Showing 1 - 25 of 57

Files from corelanc0d3r

Email address: corelanc0d3r at gmail.com
First Active: 2009-07-28
Last Active: 2013-09-20
MS13-069 Microsoft Internet Explorer CCaret Use-After-Free
Posted Sep 20, 2013
Authored by corelanc0d3r, sinn3r | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret (text cursor) object. In IE's standards mode, the vulnerable state in the caret handling can be triggered by first setting up an editable page with an input field, and then forcing the caret to update in an onbeforeeditfocus event by setting the body's innerHTML property. In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write() call; however, mshtml!CCaret::UpdateScreenCaret remains unaware of this change and still uses the same reference to the CCaret object. When the function tries to use this invalid reference to call a virtual function at offset 0x2c, it finally results in a crash. Precise control of the freed object allows arbitrary code execution under the context of the user.

tags | exploit, arbitrary, code execution
advisories | CVE-2013-3205, OSVDB-97094
SHA-256 | ee4538ddb8dd6f77e4bd70d5e7a430e46f6d5d7ff97a0c2c23d04883b7fb837e
MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
Posted Sep 4, 2013
Authored by corelanc0d3r, sinn3r | Site metasploit.com

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll. For example, this Metasploit module can be used against version 9.0.8112.16446, but not against 9.0.8112.16421. IE 8 requires a different way to trigger the vulnerability, which is not currently covered by this module. The issue is specific to the browser's IE7 document compatibility mode, which can be defined in X-UA-Compatible, and the content editable mode must be enabled. An "onmove" event handler is also necessary to be able to trigger the bug, and the event will be run twice before the crash. The first time is due to the position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable' object is created during a "SelectAll" command; this object will be used later on for the crash. The second onmove event seems to be triggered by an InsertButton (or Insert-whatever) command, which is also responsible for freeing the CFlatMarkupPointer object during page rendering. The EnsureRecalcNotify() function will then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and passes this on to the next functions (GetLineInfo -> QIClassID). When this reference arrives in function QIClassID, an access violation finally occurs when the function tries to call QueryInterface() with the bad reference, and this results in a crash. Successful control of the freed memory may allow arbitrary code execution under the context of the user. Note: it is also possible to see a different object being freed and used; it does not always have to be CFlatMarkupPointer.

tags | exploit, arbitrary, code execution
advisories | CVE-2013-3184, OSVDB-96182
SHA-256 | c9fced33ed8b3ca4912bdf0536174294180b31d03023d16a997c87ccf960f2fd
ActFax 5.01 RAW Server Buffer Overflow
Posted Mar 26, 2013
Authored by corelanc0d3r, Craig Freyman, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server can be used to transfer fax messages without any underlying protocols. To note significant fields in the fax being transferred, like the fax number or the recipient, ActFax data fields can be used. This Metasploit module exploits a buffer overflow in the handling of the @F506 fields due to the insecure usage of strcpy. This Metasploit module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).

tags | exploit, overflow, protocol
systems | windows
advisories | OSVDB-89944
SHA-256 | d87e539151a571a848fa3efe35cc969a0ff60645c93035d902d039cfcf31fbc7
ActFax 5.01 RAW Server Buffer Overflow
Posted Feb 6, 2013
Authored by corelanc0d3r, Craig Freyman | Site metasploit.com

This Metasploit module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server can be used to transfer fax messages to the fax server without any underlying protocols. To note significant fields in the fax being transferred, like fax number and recipient, you can use ActFax data fields. @F506, @F605, and @F000 are all data fields that are vulnerable. This has been fixed in a beta version which will not be pushed to release until May 2013.

tags | exploit, protocol
SHA-256 | 4a69b08e3f25832796905f1a619e884a1be0ddff4a7741e5aa998ad429b5daae
Turbo FTP Server 1.30.823 PORT Overflow
Posted Oct 22, 2012
Authored by corelanc0d3r, Lincoln, The Light Cosine, Zhao Liang | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in the PORT command in Turbo FTP Server versions 1.30.823 and 1.30.826, which results in remote code execution under the context of SYSTEM.

tags | exploit, remote, overflow, code execution
advisories | OSVDB-85887
SHA-256 | abb8df5bd9e6fe13f397d60912333dbe638be84ba39c6009e9215a03bc909d53
ComSndFTP 1.3.7 Beta USER Format String (Write4)
Posted Jun 14, 2012
Authored by Rick, corelanc0d3r, mr_me, ChaoYi Huang | Site metasploit.com

