This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the "main" function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.
6b4d95471d68cca9d3ef11a5eae191b4a98a078054233598f568e7012765400bThis Metasploit module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs, the overflow occurs during a ov.sprintf_new() call, which allows an attacker to overwrite data on the stack, and gain arbitrary code execution.
afac3550398fcdd4661e55f613d7be338e41b1ddad70329e7911c3925f72091aThis Metasploit module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.
4c22f86bdf3b46260576ea5cf66c91a1e70361023d657dd8cabdade506e19c3cThis Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By making a specially crafted HTTP request to the "snmpviewer.exe" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within the a function within "snmpviewer.exe" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold.
941d626b048888e533b6035864853431c8dc16bff0ae357bda104698ffecbf13This Metasploit module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending specially crafted MaxAge parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.
80ff73419a7cd13d7e21eb8ec7e33cd16805fe4f27fb6954c76a5d837fa3bf7fThis Metasploit module creates and enables a custom UDF (user defined function) on the target host via the UPDATE pg_largeobject method of binary injection. On default Microsoft Windows installations of PostgreSQL (=< 8.4), the postgres service account may write to the Windows temp directory, and may source UDF DLL's from there as well. PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are valid targets for this module. NOTE: This Metasploit module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL and the OID.
213fac5f2720047b0fb55ff6cfa251c235b21927acee0824016b457a6d9d998aMC Content Manager version 10.1.1 suffers from cross site scripting and anti-automation vulnerabilities.
4644cc1ed6452b391270820f4e24d169cabed711cb344aeca189074a44ebb61dConstructr CMS version 3.03 suffers from a remote shell upload vulnerability.
4016df6af6e009e58f6504666547d58edca736c3bd26f224887ce744c5703376Advantec/BroadWin SCADA WebAccess 7.0 Network Service RPC party exploit that demonstrates the leaking of a security code and remote command execution.
83becf12b501bcc267fbd1be7561838dd7024b5d4fe6c3a51d4a00011e8a4337The Progea Movicon 11 TCPUploadServer allows remote users to execute functions on the server without any form of authentication. Impacts include deletion of arbitrary files, execution of a program with an arbitrary argument, crashing the server, information disclosure, and more. This design flaw puts the host running this server at risk of potentially unauthorized functions being executed on the system.
fbc50819938d8873cd7f19b69cc6ec9e277dfe76726a60a616df1890c4c8cdf8There are multiple remote uninitialized pointer free conditions in IGSS's ODBC server. By sending a specially crafted packet to listening port 20222, it is possible to crash the server. Execution of arbitrary code is unlikely.
d82e97b8f0e340895167edfec6e1532847830e7ddab52ff2c288237ef372149fPHP-Nuke version 8.x suffers from anti-csrf bypass and cross site request forgery vulnerabilities.
bf9ac275156cbbbadab533f228b1bf2cea04673bf444cbfc5e68a7dd114afb0fPHP-Nuke version 8.x suffers from a cross site scripting vulnerability.
8d9a2d12ad870ef02483bb6f74180ef76a1e62b18fb0e684dff19c890c397432PHP-Nuke version 8.x suffers from a remote blind SQL injection vulnerability.
d6818556033f371db18ca7f045b14f2caf84c54eb602cb2224cce6a02cf9c1c6VMCPlayer version 1.0 suffers from a denial of service vulnerability.
e44d854795a09a766cfc0a56e40e69a06d646b467d7dc423698e15a5bd323250Web Wiz Forums suffers from multiple remote SQL injection vulnerabilities.
d37105bc03e39df81d8832b6118bc99f8f76c3b665c1f00727e0c0a84482ada0This Metasploit module exploits remote syscalls in DRuby.
a802a00709712a959585c5ee44f6a3601a7d2f74fae2b7984b61b541d1f3a35fThis Metasploit module exploits a vulnerability in AVM2 action script virtual machine used in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify bytecode streams prior to executing it. This can cause uninitialized memory to be executed. Utilizing heap spraying techniques to control the uninitialized memory region it is possible to execute arbitrary code. Typically Flash Player is not used as a standalone application. Often, SWF files are embedded in other file formats or specifically loaded via a web browser. Malcode was discovered in the wild which embedded a malformed SWF file within an Excel spreadsheet. This exploit is based off the byte stream found within that malcode sample.
42f45f3260ab9c5b8cc16ebc8f87909c47dfc836d8362769726a745db24e2709This Metasploit module exploits a buffer overflow in HP NNM's webappmon.exe. The vulnerability occurs when function "execvp_nc" fails to do any bounds-checking before strcat is used to append user-supplied input to a buffer.
bf5a083c853de0a9689a85f8964a561ceaf21211433507a6060dcd2fcafba338This Metasploit module exploits a vulnerability in HP NNM's nnmRptConfig.exe. A remote user can send a long string data to the nameParams parameter via a POST request, which causes an overflow on the stack when function ov.sprintf_new() is used, and gain arbitrary code execution.
8399adbc5106cbe36645f0c2d9c78118462b9640526de98fe7e579d71bc51419This Metasploit module exploits a stack-based overflow in HP NNM's webappmon.exe. The vulnerability occurs when a long string of data is sent as OvJavaLocale's cookie value, OvWww.dll fails to properly do any bounds checking before this input is parsed in function OvWwwDebug(), which causes an overflow when sprintf_new() is called.
ec5c964f51636ce7ba31b28775d66861ded19652e6b8966cbb73d25ac422b9daOracle web server installations with fcgi-bin/echo suffer from a cross site scripting vulnerability.
876ccd422be21e22190e6a2ef52166aa0a13d89638cc8bd6d07d521630c33e6dSymantec LiveUpdate Administrator suffers from a cross site request forgery vulnerability. Proof of concept is included.
1590de5e204cab69e3bed8c07807a00abee7648f9f8940d58e1c494577fc7b52Element-IT PowUpload version 1.3 suffers from an arbitrary file upload vulnerability.
ecb04666c9415d6ad3138d3a737f646997e9853e874d2d5b161b7af0d82c796eEAFlashUpload version 2.5 suffers from an arbitrary file upload vulnerability.
71b0a207afc3e978ca977de0699e16b37e0189108c5065b504ac0d2f923fc176
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed