what you don't know can hurt you
Showing 1 - 25 of 57 RSS Feed

Files from corelanc0d3r

Email addresscorelanc0d3r at gmail.com
First Active2009-07-28
Last Active2013-09-20
MS13-069 Microsoft Internet Explorer CCaret Use-After-Free
Posted Sep 20, 2013
Authored by corelanc0d3r, sinn3r | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret (text cursor) object. In IE's standards mode, the caret handling's vulnerable state can be triggered by first setting up an editable page with an input field, and then we can force the caret to update in an onbeforeeditfocus event by setting the body's innerHTML property. In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write() function, however, mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the same reference to the CCaret object. When the function tries to use this invalid reference to call a virtual function at offset 0x2c, it finally results a crash. Precise control of the freed object allows arbitrary code execution under the context of the user.

tags | exploit, arbitrary, code execution
advisories | CVE-2013-3205, OSVDB-97094
MD5 | b222591cf314e782b7770e70d0c3f3a6
MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
Posted Sep 4, 2013
Authored by corelanc0d3r, sinn3r | Site metasploit.com

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll. For example: This Metasploit module can be used against version 9.0.8112.16446, but not for 9.0.8112.16421. IE 8 requires a different way to trigger the vulnerability, but not currently covered by this module. The issue is specific to the browser's IE7 document compatibility, which can be defined in X-UA-Compatible, and the content editable mode must be enabled. An "onmove" event handler is also necessary to be able to trigger the bug, and the event will be run twice before the crash. The first time is due to the position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable' object is created during a "SelectAll" command, and this object will be used later on for the crash. The second onmove event seems to be triggered by a InsertButton (or Insert-whatever) command, which is also responsible for the free of object CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and then passes this on to the next functions (GetLineInfo -> QIClassID). When this reference arrives in function QIClassID, an access violation finally occurs when the function is trying to call QueryInterface() with the bad reference, and this results a crash. Successful control of the freed memory may leverage arbitrary code execution under the context of the user. Note: It is also possible to see a different object being freed and used, doesn't always have to be CFlatMarkupPointer.

tags | exploit, arbitrary, code execution
advisories | CVE-2013-3184, OSVDB-96182
MD5 | 5f9cbc7399e96d19ddf7fba26a5ef49a
ActFax 5.01 RAW Server Buffer Overflow
Posted Mar 26, 2013
Authored by corelanc0d3r, Craig Freyman, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server can be used to transfer fax messages without any underlying protocols. To note significant fields in the fax being transferred, like the fax number or the recipient, ActFax data fields can be used. This Metasploit module exploits a buffer overflow in the handling of the @F506 fields due to the insecure usage of strcpy. This Metasploit module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).

tags | exploit, overflow, protocol
systems | windows, xp
advisories | OSVDB-89944
MD5 | cded5f4f56c57b9c3f4c1bb89e73d638
ActFax 5.01 RAW Server Buffer Overflow
Posted Feb 6, 2013
Authored by corelanc0d3r, Craig Freyman | Site metasploit.com

This Metasploit module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server can be used to transfer fax messages to the fax server without any underlying protocols. To note significant fields in the fax being transfered, like fax number and recipient, you can use ActFax data fields. @F506,@F605, and @F000 are all data fields that are vulnerable. This has been fixed in a beta version which will not be pushed to release until May 2013.

tags | exploit, protocol
MD5 | 4bf23d489c0d688f65c9f79f71d2b939
Turbo FTP Server 1.30.823 PORT Overflow
Posted Oct 22, 2012
Authored by corelanc0d3r, Lincoln, The Light Cosine, Zhao Liang | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in the PORT command in Turbo FTP Server versions 1.30.823 and 1.30.826, which results in remote code execution under the context of SYSTEM.

tags | exploit, remote, overflow, code execution
advisories | OSVDB-85887
MD5 | 27e9a65c70c079a0e79f716dceac7450
ComSndFTP 1.3.7 Beta USER Format String (Write4)
Posted Jun 14, 2012
Authored by Rick, corelanc0d3r, mr_me, ChaoYi Huang | Site metasploit.com

This Metasploit module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.

tags | exploit, arbitrary
MD5 | ad58b74e16513fde63bd760903b78714
Iconics GENESIS32 Integer Overflow
Posted Jul 19, 2011
Authored by Luigi Auriemma, corelanc0d3r, Lincoln | Site metasploit.com

Iconics GENESIS32 version 9.21.201.01 suffers from an integer overflow vulnerability. The GenBroker service on port 38080 is affected by three integer overflow vulnerabilities while handling opcode 0x4b0, which is caused by abusing the the memory allocations needed for the number of elements passed by the client. This results unexpected behaviors such as direct registry calls, memory location calls, or arbitrary remote code execution. Please note that in order to ensure reliability, this exploit will try to open calc (hidden), inject itself into the process, and then open up a shell session. Also, DEP bypass is supported.

tags | exploit, remote, overflow, arbitrary, shell, registry, vulnerability, code execution
MD5 | 598c01f621d3562c965ff0d9cbaa8d3c
HP OmniInet.exe Opcode 20 Buffer Overflow
Posted Jul 4, 2011
Authored by muts, Oren Isacson, corelanc0d3r, sinn3r, dookie2000ca | Site metasploit.com

This Metasploit module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is being written on the stack where no proper bounds checking is done beforehand, which results arbitrary code execution under the context of SYSTEM. This Metasploit module is also made against systems such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR enabled by default.

tags | exploit, overflow, arbitrary, code execution
systems | windows
advisories | CVE-2011-1865
MD5 | d5941ae7d6cb0b4259d0ff0fa19cc119
Magix Musik Maker 16 .mmm Stack Buffer Overflow
Posted May 23, 2011
Authored by corelanc0d3r, Acidgen | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Magix Musik Maker 16. When opening a specially crafted arrangement file (.mmm) in the application, an unsafe strcpy() will allow you to overwrite a SEH handler. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and might require up to several seconds to receive a shell.