This Metasploit module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses DEP and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.

tags | exploit, arbitrary
SHA-256 | 8ca8af4598071a83d2552f14b027f3fdb8f361c95b01bacf03d39857c306caea
Iconics GENESIS32 Integer Overflow
Posted Jul 19, 2011
Authored by Luigi Auriemma, corelanc0d3r, Lincoln | Site metasploit.com

Iconics GENESIS32 version 9.21.201.01 suffers from an integer overflow vulnerability. The GenBroker service on port 38080 is affected by three integer overflow vulnerabilities while handling opcode 0x4b0, caused by abusing the memory allocations needed for the number of elements passed by the client. This results in unexpected behaviors such as direct registry calls, memory location calls, or arbitrary remote code execution. Please note that in order to ensure reliability, this exploit will try to open calc (hidden), inject itself into the process, and then open up a shell session. DEP bypass is also supported.

tags | exploit, remote, overflow, arbitrary, shell, registry, vulnerability, code execution
SHA-256 | 7bae29e02d02057cc61741efd202ae99da696fffbf3d953322faa7fcd5294a22
HP OmniInet.exe Opcode 20 Buffer Overflow
Posted Jul 4, 2011
Authored by muts, Oren Isacson, corelanc0d3r, sinn3r, dookie2000ca | Site metasploit.com

This Metasploit module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is written to the stack without proper bounds checking beforehand, which results in arbitrary code execution under the context of SYSTEM. This Metasploit module is also built to work against systems such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR enabled by default.

tags | exploit, overflow, arbitrary, code execution
systems | windows
advisories | CVE-2011-1865
SHA-256 | c300d04fb3ea4183698f9badb47bedde5230f3414ad7738a1e1ab7d7e1be8221
Magix Musik Maker 16 .mmm Stack Buffer Overflow
Posted May 23, 2011
Authored by corelanc0d3r, Acidgen | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Magix Musik Maker 16. When opening a specially crafted arrangement file (.mmm) in the application, an unsafe strcpy() allows a SEH handler to be overwritten. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. An egghunter is used, so it might take up to several seconds to receive a shell.

tags | exploit, overflow, shell
systems | windows
advisories | OSVDB-72455
SHA-256 | 270a3316873b5bc88495642eac3f7de2a3221c8b7aa36519b966bed7c9dff806
7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow
Posted May 16, 2011
Authored by Luigi Auriemma, corelanc0d3r, sinn3r, Lincoln | Site metasploit.com

This Metasploit module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow that overwrites a structured exception handling record on the stack, allowing for unauthenticated remote code execution.

tags | exploit, remote, overflow, code execution
advisories | CVE-2011-1567
SHA-256 | d6e50055a18ef8053fcab8d3dbb3013cea1bef5f64706db8cc621234903f31fb
MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow
Posted Apr 30, 2011
Authored by Rick, corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in one of these 2 applications, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows
SHA-256 | 40169fda292d731fa83423db95f72a9157b704f1e0c735313549ab77c3e54b4e
MJM Core Player 2011 .s3m Stack Buffer Overflow
Posted Apr 30, 2011
Authored by Rick, corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in MJM Core Player 2011. When opening a malicious s3m file in this application, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows
SHA-256 | b34af7c1a1ed7cf2711905e10f913bce6d4781228c221060be316b6715a150a5
Wireshark 1.4.4 packet-dect.c Stack Buffer Overflow
Posted Apr 19, 2011
Authored by corelanc0d3r, sickness | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Wireshark versions 1.4.4 and below. When opening a malicious .pcap file in Wireshark, a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP and ASLR and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows
advisories | CVE-2011-1591, OSVDB-71848
SHA-256 | 8f106e8404d0b3f4126f6f01b343c0f70315188f1d02c21066e67ef03f0f07b9
VeryTools Video Spirit Pro 1.70 Buffer Overflow
Posted Apr 11, 2011
Authored by corelanc0d3r, Acidgen | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Video Spirit versions 1.70 and below. When opening a malicious project file (.visprj), a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP and ASLR, and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows
SHA-256 | 9e121784ade83adde0ab90ab8fb328d34f02896d4228c84517683929d42c0b44
Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow
Posted Dec 1, 2010
Authored by corelanc0d3r, m_101, anT!-Tr0J4n | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Xion Audio Player prior to version 1.0.126. The vulnerability is triggered when opening a malformed M3U file that contains an overly long string. This results in overwriting a structured exception handler record.

