Showing 1 - 25 of 61

Files from Elazar Broad

Email address: elazarb at earthlink.net
First Active: 2007-11-09
Last Active: 2012-06-11
Tom Sawyer Software GET Extension Factory Remote Code Execution
Posted Jun 11, 2012
Authored by rgod, Elazar Broad, juan vazquez | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This Metasploit module achieves DEP and ASLR bypass using the well-known msvcr71.dll ROP chain. The DLL is installed by default with the Embarcadero software and is loaded by the targeted ActiveX control.

tags | exploit, remote, code execution, activex
advisories | CVE-2011-2217, OSVDB-73211
MD5 | 3e7aa29056921982fd5564fee15bd5aa
iDEFENSE Security Advisory 2011-05-03.1
Posted Jun 7, 2011
Authored by iDefense Labs, Elazar Broad | Site idefense.com

iDefense Security Advisory 05.03.11 - Remote exploitation of a memory corruption vulnerability in Tom Sawyer Software's GET Extension Factory could allow an attacker to execute arbitrary code with the privileges of the affected user. The vulnerability exists within the way that Internet Explorer instantiates GET Extension Factory COM objects, which are not intended to be created inside of the browser. The object does not initialize properly, and this leads to a memory corruption vulnerability that an attacker can exploit to execute arbitrary code. iDefense has confirmed Tom Sawyer's Default GET Extension Factory 5.5.2.237, tsgetxu71ex552.dll and tsgetx71ex552.dll to be vulnerable. VMware VirtualCenter 2.5 Update 6 and VirtualCenter 2.5 Update 6a are vulnerable.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2217
MD5 | 2e6279ff1d843731dd05e2126d07501e
SapGUI BI 7100.1.400.8 Heap Corruption
Posted Jul 20, 2010
Authored by Elazar Broad

SapGUI BI version 7100.1.400.8 heap corruption exploit that launches calc.exe.

tags | exploit
MD5 | f7794f3dd88f7fe4f8d12298cc2f152b
SAPGui BI wadmxhtml.dll Tags Property Heap Corruption
Posted Jul 16, 2010
Authored by Elazar Broad

The SAPGui BI component version 7100.1.400.8 suffers from a heap corruption vulnerability that can result in the execution of arbitrary code.

tags | advisory, arbitrary
MD5 | 1518bf3e5e2cbc644a76b75abd4f9cc5
WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
Posted Mar 4, 2010
Authored by Tobias Klein, Elazar Broad, Guido Landi | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers.

tags | exploit, overflow, activex
advisories | CVE-2008-3558
MD5 | f2d99a88beab4e4dd35711d91502b078
iDEFENSE Security Advisory 2010-03-02.1
Posted Mar 3, 2010
Authored by iDefense Labs, Elazar Broad | Site idefense.com

iDefense Security Advisory 03.02.10 - Remote exploitation of a stack-based buffer overflow vulnerability in IBM Corp.'s Lotus Domino Web Access ActiveX control could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerable function takes an attacker-controlled URL, and copies it into a fixed-size stack buffer. No validation checks are performed on the length of the URL. By passing in a long URL string, it is possible to trigger a stack-based buffer overflow, resulting in the execution of arbitrary code.

tags | advisory, remote, web, overflow, arbitrary, activex
MD5 | 0f49ae12b79795b324cf97c77a4b8051
HP StorageWorks 1/8 G2 Tape Autoloader Privilege Escalation
Posted Jan 11, 2010
Authored by Sh2kerr, Elazar Broad | Site dsecrg.com

HP StorageWorks 1/8 G2 Tape Autoloader suffers from denial of service and privilege escalation vulnerabilities.

tags | exploit, denial of service, vulnerability
advisories | CVE-2009-2680
MD5 | 80db7cbe0231e9be01d2ae9920041bfb
Autodesk IDrop ActiveX Control Heap Memory Corruption
Posted Nov 26, 2009
Authored by Elazar Broad, Trancer | Site metasploit.com

This Metasploit module exploits a heap-based memory corruption vulnerability in Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use after free condition using the Src, Background, PackageXml properties.

tags | exploit, arbitrary, activex
MD5 | 8ffa620ce9eba17109acaff64cef9690
IBM Lotus Domino Web Access Upload Module Buffer Overflow
Posted Nov 26, 2009
Authored by Elazar Broad | Site metasploit.com

This Metasploit module exploits a stack overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the "General_ServerName()" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code.

tags | exploit, web, overflow, arbitrary
advisories | CVE-2007-4474
MD5 | 50aa5ae090a1b2db0a274c256a751cba
Symantec BackupExec Calendar Control Buffer Overflow
Posted Nov 26, 2009
Authored by Elazar Broad | Site metasploit.com

This Metasploit module exploits a stack overflow in Symantec BackupExec Calendar Control. By sending an overly long string to the "_DOWText0" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code.

tags | exploit, overflow, arbitrary
advisories | CVE-2007-6016
MD5 | 1df8f24fcdcece9e8eb4a56262167732
iDEFENSE Security Advisory 2009-10-13.2
Posted Oct 14, 2009
Authored by iDefense Labs, Elazar Broad | Site idefense.com

iDefense Security Advisory 10.13.09 - Remote exploitation of a use after free vulnerability in Adobe Systems Inc.'s Acrobat and Reader Firefox plugin could allow an attacker to execute arbitrary code with the privileges of the current user. When Adobe Acrobat/Reader is installed, it also installs various browser plugins that allow PDF documents to be viewed in the browser. This vulnerability occurs within the Firefox browser plugin. The Internet Explorer version is not affected. The vulnerability occurs when Firefox attempts to navigate away from a page and unload the PDF viewing plugin. When Firefox calls the plugin's destroy method, the plugin does not properly free its resources. Specifically, a function pointer for the window update routine is not properly freed. This results in uninitialized memory being used when the window is redrawn, which leads to attacker supplied data being executed when the function pointer is dereferenced. iDefense has confirmed the existence of this vulnerability in Acrobat and Reader versions 8.1.3, 8.1.4, 8.1.5, and 8.1.6. Previous versions are also likely affected. Version 9.1.3 and previous 9.x versions are not affected.

