what you don't know can hurt you
Showing 51 - 75 of 173 RSS Feed

Files from sinn3r

Email addressx90.sinner at gmail.com
First Active2009-12-13
Last Active2019-05-01
Java Applet JMX Remote Code Execution
Posted Jan 11, 2013
Authored by unknown, egypt, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2013-0422
MD5 | 30886a5fe5a8c62f2f65b5d9af2cfd89
Microsoft Internet Explorer Option Element Use-After-Free
Posted Jan 10, 2013
Authored by Ivan Fratric, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user.

tags | exploit, javascript, code execution
advisories | CVE-2011-1996
MD5 | e7e7b307610f2a1afc6c8cf5ccac5a68
Microsoft Internet Explorer CButton Object Use-After-Free
Posted Jan 2, 2013
Authored by Eric Romang, sinn3r, juan vazquez, mahmud ab rahman | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

tags | exploit, arbitrary, code execution
advisories | CVE-2012-4792
MD5 | 96b9a317ae17d4372b4bc3e0e39e9edf
Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free
Posted Dec 31, 2012
Authored by Eric Romang, sinn3r, juan vazquez, mahmud ab rahman | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

tags | exploit, arbitrary, code execution
advisories | CVE-2012-4792
MD5 | ded95fac262cac303634ac39e4211d5a
Netwin SurgeFTP Remote Command Execution
Posted Dec 24, 2012
Authored by sinn3r, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. In order to execute commands via the FTP service, please note that you must have a valid credential to the web-based administrative console.

tags | exploit, web
MD5 | f28d69c21e4ade38f76954d490bd4b09
Nagios XI Network Monitor Graph Explorer Component Command Injection
Posted Dec 9, 2012
Authored by sinn3r, Daniel Compton | Site metasploit.com

This Metasploit module exploits a vulnerability found in Nagios XI Network Monitor's component 'Graph Explorer'. An authenticated user can execute system commands by injecting it in several parameters, such as in visApi.php's 'host' parameter, which results in remote code execution.

tags | exploit, remote, php, code execution
advisories | OSVDB-83552
MD5 | 4dba1eaf8d7ba8ab035861a5c902e0d3
FreeFloat FTP Server Arbitrary File Upload
Posted Dec 8, 2012
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses multiple issues in FreeFloat: 1. No credential is actually needed to login; 2. User's default path is in C:\, and this cannot be changed; 3. User can write to anywhere on the server's file system. As a result of these poor implementations, a malicious user can just log in and then upload files, and let WMI (Management Instrumentation service) to execute the payload uploaded.

tags | exploit
MD5 | b7e78216f85d094b2c82750eb517f640
Maxthon3 about:history XCS Trusted Zone Code Execution
Posted Dec 8, 2012
Authored by Roberto Suggi Liverani, sinn3r, juan vazquez | Site metasploit.com

Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection in such privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. Please note this module only works against specific versions of XCS. Currently, we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.

tags | exploit, arbitrary
MD5 | 9adb9c84757f7aa512c1c9c9fecd2adc
Splunk 5.0 Custom App Remote Code Execution
Posted Dec 8, 2012
Authored by sinn3r, juan vazquez, [at]marcwickenden | Site metasploit.com

This Metasploit module exploits a feature of Splunk whereby a custom application can be uploaded through the web based interface. Through the 'script' search command a user can call commands defined in their custom application which includes arbitrary perl or python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. This Metasploit module has only been tested successfully against Splunk 5.0.

tags | exploit, web, arbitrary, root, perl, python
systems | linux, windows
MD5 | 66d1782d500464f50d0470fe9f4bb37a
Oracle MySQL For Microsoft Windows MOF Execution
Posted Dec 7, 2012
Authored by Kingcope, sinn3r | Site metasploit.com

This Metasploit modules takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers (due to the use of a .mof file). This may result in arbitrary code execution under the context of SYSTEM. However, please note in order to use this module, you must have a valid MySQL account on the target machine.

tags | exploit, arbitrary, code execution
systems | windows
advisories | CVE-2012-5613
MD5 | b018f0d01c159599ccc86e730647c227
Tectia SSH USERAUTH Change Request Password Reset
Posted Dec 5, 2012
Authored by Kingcope, sinn3r, bperry | Site metasploit.com

This Metasploit module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request before password authentication, allowing any remote user to bypass the login routine, and then gain access as root.

tags | exploit, remote, root
systems | unix
MD5 | 99b842280fc8ec78e6d006aec1abdf3a
BlazeVideo HDTV Player Pro 6.6 Filename Handling
Posted Nov 30, 2012
Authored by sinn3r, b33f | Site metasploit.com

This Metasploit module exploits a vulnerability found in BlazeVideo HDTV Player's filename handling routine. When supplying a string of input data embedded in a .plf file, the MediaPlayerCtrl.dll component will try to extract a filename by using PathFindFileNameA(), and then copies whatever the return value is on the stack by using an inline strcpy. As a result, if this input data is long enough, it can cause a stack-based buffer overflow, which may lead to arbitrary code execution under the context of the user.

