Capture 10g comes bundled with a third party ActiveX control Oracle Document Capture 10g comes bundled with a third party ActiveX control
emsmtp.dll (6.0.1.0). When passing a overly long string to the method "SubmitToExpress" emsmtp.dll (6.0.1.0). When passing an overly long string to the method "SubmitToExpress"
an attacker may be able to execute arbitrary code. an attacker may be able to execute arbitrary code.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution", 'Name' => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution",
'Description' => %q{ 'Description' => %q{
This modules exploits a vulnerability found in the Oracle WebCenter Content This module exploits a vulnerability found in the Oracle WebCenter Content
CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where
user controlled input is used to call ShellExecuteExW(). This module abuses the user controlled input is used to call ShellExecuteExW(). This module abuses the
control to execute an arbitrary HTA from a remote location. This module has been control to execute an arbitrary HTA from a remote location. This module has been

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Orbit Downloader Connecting Log Creation Buffer Overflow', 'Name' => 'Orbit Downloader Connecting Log Creation Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an
attacker serves up a malicious web site, abritrary code may be executed. attacker serves up a malicious web site, arbitrary code may be executed.
The PAYLOAD windows/shell_bind_tcp works best. The PAYLOAD windows/shell_bind_tcp works best.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
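Review bot: the "abritrary" typo fix is fine, but the sentence "When an attacker serves up a malicious web site, arbitrary code may be executed" never says what the victim does or which code path overflows. The module 'Name' on the context line above calls this the "Connecting Log Creation Buffer Overflow", so one clause tying the malicious site to the log-creation path (the condition under which the overflow is reached) would make the description self-explanatory. "web site" could also become "website" to match current usage.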

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution', 'Name' => 'Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability in Real Networks Acrade Game's ActiveX control. The "exec" This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. The "exec"
function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands
on the victim machine. on the victim machine.
}, },
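Review bot: "Acrade" to "Arcade" is correct, but the corrected line still reads "Real Networks Arcade Game's ActiveX control" while the 'Name' context line above uses the plural product name "Real Networks Arcade Games". The possessive singular is inconsistent with that name; "the Real Networks Arcade Games ActiveX control" (or "Arcade Games'") would match it. Consider also "run arbitrary commands on the victim machine" -> "on the victim's machine", though that is minor.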

View File

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability', 'Name' => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability',
'Description' => %q{ 'Description' => %q{
This module exploits a initialization flaw within RealPlayer 11/11.1 and This module exploits an initialization flaw within RealPlayer 11/11.1 and
RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object
initialization failure. However, this failure is improperly handled and initialization failure. However, this failure is improperly handled and
uninitialized memory executed. uninitialized memory executed.
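Review bot: the "a" to "an initialization flaw" fix is right, but the last context line of the hunk, "uninitialized memory executed.", is missing its verb; the sentence should read "this failure is improperly handled and uninitialized memory is executed" so that both clauses parse. Since the hunk already touches this description, fixing it in the same commit avoids a second pass over the file.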