tags | exploit, overflow
advisories | OSVDB-66912
SHA-256 | b6618a2b52819051d42df306ace385517bd41863a129b2db684203c2451025e3
Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
Posted Nov 23, 2010
Authored by corelanc0d3r, jduck, dookie | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Foxit PDF Reader prior to version 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in the Title field. This results in overwriting a structured exception handler record. NOTE: This exploit does not use javascript.

tags | exploit, overflow, javascript
advisories | OSVDB-68648
SHA-256 | b07f351411d99f75f345a772bc24aa52c70ef746199fb1964b1d843455480d94
FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
Posted Oct 13, 2010
Authored by corelanc0d3r, ekse | Site metasploit.com

This Metasploit module exploits a buffer overflow in the FTPGetter Standard v3.55.0.05 FTP client. When processing the response to a PWD command, a stack-based buffer overflow occurs. This leads to arbitrary code execution when a structured exception handler gets overwritten.

tags | exploit, overflow, arbitrary, code execution
SHA-256 | 507a7c5e70085f277792ad74cc751f09fe88331f586a25388882a96cdbebbda9
Seagull FTP v3.3 build 409 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r | Site metasploit.com

This Metasploit module exploits a buffer overflow in the Seagull FTP client that gets triggered when the FTP client processes a response to a LIST command. If the response contains an overly long file/folder name, a buffer overflow occurs, overwriting a structured exception handler.

tags | exploit, overflow
SHA-256 | 9941cb1e0eab82770705bd52bcc11e247b265de2b6214cf38bf56899f9ca66c6
Gekko Manager FTP Client Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, nullthreat | Site metasploit.com

This Metasploit module exploits a buffer overflow in the Gekko Manager FTP client, triggered when processing the response received after sending a LIST request. If this response contains a long filename, a buffer overflow occurs, overwriting a structured exception handler.

tags | exploit, overflow
SHA-256 | 1e7f04091422e546c4e127b6c53345bff8d018725ad5fe1491c13b5f22f5072d
FTPPad 1.2.0 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the FTPPad 1.2.0 FTP client. The overflow is triggered when the client connects to an FTP server which sends an overly long directory and filename in response to a LIST command. This will cause an access violation, and will eventually overwrite the saved extended instruction pointer. The payload can be found at EDX+5c and ESI+5c, so a little pivot/sniper was needed to make this one work.

tags | exploit, overflow
SHA-256 | 864c13b0bca680072f94df1e362ce6bb00e5d2748d610e1cebd0c43a1709a476
Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
Posted Oct 13, 2010
Authored by Rick, corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Odin Secure FTP 4.1, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.

tags | exploit, overflow
SHA-256 | 8ecb75c11b4c62e6ce7b842e1892561eaa88009d5a9d93ecdf9fc5bde92a10b0
FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, myne-us | Site metasploit.com

This Metasploit module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro version 4.0.73.274. The overflow gets triggered by sending an overly long filename to the client in response to a LIST command. The LIST command gets issued when doing a preview or when you have just created a new sync profile and allow the tool to see the differences. This will overwrite a structured exception handler and trigger an access violation.

tags | exploit, overflow
SHA-256 | 78e1f3656a2efea50a4734c1a2d624b7be11f7525cd7f612e7e4f77465473ac0
LeapFTP 3.0.1 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, nullthreat | Site metasploit.com

This Metasploit module exploits a buffer overflow in the LeapFTP 3.0.1 client. This issue is triggered when a file with a long name is downloaded/opened.

tags | exploit, overflow
SHA-256 | f8abfdd204f0ed82b2f476dc9dc0ef13d8d0f1fd66773b87636bd55e7ccf5da4
FileWrangler 5.30 Stack Buffer Overflow
Posted Oct 13, 2010
Authored by corelanc0d3r, nullthreat | Site metasploit.com

This Metasploit module exploits a buffer overflow in the FileWrangler client that is triggered when the client connects to an FTP server and lists the directory contents, which contain an overly long directory name.

tags | exploit, overflow
SHA-256 | 95851d121dac72f5b67123647939012f5eb8f8288e71b4bf2e3aba8b78359ec8
AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
Posted Oct 13, 2010
Authored by corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.

tags | exploit, overflow
SHA-256 | 8b62f6ce5d0c462f21a4d8c332b770f40f0683dc9cebbc9d6a3825b998832d01
Page 1 of 3
© 2022 Packet Storm. All rights reserved.