This Metasploit module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing a string containing "..\\\\" sequences to the MakeHttpRequest method, an attacker is able to write arbitrary files to arbitrary locations on disk. Code execution occurs by writing to the All Users Startup Programs directory. You may want to combine this module with the use of multi/handler since a user would have to log in for the payload to execute.
a22d6a5d6ae13466a6759a4b609ca02715e96a081fa217cf96cb8a72607502d3
This Metasploit module exploits a stack overflow in Oracle Document Capture 10g (10.1.3.5.0). Oracle Document Capture 10g comes bundled with a third-party ActiveX control, emsmtp.dll (6.0.1.0). When passing an overly long string to the method "SubmitToExpress", an attacker may be able to execute arbitrary code.
3681ea82f4e84abfe0cbea6f00e7b797da8c9e22f7fa045d832eda5a5371bd10
This Metasploit module exploits a stack overflow in Symantec Altiris Deployment Solution. When sending an overly long string to the RunCmd() method of AeXNSConsoleUtilities.dll (6.0.0.1426), an attacker may be able to execute arbitrary code.
307712dacb17f1ff1707f3260b7175cbb211417deddfe962ccd54e42b6bc44df
This Metasploit module exploits a data segment buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code.
cc5464c5502efeb363604ff7cff786f441a5c42581c6aaf148a0991375add770
This Metasploit module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer.
d11edd52626b5a17b7f199e8ad2f6694a46ee39e57f58766dc6ad4feb982d0fc
This Metasploit module exploits a stack overflow in the NCTAudioFile2.Audio ActiveX Control provided by various audio applications. By sending an overly long string to the "SetFormatLikeSample()" method, an attacker may be able to execute arbitrary code.
572cd45f169e8ae99680a260fbe93c3ec15696fd145b671b14f7ce7d7656216b
This Metasploit module exploits a stack overflow in Persits Software Inc's XUpload ActiveX control (version 2.1.0.1) that's included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code.
0734205128b08ddc3df0d3272867d8a8333da02d7b7b61ab690efec93e3e3aaf
This Metasploit module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' parameter to the URL of an executable, an attacker can execute arbitrary code. Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and IE 8 on Windows XP SP3.
5d1244d3102a6a8bc52f45d6e2d5c1543508b64b6756ff4a6bbce3e854708833
This Metasploit module exploits a stack overflow in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing an overly long string to the AddFile method, an attacker may be able to execute arbitrary code.
089d6eb19898145a2a56800a1257447d897fce5f0c907c70b9222faf98dfc7db
Alt-N SecurityGateway is prone to a buffer overflow condition. This is due to insufficient bounds checking on the "username" parameter. Successful exploitation could result in code execution with SYSTEM level privileges. NOTE: This service doesn't restart, you'll only get one shot. However, it often survives a successful exploitation attempt.
ff81f757d0ee734b80216662fed47c56e6a92afa7502822354ef61533ab501d3
This Metasploit module exploits a stack overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
ba833e5d01e36543b456b900d99600f020ff71158db1a219a0b9c920d7d5fc41
This Metasploit module exploits a stack overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute arbitrary code.
1d019d9bfdce65032252ae522967de2f8fc81bf13e2aab36602e9dcdf2e3924f
This Metasploit module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. By sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code.
69483ee7992ff6f4b2b2ef96e0c967c2db4973dbbf9ad4391f544ad1b0cd3449
This Metasploit module exploits a stack overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically, this vulnerability is caused by a failure to properly handle user-supplied input within the HTTP request, including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode which was alphanumeric encoded by muts in the original exploit. If you plan on using this exploit for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably some timeout handling code that causes this.
3dc7da1a36dedf13ddf7ea5539aaac3f51e4cbdb8ecfab2652405871dd1aca71
This Metasploit module exploits a stack overflow in Hewlett-Packard Power Manager 4.2. By sending a specially crafted POST request with an overly long Login string, an attacker may be able to execute arbitrary code.
760a5e0c428e0ee8a5ed03674f016766c57a65eb426311bb765728b2278567af
This Metasploit module exploits a format string vulnerability in HTTPDX FTP server. By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.
931d50dd9d1e55c8f607f4660c7aa3557cc6af19452ebf2580cf70d48421a3ee
This Metasploit module exploits a format string vulnerability in HTTPDX HTTP server. By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.
5e82425ca633c611eb005775846af3b61ea0104b3a119879e7ff8046db79d936
This Metasploit module exploits a stack overflow in InterSystems Cache 2009.1. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code.
988f9f88e5e33fbde5236fcf17ff809a247b6a13a13022ecc22b600d876060d6
This Metasploit module exploits a stack overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request, an attacker may be able to execute arbitrary code.
66583a0594555d5fbb4ef434ba4d8cbbf81f63ce0361f95c46aa5ece2a9e0693
This Metasploit module exploits a stack buffer overflow in HT-MP3Player 1.0. Arbitrary code execution could occur when parsing a specially crafted .HT3 file. NOTE: The player installation does not register the file type to be handled. Therefore, a user must take extra steps to load this file.
93c3719a58f1c3f72ff27596e136d037fd1436d92c5834b6f8a0c7ed3b2353b0
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) overlong DSC Comment Buffer Overflow Exploit
fa7d623818aa870797cedbdfe793f36edde2119163f962043b50da8da39732e1
This Metasploit module exploits a stack overflow in IDEAL Administration v9.7. By creating a specially crafted ipj file, an attacker may be able to execute arbitrary code.
671e32b58eafc179c66a2c75065bd9266308aadcc36d69ae7c4a2f035130544f
This Metasploit module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549. An attacker must send the file to the victim and the victim must open the file.
cbe13148a58c488ccf7971b10d00768ebab0881172175b2ca34f1eebc44f7a4a
This Metasploit module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with the Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code.
d9f34d3ca724495af9e1703e2053bf024bceb6935e3dacafc2b68f298b46fb9a
This Metasploit module exploits a stack overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code.
d8999e37ae0660f6d0ccb78297cd00f678139931f395ba7c381dff454cfdddd2