tags | exploit, overflow, shell
systems | windows, 7
advisories | OSVDB-72455
MD5 | 570e91a977ec5caabe84bd083c0b5756
7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow
Posted May 16, 2011
Authored by Luigi Auriemma, corelanc0d3r, sinn3r, Lincoln | Site metasploit.com

This Metasploit module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow and allows to overwrite a structured exception handling record on the stack, allowing for unauthenticated remote code execution.

tags | exploit, remote, overflow, code execution
advisories | CVE-2011-1567
MD5 | 869f7bc482600120671a510bc7e91bee
MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow
Posted Apr 30, 2011
Authored by Rick, corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in one of these 2 applications, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows, 7
MD5 | 26923cb503840c5307da191b999e0d76
MJM Core Player 2011 .s3m Stack Buffer Overflow
Posted Apr 30, 2011
Authored by Rick, corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in MJM Core Player 2011 When opening a malicious s3m file in this applications, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows, 7
MD5 | 20bedf4e31c1f9ca93bc6df99db159c9
Wireshark 1.4.4 packet-dect.c Stack Buffer Overflow
Posted Apr 19, 2011
Authored by corelanc0d3r, sickness | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Wireshark versions 1.4.4 and below. When opening a malicious .pcap file in Wireshark, a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP and ASLR and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows, 7
advisories | CVE-2011-1591, OSVDB-71848
MD5 | a5deb27f59ac34243335eeaf00573514
VeryTools Video Spirit Pro 1.70 Buffer Overflow
Posted Apr 11, 2011
Authored by corelanc0d3r, Acidgen | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Video Spirit versions 1.70 and below. When opening a malicious project file (.visprj), a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP and ASLR, and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows, 7
MD5 | 87f690a7f1a3b500a38864a74c60abdb
Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow
Posted Dec 1, 2010
Authored by corelanc0d3r, m_101, anT!-Tr0J4n | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Xion Audio Player prior to version 1.0.126. The vulnerability is triggered when opening a malformed M3U file that contains an overly long string. This results in overwriting a structured exception handler record.

tags | exploit, overflow
advisories | OSVDB-66912
MD5 | 260a6f8d3ba6d2b1d95c2049368232ad
Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
Posted Nov 23, 2010
Authored by corelanc0d3r, jduck, dookie | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Foxit PDF Reader prior to version 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in the Title field. This results in overwriting a structured exception handler record. NOTE: This exploit does not use javascript.

tags | exploit, overflow, javascript
advisories | OSVDB-68648
MD5 | ae87625c4c8a4301cea89d9c18b81c0e
FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
Posted Oct 13, 2010
Authored by corelanc0d3r, ekse | Site metasploit.com

This Metasploit module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client. When processing the response on a PWD command, a stack based buffer overflow occurs. This leads to arbitrary code execution when a structured exception handler gets overwritten.

tags | exploit, overflow, arbitrary, code execution
MD5 | 05159f7eaab417a707df0a011415dff1
Seagull FTP v3.3 build 409 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r | Site metasploit.com

This Metasploit module exploits a buffer overflow in the Seagull FTP client that gets triggered when the ftp clients processes a response to a LIST command. If the response contains an overly long file/folder name, a buffer overflow occurs, overwriting a structured exception handler.

tags | exploit, overflow
MD5 | 406fa9bcd5fba7eba1deed5d494f5896
Gekko Manager FTP Client Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, nullthreat | Site metasploit.com

This Metasploit module exploits a buffer overflow in Gekko Manager ftp client, triggered when processing the response received after sending a LIST request. If this response contains a long filename, a buffer overflow occurs, overwriting a structured exception handler.

tags | exploit, overflow
MD5 | 02e0aed2a8aa844132b31cc0ab232f28
FTPPad 1.2.0 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is triggered when the client connects to a FTP server which sends an overly long directory and filename in response to a LIST command. This will cause an access violation, and will eventually overwrite the saved extended instruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/ sniper was needed to make this one work.

tags | exploit, overflow
MD5 | f4f16ccf5da3f8043e99d363a312db9c
Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
Posted Oct 13, 2010
Authored by Rick, corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Odin Secure FTP 4.1, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.

tags | exploit, overflow
MD5 | c0537ecf5cdaae1f550e28ce84cf31ac
FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, myne-us | Site metasploit.com

This Metasploit module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro version 4.0.73.274 The overflow gets triggered by sending an overly long filename to the client in response to a LIST command. The LIST command gets issued when doing a preview or when you have just created a new sync profile and allow the tool to see the differences. This will overwrite a structured exception handler and trigger an access violation.

tags | exploit, overflow
MD5 | e51716cc450e953d1d089f60b6908dd1
LeapFTP 3.0.1 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, nullthreat | Site metasploit.com

This Metasploit module exploits a buffer overflow in the LeapFTP 3.0.1 client. This issue is triggered when a file with a long name is downloaded/opened.

tags | exploit, overflow
MD5 | 52ad685e9604717b4e6bea5d45d5edca
FileWrangler 5.30 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, nullthreat | Site metasploit.com

This Metasploit module exploits a buffer overflow in the FileWrangler client that is triggered when the client connects to a FTP server and lists the directory contents, containing an overly long directory name.

tags | exploit, overflow
MD5 | 6b5439f8bffc01d5c4f8474201622a13
AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
Posted Oct 13, 2010
Authored by corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.

tags | exploit, overflow
MD5 | 28d4e6104c886d69c518aae35d4da6e9
Page 1 of 3
Back123Next

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    9 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close