Land #8960, spelling/grammar fixes part 3
commit
e8eeb784e4
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
rendering engine. It is possible to redirect the output of a XSLT
transformation to an arbitrary file. The content of the created file must be
ASCII or UTF-8. The destination path can be relative or absolute. This module
has been tested on Safari and Maxthon. Code execution can be acheived by first
has been tested on Safari and Maxthon. Code execution can be achieved by first
uploading the payload to the remote machine in VBS format, and then upload a MOF
file, which enables Windows Management Instrumentation service to execute the VBS.
},

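Review bot: two grammar slips survive in the context lines of this hunk, so the pass is incomplete here: "the output of a XSLT transformation" should read "an XSLT transformation", and "and then upload a MOF file" is not parallel with "uploading the payload" and should read "and then uploading a MOF file".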
@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote
super( update_info(info,
'Name' => 'TeeChart Professional ActiveX Control Trusted Integer Dereference',
'Description' => %q{
This module exploits a integer overflow in TeeChart Pro ActiveX control. When
This module exploits an integer overflow in TeeChart Pro ActiveX control. When
sending an overly large/negative integer value to the AddSeries() property of
TeeChart2010.ocx, the code will perform an arithemetic operation that wraps the
TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
value and is later directly trusted and called upon.

This module has been designed to bypass DEP only under IE8 with Java support. Multiple

@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect
initialization under Internet Explorer.

While the Tom Sawyer GET Extension Factory is installed with some versions of VMware
While the Tom Sawyer GET Extension Factory is installed with some versions of VMware
Infrastructure Client, this module has been tested only with the versions installed
with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX
control tested is tsgetx71ex553.dll, version 5.5.3.238.

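Review bot: the removed and added "While the Tom Sawyer GET Extension Factory ..." lines are character-for-character identical in this view, so the change is invisible (most likely trailing whitespace); worth confirming it is not a no-op hunk and, if it is a whitespace fix, saying so in the commit message since the title only mentions spelling/grammar.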
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-
based buffer overflow will occur when copying attacker-supplied data using the
sprintf function.


@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Winamp Playlist UNC Path Computer Name Overflow',
'Description' => %q{
This module exploits a vulnerability in the Winamp media player.
This flaw is triggered when a audio file path is specified, inside a
This flaw is triggered when an audio file path is specified, inside a
playlist, that consists of a UNC path with a long computer name. This
module delivers the playlist via the browser. This module has only
been successfully tested on Winamp 5.11 and 5.12.

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack buffer overflow in Winamp 5.24. By
sending an overly long artist tag, a remote attacker may
be able to execute arbitrary code. This vulnerability can be
exploited from the browser or the winamp client itself.
exploited from the browser or the Winamp client itself.
},
'Author' => 'MC',
'License' => MSF_LICENSE,

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX
control in InterVideo WinDVD 7. By sending a overly long string
control in InterVideo WinDVD 7. By sending an overly long string
to the "ApplicationType()" property, an attacker may be able to
execute arbitrary code.
},

@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.

The WMI Adminsitrative Tools are a standalone download & install (linked in the
The WMI Administrative Tools are a standalone download & install (linked in the
references).

},

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the
X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun
X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun
a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.
},
'License' => MSF_LICENSE,

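Review bot: the unchanged first line of the description, "the VideoPlayer.ocx ActiveX installed with the X360 Software", drops the noun; the 'Name' line and the other modules in this commit say "ActiveX control", so "the VideoPlayer.ocx ActiveX control installed with" would be consistent.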
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX
Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string
Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string
to the "fvCom()" method from a yahoo.com domain, an attacker may be able
to execute arbitrary code.
},

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX
Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.
By sending a overly long string to the "Server()" method, and then calling
By sending an overly long string to the "Server()" method, and then calling
the "Send()" method, an attacker may be able to execute arbitrary code.
Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp"
yield for the best results.

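Review bot: the trailing context line "Using the payloads ... yield for the best results." is ungrammatical and sits two lines below the fix; since this commit is a grammar pass, suggest "Using the payloads ... yields the best results."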
@ -24,9 +24,9 @@ class MetasploitModule < Msf::Exploit::Remote
streams with certain MAPI attachment properties, it is possible to set a path name
to files to be executed. When a user double clicks on such an attachment or message,
Outlook will proceed to execute the file that is set by the path name value. These
files can be local files, but also file stored remotely for example on a file share.
Exploitation is limited by the fact that its is not possible for attackers to supply
command line options.
files can be local files, but also files stored remotely (on a file share, for example)
can be used. Exploitation is limited by the fact that it is not possible for attackers
to supply command line options.
},
'Author' => 'Yorick Koster <yorick[at]akitasecurity.nl>',
'References' =>

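Review bot: the rewritten sentence still does not parse: "These files can be local files, but also files stored remotely (on a file share, for example) can be used." has two subjects fighting for one clause. Suggest "These can be local files, but files stored remotely (on a file share, for example) can also be used." which keeps the added parenthetical and the "can be used" wording.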
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges
of the user running the application . This module has been tested successfully on
of the user running the application. This module has been tested successfully on
ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,

@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote

NOTE: This module uses a similar DEP bypass method to that used within the
adobe_libtiff module. This method is unlikely to work across various
Windows versions due a the hardcoded syscall number.
Windows versions due to a hardcoded syscall number.
},
'License' => MSF_LICENSE,
'Author' =>

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Adobe Reader ToolButton Use After Free',
'Description' => %q{
This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6
and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
the cEnable callback can be used to early free the object memory. Later use of the object
allows triggering the use after free condition. This module has been tested successfully

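Review bot: the context line "the cEnable callback can be used to early free the object memory" has the adverb in the wrong place; in a grammar pass this should become "to free the object memory early".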
@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Apple Quicktime. The flaw is
triggered when Quicktime fails to properly handle the data length for certain
This module exploits a vulnerability found in Apple QuickTime. The flaw is
triggered when QuickTime fails to properly handle the data length for certain
atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
overflow by loading a specially crafted .mov file, and allows arbitrary
code execution under the context of the current user. Please note: Since an egghunter

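Review bot: the capitalisation fix is applied to the description but not to the 'Name' line two lines above it, which still reads "Apple Quicktime 7", so the module now spells the product two ways; also "which may result a buffer overflow" in the following context line is missing "in" ("may result in a buffer overflow").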
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the PLS extention is registered to Audiotran.
PLS file within a browser, when the PLS extension is registered to Audiotran.
This functionality has not been tested in this module.
},
'License' => MSF_LICENSE,

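Review bot: "An attacker must send the file to victim" is missing the article ("to the victim"), and "Alternatively it may be possible" wants a comma after "Alternatively", as the Audiotran 1.4.2.4 module already has it; the same boilerplate sentence appears unchanged in the DeepBurner, Millenium MP3 Studio and Zinf hunks of this commit, so one sweep would fix all of them.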
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.
An attacker must send the file to victim and the victim must open the file.
Alternatively, it may be possible to execute code remotely via an embedded
PLS file within a browser when the PLS extention is registered to Audiotran.
PLS file within a browser when the PLS extension is registered to Audiotran.
This alternate vector has not been tested and cannot be exercised directly
with this module.
},

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a vulnerability found in Aviosoft Digital TV Player
Pro version 1.x. An overflow occurs when the process copies the content of a
playlist file on to the stack, which may result aribitrary code execution under
playlist file on to the stack, which may result arbitrary code execution under
the context of the user.
},
'License' => MSF_LICENSE,

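Review bot: the corrected line still reads "which may result arbitrary code execution"; the missing preposition is the larger error on this line, so it should be "which may result in arbitrary code execution", matching the wording the same commit uses in the DVD X Player hunk.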
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit
'Name' => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
'Description' => %q{
This module exploits a stack-based buffer overflow on Beetel Connection Manager. The
vulnerability exists in the parising of the UserName parameter in the NetConfig.ini
vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini
file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP
SP3 and Windows 7 SP1.
},

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'CA Antivirus Engine CAB Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.
By creating a specially crafted CAB file, an an attacker may be able
By creating a specially crafted CAB file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
a m3u playlist with a long track name, a SEH exception record can be overwritten
with parts of the controllable buffer. SEH execution is triggered after an
invalid read of an injectible address, thus allowing arbitrary code execution.
invalid read of an injectable address, thus allowing arbitrary code execution.
This module works on multiple Windows platforms including: Windows XP SP3,
Windows Vista, and Windows 7.
},

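Review bot: the second context line, "Opening a m3u playlist ... a SEH exception record", has two of the a/an errors this commit fixes elsewhere; both are pronounced with a leading vowel, so "an m3u playlist" and "an SEH exception record". The sentence is also a dangling participle ("Opening ..., a SEH exception record can be overwritten"); "When a m3u playlist with a long track name is opened, ..." would read cleanly.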
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a buffer overflow vulnerability found in Chasys Draw IES
(version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
parsing BMP files, where the ReadFile function is used to store user provided data
on the stack in a insecure way. It results in arbitrary code execution under the
on the stack in an insecure way. It results in arbitrary code execution under the
context of the user viewing a specially crafted BMP file. This module has been
tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7
SP1.

@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote

This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
similar except an additional SpecialFolderDataBlock is included. The folder ID set
in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
DLL file.
},

@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
DBR file within a browser, since the DBR extention is registered to DeepBurner.
DBR file within a browser, since the DBR extension is registered to DeepBurner.
},
'License' => MSF_LICENSE,
'Author' =>

@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
Standard. By supplying a long string of data in a plf file (playlist), the
MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
and then copy it on the stack without any proper bounds checking, which casues a
buffer overflow, and results arbitrary code execution under the context of the user.
and then copy it on the stack without any proper bounds checking, which causes a
buffer overflow, and results in arbitrary code execution under the context of the user.

This module has been designed to target common Windows systems such as:
Windows XP SP2/SP3, Windows Vista, and Windows 7.

@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control
(KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's
This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control
(KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's
Documentation ApplicationXtender 5.4.
},
'License' => MSF_LICENSE,

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
(version 11.04). The vulnerability exists in the module ermapper_u.dll where the
function ERM_convert_to_correct_webpath handles user provided data in a insecure
function ERM_convert_to_correct_webpath handles user provided data in an insecure
way. It results in arbitrary code execution under the context of the user viewing
a specially crafted .ers file. This module has been tested successfully with ERS
Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
The vulnerability exists in the module ermapper_u.dll, where the function
rf_report_error handles user provided data in a insecure way. It results in
rf_report_error handles user provided data in an insecure way. It results in
arbitrary code execution under the context of a user viewing a specially crafted
.ers file. This module has been tested successfully with ERS Viewer 2013 (versions
13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.

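Review bot: the trailing context lines say "ERS Viewer 2013 (versions 13.0.0.1151)" while only one version number follows, so "version 13.0.0.1151" is the right form; the ERS Viewer 2011 hunk in this same commit already uses the singular.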
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HTML Help Workshop 4.74
By creating a specially crafted hhp file, an an attacker may be able
By creating a specially crafted hhp file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,

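Review bot: the line above the fix, "This module exploits a stack buffer overflow in HTML Help Workshop 4.74", has no terminating period, so the two sentences run together; the sibling CA Antivirus hunk shows the intended form ("... 8.1.637.").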
@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
'Description' => %q{
This module embeds an exploit into an ucompressed map file (.h3m) for
This module embeds an exploit into an uncompressed map file (.h3m) for
Heroes of Might and Magic III. Once the map is started in-game, a
buffer overflow occuring when loading object sprite names leads to
buffer overflow occurring when loading object sprite names leads to
shellcode execution.
},
'License' => MSF_LICENSE,

@ -32,9 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote
saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.

To ensure we can perform arbitrary code execution we must we provide a valid pointer at
0x74 which is used as a argument for the called function at 0x675751ED as a id file
0x74 which is used as an argument for the called function at 0x675751ED as an id file
extension parameter. Once the caller regains control we will reach our RETURN. The Ret
instruction will be used to pop the overwritten saved return address which was currupted.
instruction will be used to pop the overwritten saved return address which was corrupted.

This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.


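Review bot: the context line directly above the first fix, "we must we provide a valid pointer", has a duplicated "we" that this pass leaves in place; also "bypass 2 mitigations DEP and ASLR" a few lines down would read better as "bypass two mitigations, DEP and ASLR,".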
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'IcoFX Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in version 2.1
of IcoFX. The vulnerability exists while parsing .ICO files, where an specially
of IcoFX. The vulnerability exists while parsing .ICO files, where a specially
crafted ICONDIR header providing an arbitrary long number of images in the file
can be used to trigger the overflow when reading the ICONDIRENTRY structures.
},

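Review bot: "providing an arbitrary long number of images" in the context line below the fix needs the adverb form, "an arbitrarily large number of images"; as written, "arbitrary long" modifies nothing correctly.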
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack buffer overflow in versions v9.7
through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
IDEAL Migration. All versions are suspected to be vulnerable.
By creating a specially crafted ipj file, an an attacker may be able
By creating a specially crafted ipj file, an attacker may be able
to execute arbitrary code.

NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH

@ -18,8 +18,8 @@ class MetasploitModule < Msf::Exploit::Remote
The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails
to check the FileName argument, and passes it on to a ShellExecuteW() function,
therefore allows any malicious attacker to execute any process that's on the
local system. However, if the victim machine is connected to a remote share (
or something similiar), then it's also possible to execute arbitrary code.
local system. However, if the victim machine is connected to a remote share
(or something similar), then it's also possible to execute arbitrary code.
Please note that a custom template is required for the payload, because the
default Metasploit template is detectable by McAfee -- any Windows binary, such
as calc.exe or notepad.exe, should bypass McAfee fine.

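Review bot: the unchanged line "therefore allows any malicious attacker to execute any process" has no subject (the subject of the sentence is "The ShowReport() function", which "fails" and "passes", so "allows" does not attach); "thereby allowing an attacker to execute any process" would fix it without changing the meaning.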
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.
PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.
This functionality has not been tested in this module.
},
'License' => MSF_LICENSE,

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'MJM Core Player 2011 .s3m Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MJM Core Player 2011
When opening a malicious s3m file in this applications, a stack buffer overflow can be
When opening a malicious s3m file in this application, a stack buffer overflow can be
triggered, resulting in arbitrary code execution.
This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
},

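Review bot: the line above the fix, "This module exploits a stack buffer overflow in MJM Core Player 2011", lacks a period, so it runs into "When opening ..."; a period is needed there for the corrected line to start a sentence.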
@ -14,11 +14,11 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack-based buffer overflow found in the handling
of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently
targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer.
targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.

The overflow is triggered when an unsuspecting victim opens a movie file first,
followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also
be done from the console with the mplayer "-sub" option.
be done from the console with the MPlayer "-sub" option.
},
'License' => MSF_LICENSE,
'Author' => [

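Review bot: the context lines use "SAMI subtitles files" twice; the attributive noun is singular in English ("SAMI subtitle files"), and "MPlayer SVN Versions before 33471" does not need the capital V. Both sit in lines this hunk already touches, so they can be folded in.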
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
structure from the file to calculate a pointer offset without doing proper
validation. Attacker supplied data is then used to calculate the location of an
object, and in turn a virtual function call. This results in arbitrary code
exection.
execution.

NOTE: On some versions of Office, the user will need to dismiss a warning dialog
prior to the payload executing.

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.
By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker
can get the control of the excution flow. This results aribrary code execution under
can get the control of the execution flow. This results in arbitrary code execution under
the context of the user.
},
'License' => MSF_LICENSE,

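Review bot: the corrected line keeps "can get the control of the execution flow", which is unidiomatic; since the line is being edited anyway, "can gain control of the execution flow" is the usual phrasing, and the preceding line wants a comma after "record" before "an attacker".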
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a vulnerability found in Excel of Microsoft Office 2007.
By supplying a malformed .xlb file, an attacker can control the content (source)
of a memcpy routine, and the number of bytes to copy, therefore causing a stack-
based buffer overflow. This results aribrary code execution under the context of
user the user.
based buffer overflow. This results in arbitrary code execution under the context of
the user.
},
'License' => MSF_LICENSE,
'Author' =>

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Microsoft Visual Basic VBP Buffer Overflow',
'Description' => %q{
This module exploits a stack oveflow in Microsoft Visual
This module exploits a stack overflow in Microsoft Visual
Basic 6.0. When a specially crafted vbp file containing a long
reference line, an attacker may be able to execute arbitrary
code.

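Review bot: the sentence continuing below the fix has no verb in its subordinate clause: "When a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code." Suggest "When a specially crafted vbp file containing a long reference line is opened, an attacker may be able to execute arbitrary code."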
@ -41,8 +41,8 @@ class MetasploitModule < Msf::Exploit::Remote
The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a
drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,
and stored in the EAX register. The 32-bit register will run out of storage space to
represent the large vlaue, which ends up being 0, but it still gets pushed as a
dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a
represent the large value, which ends up being 0, but it still gets pushed as a
dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a
chunk anyway with size 0, and the address of this chunk is used as the destination buffer
of a memcpy function, where the source buffer is the EXIF data (an extended image format
supported by TIFF), and is also user-controlled. A function pointer in the chunk returned

@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Orbit Downloader URL Unicode Conversion Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Orbit Downloader.
The vulnerability is due to Orbit converting an URL ascii string to unicode
in a insecure way with MultiByteToWideChar.
The vulnerability is due to Orbit converting a URL ascii string to unicode
in an insecure way with MultiByteToWideChar.
The vulnerability is exploited with a specially crafted metalink file that
should be opened with Orbit through the "File->Add Metalink..." option.
},

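Review bot: the edited line still writes "ascii" and "unicode" in lower case; both are proper names ("ASCII", "Unicode"), and the 'Name' line directly above already uses "Unicode", so the description should match it.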
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'PDF Shaper Buffer Overflow',
'Description' => %q{
PDF Shaper is prone to a security vulnerability when processing PDF files.
The vulnerability appear when we use Convert PDF to Image and use a specially
crafted PDF file. This module has been tested successfully on Win Xp, Win 7,
The vulnerability appears when we use Convert PDF to Image and use a specially
crafted PDF file. This module has been tested successfully on Win XP, Win 7,
Win 8, Win 10.
},
'License' => MSF_LICENSE,

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player\".
This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.
},
'License' => MSF_LICENSE,

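Review bot: the context line "tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8" is the odd one out in this commit, which normalises the same platform to "Windows XP SP3" in the ABBS, Chasys and ERS hunks; "Windows XP SP3 (EN)" would bring it in line. The edited line is also missing articles: "occurs when opening a malformed Settings.ini file".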
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
execution. A patch is available at visiwave.com; the fix is done by XORing the return value as
null if no match is found, and then it is validated before use.

NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a
NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a
victim user to 'double click' the malicious VWR file and execute code. This module was also built
to bypass ASLR and DEP.
},

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in the Win32AddConnection
function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are
function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are
reportedly affected.

This vulnerability is only present in Win32 builds of VLC.

@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'VUPlayer CUE Buffer Overflow',
'Description' => %q{
This module exploits a stack over flow in VUPlayer <= 2.49. When
the application is used to open a specially crafted cue file, an buffer is overwritten allowing
This module exploits a stack based overflow in VUPlayer <= 2.49. When
the application is used to open a specially crafted cue file, a buffer is overwritten allowing
for the execution of arbitrary code.
},
'License' => MSF_LICENSE,

@ -15,9 +15,9 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack based buffer overflow in Winamp 5.55. The flaw
exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
where memmove is used with in a insecure way with user controlled data.
where memmove is used in an insecure way with user controlled data.

To exploit the vulnerability the attacker must convince the attacker to install the
To exploit the vulnerability the attacker must convince the victim to install the
generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,
or generate a new skin using the crafted mcvcore.maki file. The module has been
tested successfully on Windows XP SP3 and Windows 7 SP1.

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',
'Description' => %q{
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
by generating an malicious file.)
by generating a malicious file.
},
'License' => MSF_LICENSE,
'Author' =>

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.
|
||||
An attacker must send the file to victim and the victim must open the file.
|
||||
Alternatively it may be possible to execute code remotely via an embedded
|
||||
PLS file within a browser, when the PLS extention is registered to Zinf.
|
||||
PLS file within a browser, when the PLS extension is registered to Zinf.
|
||||
This functionality has not been tested in this module.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
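Review bot: missing article on the unchanged line `An attacker must send the file to victim and the victim must open the file.`; it should be "to the victim" (or "to a victim"). Since this hunk already edits the adjacent line, fix it here rather than in another pass.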
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
|
||||
crafted format string specifier as a username. The crafted username is sent to to the server to
|
||||
crafted format string specifier as a username. The crafted username is sent to the server to
|
||||
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
|
||||
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
|
||||
The SEH exit function is preferred so that the administrators are not left with an unhandled
|
||||
|
|
|
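Review bot: the trailing context line `is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.` lowercases DEP, while every other description in this change spells the acronym in capitals (e.g. "DEP bypass via ROP" in the AllMediaServer module); change it to "bypasses DEP" while this description is open.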
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
PASS command. This may allow a remote attacker to cause a buffer overflow,
|
||||
resulting in a denial of service or allow the execution of arbitrary code.
|
||||
|
||||
FreeFTPd must have an account set to authorization anonymous user account.
|
||||
freeFTPd must have an account set to authorization anonymous user account.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
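Review bot: the `+` line `freeFTPd must have an account set to authorization anonymous user account.` fixes the product's capitalization but leaves the sentence ungrammatical. Suggest `freeFTPd must be configured to authorize the anonymous user account.` (or "must have anonymous login enabled"), which states the precondition the module actually needs.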
@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'FTPShell 5.1 Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets
|
||||
triggered when the ftp clients tries to process an overly response to a PWD command.
|
||||
This will overwrite the saved EIP and structured exception handler.
|
||||
triggered when the ftp client tries to process an overly long response to a PWD
|
||||
command. This will overwrite the saved EIP and structured exception handler.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
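Review bot: the rewrapped `+` lines restore the missing word "long" in "an overly long response" and fix the plural "clients", which is a meaning fix rather than a spelling fix and deserves a mention. Minor style point on the same lines: "ftp client" should be "FTP client", matching the capitalization used in the other descriptions here (`HTTPDX FTP server`, `FTP PORT command`).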
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'HTTPDX tolog() Function Format String Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a format string vulnerability in HTTPDX FTP server.
|
||||
By sending an specially crafted FTP command containing format specifiers, an
|
||||
By sending a specially crafted FTP command containing format specifiers, an
|
||||
attacker can corrupt memory and execute arbitrary code.
|
||||
|
||||
By default logging is off for HTTP, but enabled for the 'moderator' user
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability found in the PUT command of the
|
||||
PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
|
||||
credientials are enabled.
|
||||
credentials are enabled.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
vulnerability that is triggered when processing a sufficiently long
|
||||
filename during a FTP LIST command resulting in overwriting the
|
||||
exception handler. Social engineering of executing a specially crafted
|
||||
ftp file by double click will result in connecting to our malcious
|
||||
ftp file by double click will result in connecting to our malicious
|
||||
server and perform arbitrary code execution which allows the attacker to
|
||||
gain the same rights as the user running ScriptFTP. This vulnerability
|
||||
affects versions 3.3 and earlier.
|
||||
|
|
|
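Review bot: two grammar problems survive in the context lines around the fixed `+` line: `filename during a FTP LIST command` should be "an FTP LIST command", and `will result in connecting to our malicious server and perform arbitrary code execution` needs parallel verbs, i.e. "connecting to our malicious server and performing arbitrary code execution". Both sit on lines adjacent to the one this hunk edits.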
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Seagull FTP v3.3 Build 409 Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the Seagull FTP client that gets
|
||||
triggered when the ftp clients processes a response to a LIST command. If the
|
||||
triggered when the ftp client processes a response to a LIST command. If the
|
||||
response contains an overly long file/folder name, a buffer overflow occurs,
|
||||
overwriting a structured exception handler.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Vermillion FTP Daemon PORT Command Memory Corruption',
|
||||
'Description' => %q{
|
||||
This module exploits an out-of-bounds array access in the Arcane Software
|
||||
Vermillion FTP server. By sending an specially crafted FTP PORT command,
|
||||
Vermillion FTP server. By sending a specially crafted FTP PORT command,
|
||||
an attacker can corrupt stack memory and execute arbitrary code.
|
||||
|
||||
This particular issue is caused by processing data bound by attacker
|
||||
|
@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Processing is done using a source ptr (p) and a destination pointer (q).
|
||||
The vulnerable function walks the input string and continues while the
|
||||
source byte is non-null. If a comma is encountered, the function increments
|
||||
the the destination pointer. If an ascii digit [0-9] is encountered, the
|
||||
the destination pointer. If an ascii digit [0-9] is encountered, the
|
||||
following occurs:
|
||||
|
||||
*q = (*q * 10) + (*p - '0');
|
||||
|
|
|
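Review bot: style point on the `+` line `the destination pointer. If an ascii digit [0-9] is encountered, the`: "ascii" should be "ASCII". The prose description of the loop agrees with the expression on the context line `*q = (*q * 10) + (*p - '0');`, so no logic concern here.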
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Xlink FTP Client 32
|
||||
Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.
|
||||
When a overly long FTP server response is recieved by a client,
|
||||
When an overly long FTP server response is received by a client,
|
||||
arbitrary code may be executed.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable
|
||||
code is only accessible when clustering is configured. A request containing a
|
||||
long JSESSION cookie value can lead to arbirtary code execution.
|
||||
long JSESSION cookie value can lead to arbitrary code execution.
|
||||
},
|
||||
'Author' => 'pusscat',
|
||||
'References' =>
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a code execution flaw in HP AutoPass License Server. It abuses two
|
||||
weaknesses in order to get its objective. First, the AutoPass application doesn't enforce
|
||||
authentication in the CommunicationServlet component. Seond, it's possible to abuse a
|
||||
authentication in the CommunicationServlet component. Second, it's possible to abuse a
|
||||
directory traversal when uploading files thorough the same component, allowing to upload
|
||||
an arbitrary payload embedded in a JSP. The module has been tested successfully on
|
||||
HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
|
||||
|
|
|
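Review bot: the context line immediately after the fixed one, `directory traversal when uploading files thorough the same component, allowing to upload`, contains another typo of the same kind ("thorough" for "through") plus an ungrammatical "allowing to upload"; suggest `directory traversal when uploading files through the same component, allowing an attacker to upload`. A spelling-fix hunk should not leave a spelling error on the adjacent line.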
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a code execution flaw in HP Intelligent Management Center.
|
||||
The vulnerability exists in the mibFileUpload which is accepting unauthenticated
|
||||
file uploads and handling zip contents in a insecure way. Combining both weaknesses
|
||||
file uploads and handling zip contents in an insecure way. Combining both weaknesses
|
||||
a remote attacker can accomplish arbitrary file upload. This module has been tested
|
||||
successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
|
||||
},
|
||||
|
|
|
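Review bot: grammar on the context line `The vulnerability exists in the mibFileUpload which is accepting unauthenticated` is still off; suggest `The vulnerability exists in the mibFileUpload component, which accepts unauthenticated file uploads and handles zip contents in an insecure way` (which also rewrites the start of the `+` line). On the last context line, "over Windows 2003 SP2" should be "on Windows 2003 SP2".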
@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
1. An "Accept-Language" header longer than 100 bytes
|
||||
2. An "OVABverbose" URI variable set to "on", "true" or "1"
|
||||
|
||||
The vulnerability is related to "_WebSession::GetWebLocale()" ..
|
||||
The vulnerability is related to "_WebSession::GetWebLocale()".
|
||||
|
||||
NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.
|
||||
},
|
||||
|
|
|
@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
address.
|
||||
|
||||
The vulnerability is due to the use of the function "_OVConcatPath" which finally
|
||||
uses "strcat" in a insecure way. User controlled data is concatenated to a string
|
||||
uses "strcat" in an insecure way. User controlled data is concatenated to a string
|
||||
which contains the OpenView installation path.
|
||||
|
||||
To achieve reliable exploitation a directory traversal in OpenView5.exe
|
||||
|
|
|
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
timestamp prior to April 7th, 2010.
|
||||
|
||||
Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined
|
||||
with a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is
|
||||
with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is
|
||||
important to note that this vulnerability must be exploited by overwriting SEH. This is since
|
||||
overflowing the buffer with controllable data always triggers an access violation when
|
||||
attempting to write static text beyond the end of the stack.
|
||||
|
|
|
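Review bot: on the context line after the `+` line, `important to note that this vulnerability must be exploited by overwriting SEH. This is since`, "This is since" is not idiomatic; `This is because` reads cleanly and belongs in this hunk since it is the same paragraph.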
@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary
|
||||
code.
|
||||
|
||||
The vulnerable code lies within the a function within "snmpviewer.exe" with a
|
||||
The vulnerable code lies within a function within "snmpviewer.exe" with a
|
||||
timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET
|
||||
or POST request. The request must contain 'act' and 'app' parameters which, when
|
||||
combined, total more than the 1024 byte stack buffer can hold.
|
||||
|
|
|
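Review bot: the `+` line `The vulnerable code lies within a function within "snmpviewer.exe" with a` fixes the doubled article but keeps the "within ... within ... with" chain; suggest `The vulnerable code lies in a function in "snmpviewer.exe" with a timestamp prior to April 7th, 2010.`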
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0
|
||||
and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an
|
||||
attacker may be able to execute arbitrary code. Please note that this module only works
|
||||
against a specific build (ie. NNM 7.53_01195)
|
||||
against a specific build (i.e. NNM 7.53_01195)
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
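Review bot: a word is missing on the unchanged line `and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an`; it should read "a specially crafted OvOSLocale cookie", matching the phrasing of the other descriptions in this change. The `+` line's "(i.e. NNM 7.53_01195)" also lacks a closing period before the `},`.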
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
cause a stack-based buffer overflow and execute arbitrary code.
|
||||
|
||||
This vulnerability is not triggerable via a GET request due to limitations on the
|
||||
request size. The buffer being targetted is 16384 bytes in size. There are actually two
|
||||
request size. The buffer being targeted is 16384 bytes in size. There are actually two
|
||||
adjacent buffers that both get overflowed (one into the other), and strcat is used.
|
||||
|
||||
The vulnerable code is within the "execvp_nc" function within "ov.dll" prior to
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.
|
||||
By sending a request continaing a cookie longer than 5120 bytes, an attacker can overflow
|
||||
By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow
|
||||
a stack buffer and execute arbitrary code.
|
||||
|
||||
The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is
|
||||
|
@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
like the following:
|
||||
|
||||
#0 ...
|
||||
#1 sprintf_new(local_stack_buf, fmt, cooke);
|
||||
#1 sprintf_new(local_stack_buf, fmt, cookie);
|
||||
#2 OvWwwDebug(" HTTP_COOKIE=%s\n", cookie);
|
||||
#3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);
|
||||
#4 sub_405ee0("nnm", "webappmon");
|
||||
|
@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
is easily achieved by overwriting the saved return address or SEH frame.
|
||||
|
||||
The original advisory detailed an attack vector using the "OvJavaLocale" cookie being
|
||||
passed in a request ot "webappmon.exe". Further research shows that several different
|
||||
passed in a request to "webappmon.exe". Further research shows that several different
|
||||
cookie values, as well as several different CGI applications, can be used.
|
||||
'},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
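Review bot: the closing line of this description, `'},`, has a stray apostrophe before the `}` that terminates the `%q{` string, so the rendered description ends with a literal `'`. Remove it while this block is being edited, leaving `},` as in the other modules.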
@ -16,8 +16,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java
|
||||
class. When using this account, an attacker can abuse the
|
||||
com.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system
|
||||
allowing the execution of arbitary code.
|
||||
com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system
|
||||
allowing the execution of arbitrary code.
|
||||
|
||||
NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0
|
||||
},
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.
|
||||
By creating a malformed request specifically for the fileName parameter, a stack-based
|
||||
buffer overflow occurs due to a long error message (which contains the fileName),
|
||||
which may result aribitrary remote code execution under the context of 'SYSTEM'.
|
||||
which may result in arbitrary remote code execution under the context of 'SYSTEM'.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'HTTPDX tolog() Function Format String Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a format string vulnerability in HTTPDX HTTP server.
|
||||
By sending an specially crafted HTTP request containing format specifiers, an
|
||||
By sending a specially crafted HTTP request containing format specifiers, an
|
||||
attacker can corrupt memory and execute arbitrary code.
|
||||
|
||||
By default logging is off for HTTP, but enabled for the 'moderator' user
|
||||
|
|
|
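Review bot: this module's `'Name'` line, `'HTTPDX tolog() Function Format String Vulnerability'`, is identical to the `'Name'` of the FTP-side HTTPDX module edited earlier in this change, and the two descriptions differ only by "HTTP request" versus "FTP command"; consider qualifying the names (e.g. "... (HTTP)" and "... (FTP)") so the modules can be told apart in search output. The `+` line itself is fine.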
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
vulnerable.
|
||||
|
||||
The administration web page on port 18881 is vulnerable to a remote buffer overflow
|
||||
attack. By sending an long character string in the password field, both the structured
|
||||
attack. By sending a long character string in the password field, both the structured
|
||||
exception handler and the saved extended instruction pointer are over written, allowing
|
||||
an attacker to gain control of the application and the underlying operating system
|
||||
remotely.
|
||||
|
|
|
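Review bot: on the context line after the fix, `exception handler and the saved extended instruction pointer are over written, allowing`, "over written" should be the single word "overwritten", as the FTPShell and Seagull descriptions in this same change already spell it.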
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a remote buffer overflow in the MailEnable web service.
|
||||
The vulnerability is triggered when a large value is placed into the Authorization
|
||||
header of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and
|
||||
header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and
|
||||
MailEnable Professional versions prior to 1.55 are affected.
|
||||
},
|
||||
'Author' => 'David Maciejak <david.maciejak[at]kyxar.fr>',
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
|
||||
default hidden account "IntegrationUser" with administrator privileges exists. The account
|
||||
has a default password of "plugin" which can not be reset through the user interface. By
|
||||
has a default password of "plugin" which cannot be reset through the user interface. By
|
||||
log-in and abusing the default administrator's SQL query functionality, it's possible to
|
||||
write a WAR payload to disk and trigger an automatic deployment of this payload. This
|
||||
module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows.
|
||||
|
|
|
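Review bot: `log-in and abusing the default administrator's SQL query functionality, it's possible to` on the line after the `+` line is ungrammatical ("By log-in and abusing"); suggest `By logging in and abusing ...`. The `+` line would also read better with a comma: `"plugin", which cannot be reset`.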
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(
|
||||
'Name' => 'ManageEngine Applications Manager Authenticated Code Execution',
|
||||
'Description' => %q{
|
||||
This module logs into the Manage Engine Appplications Manager to upload a
|
||||
This module logs into the Manage Engine Applications Manager to upload a
|
||||
payload to the file system and a batch script that executes the payload. },
|
||||
'Author' => 'Jacob Giannantonio <JGiannan[at]gmail.com>',
|
||||
'Platform' => 'win',
|
||||
|
|
|
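Review bot: the `+` line still spells the vendor as "Manage Engine" while the `'Name'` two lines above uses "ManageEngine"; pick one form. Separately, the description's closing `},` sits at the end of the text line (`... a batch script that executes the payload. },`) instead of on its own line as in every other module here.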
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Octopus Deploy Authenticated Code Execution',
|
||||
'Description' => %q{
|
||||
This module can be used to execute a payload on an Octopus Deploy server given
|
||||
valid credentials or an API key. The payload is execued as a powershell script step
|
||||
valid credentials or an API key. The payload is executed as a powershell script step
|
||||
on the Octopus Deploy server during a deployment.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
root. If a new Domain has been used to deploy the Oracle application, the Windows
|
||||
Management Instrumentation service can be used to execute arbitrary code.
|
||||
|
||||
Both techniques has been successfully tested on default installs of Oracle BTM
|
||||
Both techniques have been successfully tested on default installs of Oracle BTM
|
||||
12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. Default path traversal depths are
|
||||
provided, but the user can configure the traversal depth using the DEPTH option.
|
||||
},
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits an authentication bypass vulnerability
|
||||
in login.php. In conjuction with the authentication bypass issue,
|
||||
in login.php. In conjunction with the authentication bypass issue,
|
||||
the 'jlist' parameter in property_box.php can be used to execute
|
||||
arbitrary system commands.
|
||||
This module was tested against Oracle Secure Backup version 10.3.0.1.0
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service
|
||||
supports a maximum of 10 threads (for a default install). Each exploit attempt
|
||||
generally causes a thread to die whether sucessful or not. Therefore, in a default
|
||||
generally causes a thread to die whether successful or not. Therefore, in a default
|
||||
configuration, you only have 10 chances.
|
||||
|
||||
Due to the limited space available for the payload in this exploit module, use of the
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module can be used to execute a payload on Umbraco CMS 4.7.0.378.
|
||||
The payload is uploaded as an ASPX script by sending a specially crafted
|
||||
SOAP request to codeEditorSave.asmx, which permits unauthorised file upload
|
||||
SOAP request to codeEditorSave.asmx, which permits unauthorized file upload
|
||||
via the SaveDLRScript operation. SaveDLRScript is also subject to a path
|
||||
traversal vulnerability, allowing code to be placed into the web-accessible
|
||||
/umbraco/ directory.
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This exploits a buffer overflow in the ISAPI ISM.DLL used to
|
||||
process HTR scripting in IIS 4.0. This module works against
|
||||
Windows NT 4 Service Packs 3, 4, and 5. The server will
|
||||
Windows NT 4 Service Packs 3, 4, and 5. The server will
|
||||
continue to process requests until the payload being
|
||||
executed has exited. If you've set EXITFUNC to 'seh', the
|
||||
server will continue processing requests, but you will have
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'IMail IMAP4D Delete Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the 'DELETE'
|
||||
command of the the IMail IMAP4D service. This vulnerability
|
||||
command of the IMail IMAP4D service. This vulnerability
|
||||
can only be exploited with a valid username and password.
|
||||
This flaw was patched in version 8.14.
|
||||
},
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Novell NetMail IMAP STATUS Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS
|
||||
This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS
|
||||
verb. By sending an overly long string, an attacker can overwrite the
|
||||
buffer and control program execution.
|
||||
},
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Computer Associates License Client GETCONFIG Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits an vulnerability in the CA License Client
|
||||
This module exploits a vulnerability in the CA License Client
|
||||
service. This exploit will only work if your IP address can be
|
||||
resolved from the target system point of view. This can be
|
||||
accomplished on a local network by running the 'nmbd' service
|
||||
|
|
|
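Review bot: the context line `resolved from the target system point of view. This can be` needs a possessive: "from the target system's point of view". Same paragraph as the `+` line, so it fits in this hunk.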
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
super(update_info(info,
|
||||
'Name' => 'AppLocker Execution Prevention Bypass',
|
||||
'Description' => %q{
|
||||
This module will generate a .NET service executable on the target and utilise
|
||||
This module will generate a .NET service executable on the target and utilize
|
||||
InstallUtil to run the payload bypassing the AppLocker protection.
|
||||
|
||||
Currently only the InstallUtil method is provided, but future methods can be
|
||||
|
|
|
@ -22,11 +22,11 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
This module will bypass Windows UAC by utilizing the trusted publisher
|
||||
certificate through process injection. It will spawn a second shell that
|
||||
has the UAC flag turned off. This module uses the Reflective DLL Injection
|
||||
technique to drop only the DLL payload binary instead of three seperate
|
||||
technique to drop only the DLL payload binary instead of three separate
|
||||
binaries in the standard technique. However, it requires the correct
|
||||
architecture to be selected, (use x64 for SYSWOW64 systems also).
|
||||
If specifying EXE::Custom your DLL should call ExitProcess() after starting
|
||||
your payload in a seperate process.
|
||||
your payload in a separate process.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
|
|
|
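Review bot: stray comma on the unchanged line `architecture to be selected, (use x64 for SYSWOW64 systems also).`; drop the comma before the parenthesis. The two `+` lines correctly fix "seperate"; nothing else to change there.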
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Name' => 'Windows SYSTEM Escalation via KiTrap0D',
|
||||
'Description' => %q{
|
||||
This module will create a new session with SYSTEM privileges via the
|
||||
KiTrap0D exlpoit by Tavis Ormandy. If the session is use is already
|
||||
KiTrap0D exploit by Tavis Ormandy. If the session in use is already
|
||||
elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,
|
||||
and is not supported on x64 editions of Windows.
|
||||
},
|
||||
|
|
|
@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
with a call to NtQueryIntervalProfile will execute shellcode.
|
||||
|
||||
This module will elevate itself to SYSTEM, then inject the payload
|
||||
into another SYSTEM process before restoring it's own token to
|
||||
into another SYSTEM process before restoring its own token to
|
||||
avoid causing system instability.
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -35,8 +35,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Name' => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
|
||||
a malformed font. The vulnerability was exploited by the hacking team and disclosed on
|
||||
the july data leak. This module has been tested successfully on vulnerable builds of
|
||||
a malformed font. The vulnerability was exploited by the hacking team and disclosed in
|
||||
the July data leak. This module has been tested successfully on vulnerable builds of
|
||||
Windows 8.1 x64.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
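Review bot: "the hacking team" on the `+` line is a proper noun, the vendor Hacking Team whose internal data was leaked in July 2015; capitalize it (`exploited by Hacking Team and disclosed in the July data leak`), otherwise the sentence reads as a generic group of attackers.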
@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
|
||||
'Description' => %q{
|
||||
This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn
|
||||
a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
|
||||
a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing
|
||||
the specified payload within the context of the elevated process.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
Vulnerable Products:
|
||||
Panda Global Protection 2016 (<=16.1.2)
|
||||
Panda Antivirus Pro 2016 (<=16.1.2)
|
||||
Panda Small Busines Protetion (<=16.1.2)
|
||||
Panda Small Business Protection (<=16.1.2)
|
||||
Panda Internet Security 2016 (<=16.1.2)
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Description' => %q{
|
||||
This module will login with the specified username/password and execute the
|
||||
supplied command as a hidden process. Output is not returned by default.
|
||||
Unless targetting a local user either set the DOMAIN, or specify a UPN user
|
||||
Unless targeting a local user either set the DOMAIN, or specify a UPN user
|
||||
format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function.
|
||||
|
||||
A custom command line can be sent instead of uploading an executable.
|
||||
|
|
|
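Review bot: the `+` line `Unless targeting a local user either set the DOMAIN, or specify a UPN user` has the comma in the wrong place; suggest `Unless targeting a local user, either set DOMAIN or specify a UPN user format (e.g. user@domain).`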
@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a
|
||||
sequence of specially crafted rendering messages, a virtual machine can exploit an out
|
||||
of bounds array access to corrupt memory and escape to the host. This module has been
|
||||
tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.
|
||||
tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
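Review bot: the only difference between the `-` and `+` lines is whitespace (the doubled space before "as Host"), which is easy to miss in review; while touching the line, "Virtual Box 4.3.6" should be the product name "VirtualBox 4.3.6" and "(64 bits)" should be "(64-bit)".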
@ -27,8 +27,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON
|
||||
method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS
|
||||
method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method
|
||||
creates an event filter that utilises the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER
|
||||
before executing the payload. The signal can be sent from a windows host on a LAN utilising the waitfor.exe command
|
||||
creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER
|
||||
before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command
|
||||
(note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is
|
||||
activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a
|
||||
high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.
|
||||
|
|
|
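Review bot: on the second `+` line, `The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command`, "windows" should be capitalized as "Windows"; "powershell script length limitations" on the last context line should likewise be "PowerShell".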
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in WinComLPD <= 3.0.2.
|
||||
By sending an overly long authentication packet to the remote
|
||||
adminstration service, an attacker may be able to execute arbitrary
|
||||
administration service, an attacker may be able to execute arbitrary
|
||||
code.
|
||||
},
|
||||
'Author' => 'MC',
|
||||
|
|
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
is caused due to a boundary error within the handling of HTTP request.
|
||||
|
||||
While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't
|
||||
reliable across virtual (VMWare, VirtualBox) and physical environments. Because of
|
||||
reliable across virtual (VMWare, VirtualBox) and physical environments. Because of
|
||||
this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default
|
||||
DEP is OptIn and AllMediaServer won't run with DEP.
|
||||
},
|
||||
|
|
|
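Review bot: whitespace-only change on the `+` line (the doubled space after "environments."); while here, `VMWare` should be `VMware`, and the context line `is caused due to a boundary error within the handling of HTTP request.` should read "of HTTP requests" (or "of an HTTP request").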
@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
command. Additionally the filename option in the same command can be used to launch
|
||||
a directory traversal attack and achieve arbitrary file upload.
|
||||
|
||||
The module uses uses the Windows Management Instrumentation service to execute an
|
||||
The module uses the Windows Management Instrumentation service to execute an
|
||||
arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It
|
||||
has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003
|
||||
SP2.
|
||||
|
|
Some files were not shown because too many files have changed in this diff.