
Files from Spencer McIntyre

Email address: smcintyre at securestate.com
First Active: 2011-01-12
Last Active: 2017-11-08

Microsoft Windows LNK File Code Execution
Posted Nov 8, 2017
Authored by Yorick Koster, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2015-0095, CVE-2017-8464
MD5 | e8d2e4d615be10d88bf8b20b6b549143
Razer Synapse rzpnk.sys ZwOpenProcess
Posted Jul 22, 2017
Authored by Spencer McIntyre | Site metasploit.com

A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM.

tags | exploit, web, arbitrary, shellcode
advisories | CVE-2017-9769
MD5 | 05dbcbf512b9be0da1b9ceddb93d860c
PHPMailer Sendmail Argument Injection
Posted Jan 4, 2017
Authored by Dawid Golunski, Spencer McIntyre | Site metasploit.com

PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This Metasploit module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.

tags | exploit, web, arbitrary, root
advisories | CVE-2016-10033, CVE-2016-10045
MD5 | a8dc72e0680b992ed76e35257184f274
PowerShellEmpire Arbitrary File Upload (Skywalker)
Posted Nov 18, 2016
Authored by Spencer McIntyre, Erik Daguerre | Site metasploit.com

A vulnerability existed in the PowerShellEmpire server prior to commit f030cf62 which would allow an arbitrary file to be written to an attacker-controlled location with the permissions of the Empire server. This exploit will write the payload to the /tmp/ directory, followed by a cron.d file to execute the payload.

tags | exploit, arbitrary
MD5 | 6dd255ac3b4ace7f8e1264d54a7d922b
HTA Web Server
Posted Oct 12, 2016
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module hosts an HTML Application (HTA) that when opened will run a payload via PowerShell. When a user navigates to the HTA file, they will be prompted by IE twice before the payload is executed.

tags | exploit
MD5 | 9e72e42af707da32ec75302dd82c4ae3
Windows TrackPopupMenu Win32k NULL Pointer Dereference
Posted Oct 28, 2014
Authored by Spencer McIntyre, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a NULL pointer dereference in win32k.sys. The vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This Metasploit module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32-bit, and also on Windows 7 SP1 and Windows 2008 R2 SP1 64-bit.

tags | exploit, arbitrary, code execution
systems | windows, xp, 7
advisories | CVE-2014-4113
MD5 | 52feb4363d45b4378ac8a66855db145f
Pure-FTPd External Authentication Bash Environment Variable Code Injection
Posted Oct 2, 2014
Authored by Frank Denis, Spencer McIntyre, Stephane Chazelas | Site metasploit.com

This Metasploit module exploits the code injection flaw known as Shellshock, which leverages specially crafted environment variables in Bash. This exploit specifically targets Pure-FTPd when configured to use an external program for authentication.

tags | exploit, bash
advisories | CVE-2014-6271
MD5 | 1509d16ef5a69d2e95b0b3996782eef8
MQAC.sys Arbitrary Write Privilege Escalation
Posted Jul 25, 2014
Authored by Spencer McIntyre, Matt Bergin | Site metasploit.com

A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process.

tags | exploit, arbitrary, kernel
advisories | CVE-2014-4971
MD5 | feb4824b786f7e7f8c1a0fb58ac6aae6
MS14-017 Microsoft Word RTF Object Confusion
Posted Apr 9, 2014
Authored by Haifei Li, Spencer McIntyre | Site metasploit.com

This Metasploit module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This Metasploit module was created by reversing a public malware sample.

tags | exploit, code execution
advisories | CVE-2014-1761
MD5 | 0173b4b676a7c4cce5d3669d25e38c2e
Windows TrackPopupMenuEx Win32k NULL Page
Posted Feb 11, 2014
Authored by Spencer McIntyre, Dan Zentner, Seth Gibson, Matias Soler | Site metasploit.com

This Metasploit module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This Metasploit module has been tested successfully on Windows 7 SP0 and Windows 7 SP1.

tags | exploit
systems | windows, 7
advisories | CVE-2013-3881, OSVDB-98212
MD5 | 5e3007d6712572a8e4850e4c1207fdc1
Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow
Posted May 31, 2013
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the db_netserver process which is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.

tags | exploit, overflow
advisories | CVE-2013-3563
MD5 | c879e1e5716cef4a74c310721de2df60
SSH User Code Execution
Posted May 15, 2013
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.

tags | exploit, shell
advisories | CVE-1999-0502
MD5 | c51d5809d74feb050ba211d2afd1170e
Firebird Relational Database CNCT Group Number Buffer Overflow
Posted Mar 8, 2013
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer, allowing the attacker to control where data is read from. Shortly after the controlled read, the pointer is called, resulting in code execution. The vulnerability exists with a group number extracted from the CNCT information, which is sent by the client, and whose size is not properly checked. This Metasploit module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows execution of the ROP chain, which is ultimately used to execute VirtualAlloc and bypass DEP.

tags | exploit, code execution
advisories | CVE-2013-2492
MD5 | b878a92dd2801b8f41f16452649b8003
Jenkins Script-Console Java Execution
Posted Jan 19, 2013
Authored by Spencer McIntyre, jamcut | Site metasploit.com

This Metasploit module uses the Jenkins Groovy script console to execute OS commands using Java.

tags | exploit, java
MD5 | 22bf8e9fc1f1498f73af67178f1aac14
Netwin SurgeFTP Remote Command Execution
Posted Dec 24, 2012
Authored by sinn3r, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. In order to execute commands via the FTP service, please note that you must have a valid credential to the web-based administrative console.

tags | exploit, web
MD5 | f28d69c21e4ade38f76954d490bd4b09
SurgeFTP Remote Command Execution
Posted Dec 20, 2012
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a flaw in the SurgeFTP server's web-based administrative console to execute arbitrary commands.

tags | exploit, web, arbitrary
MD5 | 27837668ae567b3ace02e8d21d13e7ae
MS11-080 AfdJoinLeaf Privilege Escalation
Posted Oct 3, 2012
Authored by Matteo Memelli, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.

tags | exploit, kernel, shellcode
advisories | CVE-2011-2005
MD5 | 4bb673fc92283c6a680ddea5396dce74
Termineter 0.1.0
Posted Jul 24, 2012
Authored by Spencer McIntyre | Site code.google.com

Termineter is a framework written in Python to provide a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication. Currently supported are meters using C12.19 with 7-bit character sets. Termineter communicates with smart meters via a connection using an ANSI type-2 optical probe with a serial interface.

tags | tool, protocol, python
systems | unix
MD5 | 2ea2025b17d9409ef543310269cad355
Liferay XSL Command Execution
Posted Apr 7, 2012
Authored by Nicolas Gregoire, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in the XSL parser of the XSL Content Portlet. When Tomcat is present, arbitrary code can be executed via Java calls in the data fed to the Xalan XSLT processor. If XSLPAGE is defined, the user must have rights to change the content of that page (to add a new XSL portlet); otherwise it can be left blank and a new one will be created. The second method, however, requires administrative privileges.

tags | exploit, java, arbitrary
advisories | CVE-2011-1571, OSVDB-73652
MD5 | 6a8ea2e6b7c50e4cc43ad8970fee954e
LifeSize Room 3.5.3 / 4.7.18 Bypass / Command Injection
Posted Aug 28, 2011
Authored by Spencer McIntyre | Site securestate.com

LifeSize Room versions 3.5.3 and 4.7.8 suffer from login bypass and OS command injection vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2011-2762, CVE-2011-2763
MD5 | 576df6580e6ccdcee6937d91d185782d
LifeSize Room 3.5.3 / 4.7.18 Command Injection
Posted Aug 28, 2011
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerable resource in LifeSize Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize Room is an appliance, and thus the environment is limited, resulting in a small set of payload options.

tags | exploit
advisories | CVE-2011-2763
MD5 | 0f8a47fbfc07dc58af4ab5cad63b947d
SiteScape Forums TCL Injection
Posted Jan 12, 2011
Authored by Spencer McIntyre | Site securestate.com

SiteScape Forums suffers from a remote TCL injection vulnerability. SiteScape Enterprise Forums version 7 is affected. Other versions may also be affected. Both an advisory and exploit are included in this archive.

tags | exploit, remote
systems | linux
advisories | CVE-2007-6515
MD5 | f095b2ea9f36383cabf5859e3f80a41e