This Metasploit module exploits a stack buffer overflow in the Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. If the C&C is configured with the default 'admin' password, the exploit should work fine; if the C&C is configured with another password, the exploit can fail. The 'check' command can be used to determine whether the C&C target is using the default 'admin' password. An exploit attempt should not crash the Poison Ivy C&C process, only the thread responsible for handling the connection. Because of this, the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is set, a random header is used. If the bruteforce target is selected, a random header is sent whenever the header for the default password 'admin' does not work. Bruteforcing stops after 5 tries or once a session is obtained.
a5fb5f9fb5256f9b9ed0a73d71160bd6699b2d23e1947554a86a9c745e5bff43
This Metasploit module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted SOAP request to codeEditorSave.asmx, which permits unauthorised file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory. The module writes, executes and then overwrites an ASPX script; note that although the script content is removed, the file remains on the target. Automatic cleanup of the file is intended if a meterpreter payload is used. This Metasploit module has been tested successfully on Umbraco CMS 4.7.0.378 on Windows 7 SP1 32-bit. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have write permissions on the Windows Temp folder.
a969edd9061df64ff92c55db7b277da617626bfa9448eab4978dfbd56a0d42bb
This Metasploit module exploits a PHP unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code in the context of the webserver user. The dangerous unserialize() call exists in the 'tiki-print_multi_pages.php' script, which is called with user-controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method of the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file in the Tiki Wiki web directory. In order to run successfully, three conditions must be satisfied: (1) the display_errors PHP setting must be On to disclose the filesystem path of Tiki Wiki, (2) the Tiki Wiki Multiprint feature must be enabled to reach the unserialize() call, and (3) a PHP version older than 5.3.4 must be in use to allow poison null bytes in filesystem-related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.
04e6daabf6b6a5dba1b8fa576bc4f910b4df1c7b90652847142a832796744523
This Metasploit module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.
80e3ce82a2d97fa36f0665883aecc56cc126a901567bd0c4251832c7ded7ffe7
sflog! versions 1.00 and below suffer from local file inclusion, administrative password disclosure, and remote shell upload vulnerabilities.
a330468dd724ab2f78215e629c1c00b9dcb52c8249a68c63ac563236adda7e5a
The CopyFrom operation of the Sling POST servlet allows for copying a parent node to one of its descendant nodes, creating an infinite loop that ultimately results in denial of service, once memory and/or storage resources are exhausted.
8995843141b2cea69c3716091acf10088f9d4eadff4f7ee2520234cfcb689c33
ElfChat version 5.1.2 Pro suffers from a cross site scripting vulnerability.
5dbc0c25c91ac9c248972741c037874ae862593c456258d1c27f34c121b8cf11
CLscript CMS version 3.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
8635091a03cadff818ef882b8c084b7b4a9bae7ba416e78dcb8b0dba8b1a1761
Freeside SelfService CGI|API version 2.3.3 suffers from cross site scripting and remote SQL injection vulnerabilities.
589178af2616297852b8cdfafb33f881b4c884a43af9ffdc023300a62039ce29
Classifieds Ads Script PHP version 1.1 suffers from multiple remote SQL injection vulnerabilities.
031f8444dc9bb3fb64965abde0479ba420c5792fb922e32d4cc4692a9efc8683
GuestBook Scripts PHP version 1.5 suffers from cross site scripting and remote SQL injection vulnerabilities.
9b4db8ef1d37f9ab481fd0462d19541bdffd9a624fb896d51f3c537e6be7243c
Event Script PHP CMS version 1.1 suffers from multiple remote SQL injection vulnerabilities.
b4ea2c8291eef176dcb4692e33a55c32bca11c42097bbc2d66d036a17833ef60
The Linux kernel suffers from a local denial of service vulnerability in fs/eventpoll.c.
ae684ab734eecff046df417d7c7d68dd048faaf0572bbcf23b25dd857d7448f8
WordPress MoodThingy Widget version 0.8.7 suffers from a remote blind SQL injection vulnerability.
88db87914abc0a62993187a5bec1181471ba983dbcbf2567975eb06a46970247
Tiki Wiki CMS Groupware versions 8.3 and below suffer from an unserialize() PHP code execution vulnerability.
1131c8a6485c082585a271f33d7953e4f5c4c0779bc61c2352ed14fa8c3a700a
Sites powered by Arasism.com suffer from a remote SQL injection vulnerability. Note that this finding houses site-specific data.
87ec0d26bf3b2a41dd60e9c9288afdaf79105e9aa7b0c10869fa98bf2a9c9597
Webmatic version 3.1.1 suffers from a remote blind SQL injection vulnerability.
5df53c25fc086e653b42c737dfd26a462ef9860efd1b43b10ec8613e53d95ab9
7sepehr suffers from multiple remote SQL injection vulnerabilities.
9c65f9d07ab7d811716128d932fe580be35f1b4e82f7f0b58934320f6ae93609
The WordPress FlexiWeb-Form plugin suffers from a remote shell upload vulnerability.
f5788fd20d126e3bdb40fe524e1682956c5e0a164a7661495c6755a22acfd6e9
Webify Link Directory suffers from a remote SQL injection vulnerability.
090d94e61eb549530245d1678eeefbb09bfeaba84464884f28284e1cfc741ad6
Forum Oxalis version 0.1.2 suffers from a remote SQL injection vulnerability.
8f3ad2b8a2d27afa78634836c0069a3e80d48a3583c98da4cef0c56c87ae2862
Plow command line playlist generator version 0.0.5 suffers from a buffer overflow vulnerability.
1b0190493c6d4750f65fb5bf9746711aff97801af066f351fcc086f07d490965
This Metasploit module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest versions prior to 7.1.1.9, 7.1.2.6 or 8.0.0.2 which allows reliable remote code execution when DEP is not enabled.
387ecb02a357ac85525e1e50243fe56012c1987ea3f8ba4a3ee336ab0fb98ed5
CLscript Classified Script version 3.0 suffers from a remote SQL injection vulnerability.
c2fd644e3ef800cf4226f1d0a0bdab9109b18171934e553c49c53c74ad7068da
phpMyBackupPro versions 2.2 and below suffer from a local file inclusion vulnerability.
166b21bdc9185f708bd036262f1a876d4441fdd2ba9d32aff7948aae343ed8f3