This Metasploit module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers 16.x and below or for build numbers below 6985. The vulnerable versions and builds expose three .NET remoting endpoints on port 17001, namely /Servers, /Mail and /Spool. For example, a typical installation of SmarterMail Build 6970 will have the /Servers endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where serialized .NET commands can be sent through a TCP socket connection. The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user under the context of the SYSTEM account. Successful exploitation results in full administrative control of the target server under the NT AUTHORITY\SYSTEM account. This vulnerability was patched in Build 6985, where port 17001 is no longer publicly accessible, although it remains accessible locally at 127.0.0.1:17001. Hence, it still provides a privilege escalation vector if the server is compromised as a low-privileged user.
c00513d64b0afbcf82cfd8c3569e9b9bd32c506402e79960d11808c409ea5c44
This Metasploit module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange PowerShell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.
52e94b2539eeb923ed6dfcf33bf21788d037db18208e166670e34916d20844dd
Microsoft SharePoint Server 2019 remote code execution exploit.
46e9d1239eeb594d08bb2032164a87b9a5b13bfc22da02cdddd6ca552f3b5850
SmarterMail build version 6985 suffers from a remote code execution vulnerability.
03a34ec5b65f814667108d5769e315ba381562b01bceb44b9f6931123cc94443
A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker to execute code within the context of the SharePoint application service. The privileges in this execution context are determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered from a page that initializes either the ContactLinksSuggestionsMicroView type or a derivative of it. In a default configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.
34f2633fdb04b0ab14dd5a0aedaf3e5d3b9e387d4d8619fbdd31dabb809602b6
This Metasploit module exploits a vulnerability within SharePoint and its .NET backend that allows an attacker to execute commands using specially crafted XOML data sent to SharePoint via the Workflows functionality.
583c7dc9e2c88b3f3622ee79ae7bc09a2e63d8641d172496c3143a024bc22425
A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server.
6a7a492f2dc70d4a79f4f4220d5e1a617458fbab09046134c7b6d7f120a2b5aa
TechSmith Camtasia versions 7 and 8 suffer from a cross site scripting vulnerability.
0da3668d93c5d907fcfe6b8abc0ab9b5251abb5997b3d5d0d8042ce947378c29
This Metasploit module exploits a use-after-free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to free the object's memory early. Later use of the object triggers the use-after-free condition. This Metasploit module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order to exploit Adobe Reader 9, the fileformat version of the exploit can be used.
138b5061095c157ac1ee1b8954ca08cb7b70e4dd78274f3ac703d12404ff91b1
This Metasploit module exploits a use-after-free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to free the object's memory early. Later use of the object triggers the use-after-free condition. This Metasploit module has been tested successfully on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in November 2013.
d0dbf161cbc3db6f711c5aade3b3b43f7a5e9f4d7399cf1ba132b40664e9a097
Gleamtech FileVista / FileUltimate version 4.6 suffers from a directory traversal vulnerability.
109f5ca5f5be84fd82191d8a0fbff91cbb160e954b6e4083b398af37397fc8ba
FCKEditor version 2.6.8 ASP version suffers from a file upload protection bypass.
139ccad597b02f049b3b2b0129bd2dd23c86df34ebff98c04ada72b76409a1d8
CK Finder version 2.3 and FCKEditor version 2.6.8 allow uploads of malicious SWF files that can enable cross site scripting attacks.
d82a591cc39f84f739a5883f7788b375ddde2f6568df00ff6cbe8a116ba4e460
Microsoft IIS suffers from a short file/folder name disclosure vulnerability when handling tilde characters. The .NET framework may also suffer from a denial of service condition relating to the handling of tilde characters. Proof of concept scanner included.
ac7e17676655fc32991058e316c32da4c4a71a9100a0f1c88e9530581b4638c8
Bugzilla Security Advisory - Bugzilla versions 3.5.3 to 3.6.8, 3.7.1 to 4.0.5, and 4.1.1 to 4.2 suffer from an authorized access vulnerability. Bugzilla versions 2.17.4 to 3.6.8, 3.7.1 to 4.0.5, and 4.1.1 to 4.2 suffer from a cross site scripting vulnerability.
cd5bcb16d9fc77f836d09c3e0255fb95fd2cfe29cc6147822f65c77d60475b15
This is a proof of concept denial of service exploit for Adobe Reader / Acrobat 10.0.1.
f4707181a5488c9a9c04dd3216eef79a7d475b24d554758aac8d2f6d346f71c2
Douran Portal version 3.9.7.8 suffers from a file download / source code disclosure vulnerability.
05de5c3083ad1234fda02cbcc818d3263aeb88c4dea387ee5fc84d20f85ef3f7
IIS 5 suffers from an authentication bypass vulnerability.
37ea748726abfdcf90c5f620168c130aaee2fc345aa57be4c08c7f6c6dc47a6a
Whitepaper called Cross Site URL Hijacking by using Error Object in Mozilla Firefox.
993115eaca328415779f0ad41ec21241e1acdc72bd095710c3cc2939a0d118f5
Whitepaper called Improve File Uploaders' Protections. It focuses on Windows-based web applications.
803f2abcacda9201f41388593ce11f07255874a6d23932ff67d843faf023b0fe
Whitepaper called Finding vulnerabilities in YaFtp version 1.0.14.
df7b6114136d60935a464739865eac6e7866ddee528d58b47d356fb5c6881b15
Microsoft IIS servers suffer from a semi-colon bug where any file can be executed as an Active Server Page.
443f3fbb36e323e5d66ae72c42458f7d1d061375232ceaaa360f5e395e9bc143
Whitepaper called ASP and JSP security. Written in Persian.
9f0786137b295e197529b0f6c2c803c2290fb6965060132823b5ad6518989140
The Web Application Security Consortium Glossary. Written in Persian.
9036a7e9a5f9f88b2d3cf365665a8b639cffe135d76365a82735b41f7a1eb967
Hosting Controller version 6.1 Hotfix (versions 3.2 and below) suffers from flaws that allow an attacker to gain reseller privileges and administrative privileges.
c29498cc33bfddaabd14004ef369823d808759f1e695df756330be008e94b882