This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.
e8d2e4d615be10d88bf8b20b6b549143A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM.
05dbcbf512b9be0da1b9ceddb93d860cPHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This Metasploit module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.
a8dc72e0680b992ed76e35257184f274A vulnerability existed in the PowerShellEmpire server prior to commit f030cf62 which would allow an arbitrary file to be written to an attacker controlled location with the permissions of the Empire server. This exploit will write the payload to /tmp/ directory followed by a cron.d file to execute the payload.
6dd255ac3b4ace7f8e1264d54a7d922bThis Metasploit module hosts an HTML Application (HTA) that when opened will run a payload via Powershell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed.
9e72e42af707da32ec75302dd82c4ae3This Metasploit module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This Metasploit module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.
52feb4363d45b4378ac8a66855db145fThis Metasploit module exploits the code injection flaw known as shellshock which leverages specially crafted environment variables in Bash. This exploit specifically targets Pure-FTPd when configured to use an external program for authentication.
1509d16ef5a69d2e95b0b3996782eef8A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process.
feb4824b786f7e7f8c1a0fb58ac6aae6This Metasploit module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This Metasploit module was created by reversing a public malware sample.
0173b4b676a7c4cce5d3669d25e38c2eThis Metasploit module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This Metasploit module has been tested successfully on Windows 7 SP0 and Windows 7 SP1.
5e3007d6712572a8e4850e4c1207fdc1This Metasploit module exploits a stack buffer overflow in the db_netserver process which is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.
c879e1e5716cef4a74c310721de2df60This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.
c51d5809d74feb050ba211d2afd1170eThis Metasploit module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer allowing the attacker to control where data is read from. Shortly, following the controlled read, the pointer is called resulting in code execution. The vulnerability exists with a group number extracted from the CNCT information, which is sent by the client, and whose size is not properly checked. This Metasploit module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phases stackpivot allows to execute the ROP chain which ultimately is used to execute VirtualAlloc and bypass DEP.
b878a92dd2801b8f41f16452649b8003This Metasploit module uses the Jenkins Groovy script console to execute OS commands using Java.
22bf8e9fc1f1498f73af67178f1aac14This Metasploit module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. In order to execute commands via the FTP service, please note that you must have a valid credential to the web-based administrative console.
f28d69c21e4ade38f76954d490bd4b09This Metasploit module exploits a flaw in the SurgeFTP server's web-based administrative console to execute arbitrary commands.
27837668ae567b3ace02e8d21d13e7aeThis Metasploit module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring it's own token to avoid causing system instability.
4bb673fc92283c6a680ddea5396dce74Termineter is a framework written in python to provide a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication. Currently supported are Meters using C12.19 with 7-bit character sets. Termineter communicates with Smart Meters via a connection using an ANSI type-2 optical probe with a serial interface.
2ea2025b17d9409ef543310269cad355This Metasploit module exploits a vulnerability in the XSL parser of the XSL Content Portlet. When Tomcat is present, arbitrary code can be executed via java calls in the data fed to the Xalan XSLT processor. If XSLPAGE is defined, the user must have rights to change the content of that page (to add a new XSL portlet), otherwise it can be left blank and a new one will be created. The second method however, requires administrative privileges.
6a8ea2e6b7c50e4cc43ad8970fee954eLifeSize Room versions 3.5.3 and 4.7.8 suffer from login bypass and OS command injection vulnerabilities.
576df6580e6ccdcee6937d91d185782dThis Metasploit module exploits a vulnerable resource in LifeSize Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize Room is an appliance and thus the environment is limited resulting in a small set of payload options.
0f8a47fbfc07dc58af4ab5cad63b947dSiteScape Forums suffers from a remote TCL injection vulnerability. SiteScape Enterprise Forums version 7 is affected. Other versions may also be affected. Both an advisory and exploit are included in this archive.
f095b2ea9f36383cabf5859e3f80a41e
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed