This Metasploit module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance. The first is an authentication bypass vulnerability via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). The second is a cmd injection flaw using the timezone parameter in the admin_sys_time.cgi interface (CVE-2016-7547).
035399021ac947492b961a04ac25a5a12f67bebc47e9858ba91b9e72dfccdc17This Metasploit module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side using an eval. Note that the code uses a '\x2f' character so that we hit the match on the regex.
ee20d372ed0f1e30bd8d9b8a767eee792e35e7aba086370b04a670a286abf66eThis is an exploit against Samsung Security Manager that bypasses the patch in CVE-2015-3435 by exploiting the vulnerability against the client side. This exploit has been tested successfully against IE, FireFox and Chrome by abusing a GET request XSS to bypass CORS and reach the vulnerable PUT. Finally, a traversal is used in the PUT request to upload the code just where we want it and gain Remote Code Execution as SYSTEM.
73f23908956d6ea94bcc26b81f8a3497f76a508c71653023ffa4e3ff18b4779eDell SonicWall Scrutinizer versions 11.0.1 and below setUserSkin/deleteTab SQL injection / remote code execution exploit that leverages a vulnerability found by Brandon Perry in July of 2014.
6dc759bc14a238d30a49e98bea0afabd99f1ed4bda69fec060f0fc09e8cf5e1aThis Metasploit module exploits a directory traversal vulnerability in ATutor on an Apache/PHP setup with display_errors set to On, which can be used to allow us to upload a malicious ZIP file. On the web application, a blacklist verification is performed before extraction, however it is not sufficient to prevent exploitation. You are required to login to the target to reach the vulnerability, however this can be done as a student account and remote registration is enabled by default. Just in case remote registration isn't enabled, this module uses 2 vulnerabilities in order to bypass the authentication.
785e70dc713dbe9859a24caed94df37a4548874034fcd9af2cb5fcfe2e29d3b8Cogent Datahub versions 7.3.9 and below suffer from a gamma script elevation of privilege vulnerability.
2ae65153dc3e6b35a12d5c12ec5b362b36f6d464768f9bdd2c17bc2d18c1e488ATutor LMS versions 2.2.1 and below cross site request forgery remote code execution exploit that leverages install_modules.php.
a2979fb7ec37494a903eb30ee43ad91332dca8b48a2bc6b4adfe613fa9fc6001This Metasploit module exploits a SQL Injection vulnerability and an authentication weakness vulnerability in ATutor. This essentially means an attacker can bypass authentication and reach the administrators interface where they can upload malicious code. You are required to login to the target to reach the SQL Injection, however this can be done as a student account and remote registration is enabled by default.
a6c389a060af6250a11b90dc368c3767a38101c233bf56de262525913aae7d39This Metasploit module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM.
0dd4b2592fada413038b4c9f336ee7ca63693bbb79a1842a8646d6ac30bff4dfThis Metasploit module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM. Authentication is not required to exploit this vulnerability.
2ffb837bd56e22b7a4670bff61370cd18bac27e5c719ed050224b17709ad6f2eThis Metasploit module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager 6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set the 'username' attribute before authentication. The second problem is that the settings-new.jsp file will only check the 'username' attribute before authorizing the 'uploadFile' action, which can be exploited and allows the attacker to upload a fake xls host list file to the server, and results in arbitrary code execution under the context of SYSTEM. Depending on the installation, by default the Change Advisor web server is listening on port 48080 for an express install. Otherwise, this service may appear on port 8080. Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip. You may download it from the module's References section.
2317dc92c6f139454e3f1f332df164d1f95a0522a4c134a535971f37a15fb0d2This Metasploit module exploits a stack-based buffer overflow vulnerability in versions 4.3.2.0 and below of Irfanview's JPEG2000.dll plugin. This exploit has been tested on a specific version of irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways. The user can double click the file, use the file dialog, open via the icon and drag/drop the file into Irfanview\'s window. An egg hunter is used for stability.
c5cce711dbd4abe77f358a5360b9fd21367c38e3811ab24c191fb5a02cb79609This Metasploit module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against Korean based organizations. Specifically, this issue occurs when indexing an array using an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and is very reliable.
e26bbead67100b455a3fddb8cfcf7df0baddef6b4fbc68f4cc261a2c4dea9972Useresponse versions 1.0.2 and below suffer from a backdoor account, cross site request forgery, and code execution vulnerabilities. Full exploit provided.
1e595bde09d53da1af5b8c9a1f80c9232d1dcaea0fb89a038ec47ceab924e6c0XM Easy Personal FTP Server version 5.30 and below remote format string write4 exploit with a connect back shell.
1c58ef6dea83e7940848c6463d66d3113944a2871d92175d52108a30c4cb9927This Metasploit module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.
8ca8af4598071a83d2552f14b027f3fdb8f361c95b01bacf03d39857c306caeaThis Metasploit module exploits an arbitrary code injection vulnerability in the chat module that is part of Active Collab by abusing a preg_replace() using the /e modifier and its replacement string using double quotes. The vulnerable function can be found in activecollab/application/modules/chat/functions/html_to_text.php.
dc407149c6ca0f8de287ff88144c5d975efe9da8376d1ec83d0a3d2bd4d18f90This Metasploit module exploits a stack buffer overflow in CyberLink Power2Go version 8.x. The vulnerability is triggered when opening a malformed p2g file containing an overly long string in the 'name' attribute of the file element. This results in overwriting a structured exception handler record.
130e60095a57a3b069f09bfa02ddc5fe4743b86427ffcaf33f1f4cc77609b845This Metasploit module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The activeX component loads into memory without opting into ALSR so this module exploits the vulnerability against windows Vista and Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX points to part of the ROP chain in a heap chunk and the calculated call will hit the pivot in a separate heap chunk. This will take some time in the users browser.
d1cef6f9fc00e9c87f66184e541a23b487e22d0bf005602e5a91c795be80bb5eOpen Conference Systems versions 2.3.4 and below, Open Journal Systems version 2.3.6 and below and Open Harvester Systems versions 2.3.1 and below remote code execution exploit.
c8514bceee7ade59cbec79ac89af4009e9637eb3d5dcbf7b21c50429755f0ec6Docebo LMS versions 4.0.4 and below suffer from remote SQL injection and code execution vulnerabilities.
e46315812d5b95c6f37a97b202851f6750bba6797235113fb00891f28b0a59b7This Metasploit module exploits an arbitrary command execution vulnerability in Family Connections 2.7.1. It's in the dev/less.php script and is due to an insecure use of system(). Authentication isn't required to exploit the vulnerability but register_globals must be set to On.
492a4aefa4e8a2833c0cb853cbcf7fa99c103169dba1753b92cc4b086ece66f4Family Connections CMS versions 2.5.0 through 2.7.1 remote command execution exploit.
7b902ce4491808e2e279cc0d6b557601481e9eaed0d3dcfb191a415b83f32004Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows remote attackers to execute arbitrary code via a long strFontName parameter to the DrawText method. The victim will first be required to trust the publisher Viscom Software. This Metasploit module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.
902c4d348e0eb89f02c1aff016e36bb2f309e424dad941285a19cf704212a739This Metasploit module exploits a stack based buffer overflow in the Active control file ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles() method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. The victim will first be required to trust the publisher Viscom Software. This Metasploit module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.
ff98b933de5295139e90a1985be85c50e19987cebb121f5874c995e6d229d3ee
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed