This Metasploit module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. If the C&C is configured with the default 'admin' password, the exploit should work fine. In case of the C&C configured with another password the exploit can fail. The 'check' command can be used to determine if the C&C target is using the default 'admin' password. Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread responsible of handling the connection. Because of this the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header will be used. If the bruteforce target is selected, a random header will be sent in case the default for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or a session obtained.
a5fb5f9fb5256f9b9ed0a73d71160bd6699b2d23e1947554a86a9c745e5bff43This Metasploit module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted SOAP request to codeEditorSave.asmx, which permits unauthorised file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory. The module writes, executes and then overwrites an ASPX script; note that though the script content is removed, the file remains on the target. Automatic cleanup of the file is intended if a meterpreter payload is used. This Metasploit module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows 7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have write permissions on the Windows Temp folder.
a969edd9061df64ff92c55db7b277da617626bfa9448eab4978dfbd56a0d42bbThis Metasploit module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. In order to run successfully three conditions must be satisfied (1) display_errors php setting must be On to disclose the filesystem path of Tiki Wiki, (2) The Tiki Wiki Multiprint feature must be enabled to exploit the unserialize() and (3) a php version older than 5.3.4 must be used to allow poison null bytes in filesystem related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.
04e6daabf6b6a5dba1b8fa576bc4f910b4df1c7b90652847142a832796744523This Metasploit module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.
80e3ce82a2d97fa36f0665883aecc56cc126a901567bd0c4251832c7ded7ffe7sflog! versions 1.00 and below suffer from local file inclusion, administrative password disclosure, and remote shell upload vulnerabilities.
a330468dd724ab2f78215e629c1c00b9dcb52c8249a68c63ac563236adda7e5aThe CopyFrom operation of the Sling POST servlet allows for copying a parent node to one of its descendant nodes, creating an infinite loop that ultimately results in denial of service, once memory and/or storage resources are exhausted.
8995843141b2cea69c3716091acf10088f9d4eadff4f7ee2520234cfcb689c33ElfChat version 5.1.2 Pro suffers from a cross site scripting vulnerability.
5dbc0c25c91ac9c248972741c037874ae862593c456258d1c27f34c121b8cf11CLscript CMS version 3.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
8635091a03cadff818ef882b8c084b7b4a9bae7ba416e78dcb8b0dba8b1a1761Freeside SelfService CGI|API version 2.3.3 suffers from cross site scripting and remote SQL injection vulnerabilities.
589178af2616297852b8cdfafb33f881b4c884a43af9ffdc023300a62039ce29Classifieds Ads Script PHP version 1.1 suffers from multiple remote SQL injection vulnerabilities.
031f8444dc9bb3fb64965abde0479ba420c5792fb922e32d4cc4692a9efc8683GuestBook Scripts PHP version 1.5 suffers from cross site scripting and remote SQL injection vulnerabilities.
9b4db8ef1d37f9ab481fd0462d19541bdffd9a624fb896d51f3c537e6be7243cEvent Script PHP CMS version 1.1 suffers from multiple remote SQL injection vulnerabilities.
b4ea2c8291eef176dcb4692e33a55c32bca11c42097bbc2d66d036a17833ef60The Linux kernel suffers from a local denial of service vulnerability in fs/eventpoll.c.
ae684ab734eecff046df417d7c7d68dd048faaf0572bbcf23b25dd857d7448f8WordPress MoodThingy Widget version 0.8.7 suffers from a remote blind SQL injection vulnerability.
88db87914abc0a62993187a5bec1181471ba983dbcbf2567975eb06a46970247Tiki Wiki CMS Groupware versions 8.3 and below suffer from an unserialize() PHP code execution vulnerability.
1131c8a6485c082585a271f33d7953e4f5c4c0779bc61c2352ed14fa8c3a700aSites powered by Arasism.com suffer from a remote SQL injection vulnerability. Note that this finding houses site-specific data.
87ec0d26bf3b2a41dd60e9c9288afdaf79105e9aa7b0c10869fa98bf2a9c9597Webmatic version 3.1.1 suffers from a remote blind SQL injection vulnerability.
5df53c25fc086e653b42c737dfd26a462ef9860efd1b43b10ec8613e53d95ab97sepehr suffers from multiple remote SQL injection vulnerabilities.
9c65f9d07ab7d811716128d932fe580be35f1b4e82f7f0b58934320f6ae93609The WordPress FlexiWeb-Form plugin suffers from a remote shell upload vulnerability.
f5788fd20d126e3bdb40fe524e1682956c5e0a164a7661495c6755a22acfd6e9Webify Link Directory suffers from a remote SQL injection vulnerability.
090d94e61eb549530245d1678eeefbb09bfeaba84464884f28284e1cfc741ad6Forum Oxalis version 0.1.2 suffers from a remote SQL injection vulnerability.
8f3ad2b8a2d27afa78634836c0069a3e80d48a3583c98da4cef0c56c87ae2862Plow command line playlist generator version 0.0.5 suffers from a buffer overflow vulnerability.
1b0190493c6d4750f65fb5bf9746711aff97801af066f351fcc086f07d490965This Metasploit module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest versions prior to 7.1.1.9, 7.1.2.6 or 8.0.0.2 which allows reliable remote code execution when DEP is not enabled.
387ecb02a357ac85525e1e50243fe56012c1987ea3f8ba4a3ee336ab0fb98ed5CLscript Classified Script version 3.0 suffers from a remote SQL injection vulnerability.
c2fd644e3ef800cf4226f1d0a0bdab9109b18171934e553c49c53c74ad7068daphpMyBackupPro versions 2.2 and below suffer from a local file inclusion vulnerability.
166b21bdc9185f708bd036262f1a876d4441fdd2ba9d32aff7948aae343ed8f3
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed