This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the "main" function of "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. This exploit is somewhat unreliable. It is not completely clear why at this time, but it may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.
6b4d95471d68cca9d3ef11a5eae191b4a98a078054233598f568e7012765400b
This Metasploit module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs, the overflow occurs during a ov.sprintf_new() call, which allows an attacker to overwrite data on the stack, and gain arbitrary code execution.
afac3550398fcdd4661e55f613d7be338e41b1ddad70329e7911c3925f72091a
This Metasploit module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.
4c22f86bdf3b46260576ea5cf66c91a1e70361023d657dd8cabdade506e19c3c
This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By making a specially crafted HTTP request to the "snmpviewer.exe" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within a function in "snmpviewer.exe" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024-byte stack buffer can hold.
941d626b048888e533b6035864853431c8dc16bff0ae357bda104698ffecbf13
This Metasploit module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.
80ff73419a7cd13d7e21eb8ec7e33cd16805fe4f27fb6954c76a5d837fa3bf7f
This Metasploit module creates and enables a custom UDF (user defined function) on the target host via the UPDATE pg_largeobject method of binary injection. On default Microsoft Windows installations of PostgreSQL (<= 8.4), the postgres service account may write to the Windows temp directory, and may load UDF DLLs from there as well. PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are valid targets for this module. NOTE: This Metasploit module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL and the OID.
213fac5f2720047b0fb55ff6cfa251c235b21927acee0824016b457a6d9d998a
MC Content Manager version 10.1.1 suffers from cross site scripting and anti-automation vulnerabilities.
4644cc1ed6452b391270820f4e24d169cabed711cb344aeca189074a44ebb61d
Constructr CMS version 3.03 suffers from a remote shell upload vulnerability.
4016df6af6e009e58f6504666547d58edca736c3bd26f224887ce744c5703376
Advantec/BroadWin SCADA WebAccess 7.0 Network Service RPC party exploit that demonstrates the leaking of a security code and remote command execution.
83becf12b501bcc267fbd1be7561838dd7024b5d4fe6c3a51d4a00011e8a4337
The Progea Movicon 11 TCPUploadServer allows remote users to execute functions on the server without any form of authentication. Impacts include deletion of arbitrary files, execution of a program with an arbitrary argument, crashing the server, information disclosure, and more. This design flaw puts the host running this server at risk of potentially unauthorized functions being executed on the system.
fbc50819938d8873cd7f19b69cc6ec9e277dfe76726a60a616df1890c4c8cdf8
There are multiple remote uninitialized pointer free conditions in IGSS's ODBC server. By sending a specially crafted packet to listening port 20222, it is possible to crash the server. Execution of arbitrary code is unlikely.
d82e97b8f0e340895167edfec6e1532847830e7ddab52ff2c288237ef372149f
PHP-Nuke version 8.x suffers from anti-CSRF bypass and cross site request forgery vulnerabilities.
bf9ac275156cbbbadab533f228b1bf2cea04673bf444cbfc5e68a7dd114afb0f
PHP-Nuke version 8.x suffers from a cross site scripting vulnerability.
8d9a2d12ad870ef02483bb6f74180ef76a1e62b18fb0e684dff19c890c397432
PHP-Nuke version 8.x suffers from a remote blind SQL injection vulnerability.
d6818556033f371db18ca7f045b14f2caf84c54eb602cb2224cce6a02cf9c1c6
VMCPlayer version 1.0 suffers from a denial of service vulnerability.
e44d854795a09a766cfc0a56e40e69a06d646b467d7dc423698e15a5bd323250
Web Wiz Forums suffers from multiple remote SQL injection vulnerabilities.
d37105bc03e39df81d8832b6118bc99f8f76c3b665c1f00727e0c0a84482ada0
This Metasploit module exploits remote syscalls in DRuby.
a802a00709712a959585c5ee44f6a3601a7d2f74fae2b7984b61b541d1f3a35f
This Metasploit module exploits a vulnerability in the AVM2 ActionScript virtual machine used in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify bytecode streams prior to executing them. This can cause uninitialized memory to be executed. Utilizing heap spraying techniques to control the uninitialized memory region, it is possible to execute arbitrary code. Typically Flash Player is not used as a standalone application. Often, SWF files are embedded in other file formats or specifically loaded via a web browser. Malcode was discovered in the wild which embedded a malformed SWF file within an Excel spreadsheet. This exploit is based on the byte stream found within that malcode sample.
42f45f3260ab9c5b8cc16ebc8f87909c47dfc836d8362769726a745db24e2709
This Metasploit module exploits a buffer overflow in HP NNM's webappmon.exe. The vulnerability occurs when function "execvp_nc" fails to do any bounds-checking before strcat is used to append user-supplied input to a buffer.
bf5a083c853de0a9689a85f8964a561ceaf21211433507a6060dcd2fcafba338
This Metasploit module exploits a vulnerability in HP NNM's nnmRptConfig.exe. A remote user can send a long string to the nameParams parameter via a POST request, which causes an overflow on the stack when function ov.sprintf_new() is used, and gain arbitrary code execution.
8399adbc5106cbe36645f0c2d9c78118462b9640526de98fe7e579d71bc51419
This Metasploit module exploits a stack-based overflow in HP NNM's webappmon.exe. The vulnerability occurs when a long string of data is sent as the OvJavaLocale cookie value; OvWww.dll fails to do any bounds checking before this input is parsed in function OvWwwDebug(), which causes an overflow when sprintf_new() is called.
ec5c964f51636ce7ba31b28775d66861ded19652e6b8966cbb73d25ac422b9da
Oracle web server installations with fcgi-bin/echo suffer from a cross site scripting vulnerability.
876ccd422be21e22190e6a2ef52166aa0a13d89638cc8bd6d07d521630c33e6d
Symantec LiveUpdate Administrator suffers from a cross site request forgery vulnerability. Proof of concept is included.
1590de5e204cab69e3bed8c07807a00abee7648f9f8940d58e1c494577fc7b52
Element-IT PowUpload version 1.3 suffers from an arbitrary file upload vulnerability.
ecb04666c9415d6ad3138d3a737f646997e9853e874d2d5b161b7af0d82c796e
EAFlashUpload version 2.5 suffers from an arbitrary file upload vulnerability.
71b0a207afc3e978ca977de0699e16b37e0189108c5065b504ac0d2f923fc176