tags | advisory, remote, arbitrary
advisories | CVE-2009-2991
MD5 | 86f5a7800b522ebb67486e8a4e3d1080
SAP GUI VSFlexGrid Active-X Buffer Overflow
Posted Oct 8, 2009
Authored by Sh2kerr, Elazar Broad | Site dsecrg.com

The VSFLEXGrid component of the SAP GUI is susceptible to a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | e099ceb6469ff2385a8770fa9e668cf2
Autodesk IDrop ActiveX Code Execution
Posted Apr 29, 2009
Authored by Elazar Broad

Autodesk IDrop remote code execution Active-X related exploit.

tags | exploit, remote, code execution, activex
MD5 | 33738fc96994902b7d66e295f07b9917
Autodesk IDrop Active-X Control
Posted Apr 2, 2009
Authored by Elazar Broad

The Src, Background, PackageXml properties in the Autodesk IDrop Active-X control, IDrop.ocx version 17.1.51.160, can be manipulated to trigger a heap use after free condition resulting in arbitrary remote code execution.

tags | advisory, remote, arbitrary, code execution, activex
MD5 | 9f55a5b229984db40abe2aaef85d4fc6
Belkin BullDog Buffer Overflow
Posted Mar 9, 2009
Authored by Elazar Broad

Belkin BullDog Plus UPS-Service buffer overflow exploit that binds a shell to port 4444.

tags | exploit, overflow, shell
MD5 | a90630d41c3c87c3432068943d852f2c
Imera Code Execution
Posted Mar 3, 2009
Authored by Elazar Broad

The Imera ImeraIEPlugin.dll version 1.0.2.54 suffers from an arbitrary code execution vulnerability.

tags | exploit, arbitrary, code execution
MD5 | 551460c30d2207e3b9cb32147ab97096
webex-overflow.txt
Posted Aug 6, 2008
Authored by Elazar Broad

The Webex Meeting Manager utilizes several ActiveX controls, one of which is vulnerable to a stack-based buffer overflow. The atucfobj module contains a single method called NewObject() whose only parameter is vulnerable to this issue.

tags | advisory, overflow, activex
MD5 | ffcef6e99156b9761932f07647471908
trendmicro-activex.txt
Posted Jul 29, 2008
Authored by Elazar Broad

OfficeScan versions 7.3 build 1343 Patch 4 and below from Trend Micro suffer from an ActiveX related buffer overflow vulnerability.

tags | advisory, overflow, activex
MD5 | ab8f9d007a31acfffc8b3a3cb901bd90
realplayer-exec.txt
Posted Jul 26, 2008
Authored by Elazar Broad

RealPlayer suffers from a vulnerability where the WindowName and Controls properties of rmoc3260.dll do not manage heap memory properly, resulting in a use after free condition which can overwrite heap management structures, resulting in code execution. RealPlayer 11, 10.5, 10, and Enterprise are all affected.

tags | advisory, code execution
MD5 | 6770b3f1177517eb6841ebc11efa2528
realplayer_console.rb.txt
Posted Apr 2, 2008
Authored by Elazar Broad

This Metasploit module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.

tags | exploit, arbitrary, activex
advisories | CVE-2008-1309
MD5 | 5fa5ecf492d50f4a9f558a950358e245
realplayer-activexexec.txt
Posted Apr 2, 2008
Authored by Elazar Broad

Exploit for the heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.

tags | exploit, arbitrary, activex
advisories | CVE-2008-1309
MD5 | d1d54d0143d6c7c32a767130e453bb34
realplayer-activex.txt
Posted Mar 13, 2008
Authored by Elazar Broad

The Real Networks RealPlayer ActiveX controller appears to suffer from a heap corruption vulnerability.

tags | advisory, activex
MD5 | e3deff0c9f224a77d42d8d83eb5fec3a
symantecback-overflow.txt
Posted Mar 3, 2008
Authored by Elazar Broad

Symantec BackupExec Calendar Control (PVCalendar.ocx) buffer overflow exploit that spawns calc.exe or a shell on tcp/4444.

tags | exploit, overflow, shell, tcp
MD5 | 2c1cff8c354f4a88ca29b3119d31f0a3
move-overflow.txt
Posted Feb 26, 2008
Authored by Elazar Broad

Move Networks Quantum Streaming Player control buffer overflow exploit that makes use of UploadLogs() and spawns calc.exe or a shell on tcp/4444.

tags | exploit, overflow, shell, tcp
MD5 | 494f4767652244ffb26389822b200a82
citrix-overflow.txt
Posted Feb 13, 2008
Authored by Elazar Broad

Citrix Presentation Server Client WFICA.OCX ActiveX component heap buffer overflow exploit.

tags | exploit, overflow, activex
advisories | CVE-2006-6334
MD5 | e07a67979914c000a1b48e6d667104f8
© 2020 Packet Storm. All rights reserved.