tags | exploit, overflow, arbitrary, code execution
advisories | OSVDB-80896
MD5 | 18479af99cd876aea7ca8d3a6f0c35fb
Network Shutdown Module 3.21 Remote PHP Code Injection
Posted Nov 29, 2012
Authored by sinn3r, h0ng10 | Site metasploit.com

This Metasploit module exploits a vulnerability in lib/dbtools.inc which uses unsanitized user input inside a eval() call. Additionally the base64 encoded user credentials are extracted from the database of the application. Please note that in order to be able to steal credentials, the vulnerable service must have at least one USV module (an entry in the "nodes" table in mgedb.db).

tags | exploit
advisories | OSVDB-83199
MD5 | b9d7c9e575b61b01ae81c51b7ed1e571
Narcissus Image Configuration Passthru
Posted Nov 21, 2012
Authored by dun, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in Narcissus image configuration function. This is due to the backend.php file not handling the $release parameter properly, and then passes it on to the configure_image() function. In this function, the $release parameter can be used to inject system commands for passthru (a PHP function that's meant to be used to run a bash script by the vulnerable application), which allows remote code execution under the context of the web server.

tags | exploit, remote, web, php, code execution, bash
MD5 | 7e5ccde71d249ff814c86c697a3cde11
Invision IP.Board 3.3.4 unserialize() PHP Code Execution
Posted Nov 13, 2012
Authored by EgiX, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a php unserialize() vulnerability in Invision IP.Board versions 3.3.4 and below which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the '/admin/sources/base/core.php' script, which is called with user controlled data from the cookie. The exploit abuses the __destruct() method from the dbMain class to write arbitrary PHP code to a file on the Invision IP.Board web directory. The exploit has been tested successfully on Invision IP.Board 3.3.4.

tags | exploit, web, arbitrary, php
advisories | CVE-2012-5692, OSVDB-86702
MD5 | ffe6e26c45e6ffa78cb248d5a282a6c0
HP Intelligent Management Center UAM Buffer Overflow
Posted Nov 2, 2012
Authored by sinn3r, juan vazquez, e6af8de8b1d4b2b6d5ba2610cbf9cd38 | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in HP Intelligent Management Center UAM. The vulnerability exists in the uam.exe component, when using sprint in a insecure way for logging purposes. The vulnerability can be triggered by sending a malformed packet to the 1811/UDP port. The module has been successfully tested on HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, udp
systems | windows
advisories | OSVDB-85060
MD5 | 7daae12cf2d7c7344af342c83cabee66
Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow
Posted Nov 1, 2012
Authored by shinnai, sinn3r, b33f, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Aladdin Knowledge System's ActiveX component. By supplying a long string of data to the ChooseFilePath() function, a buffer overflow occurs, which may result in remote code execution under the context of the user.

tags | exploit, remote, overflow, code execution, activex
advisories | OSVDB-86723
MD5 | 40789844caa3e2d6a9f865696f2155f6
ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection
Posted Oct 28, 2012
Authored by egypt, sinn3r, xistence | Site metasploit.com

This Metasploit module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page, which results in remote code execution under the context of SYSTEM in Windows; or as the user in Linux. Authentication is not required in order to exploit this vulnerability.

tags | exploit, remote, code execution, sql injection
systems | linux, windows
MD5 | d3ae3405d31d907b6c62f95cb8355fee
AjaXplorer checkInstall.php Remote Command Execution
Posted Oct 15, 2012
Authored by David Maciejak, Julien CAYSSOL, sinn3r | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in the AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to 2.6 are vulnerable.

tags | exploit, arbitrary, php
advisories | OSVDB-63552
MD5 | 6d3a49567c90e421e8c55b2b705e2420
Project Pier Arbitrary File Upload
Posted Oct 12, 2012
Authored by BlackHawk, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in Project Pier. The application's uploading tool does not require any authentication, which allows a malicious user to upload an arbitrary file onto the web server, and then cause remote code execution by simply requesting it. This Metasploit module is known to work against Apache servers due to the way it handles an extension name, but the vulnerability may not be exploitable on others.

tags | exploit, remote, web, arbitrary, code execution
advisories | OSVDB-85881
MD5 | 01e3503737951dd2701001ba7f862b15
PhpTax pfilez Parameter Exec Remote Code Injection
Posted Oct 8, 2012
Authored by sinn3r, Jean Pascal Pereira | Site metasploit.com

This Metasploit module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in a exec() statement, and then results in arbitrary remote code execution under the context of the web server. Please note: authentication is not required to exploit this vulnerability.

tags | exploit, remote, web, arbitrary, php, code execution
MD5 | 67557b07d0a3a9a2681bb5d846b2a463
Samba SetInformationPolicy AuditEventsInfo Heap Overflow
Posted Sep 28, 2012
Authored by unknown, Blasty, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module triggers a vulnerability in the LSA RPC service of the Samba daemon because of an error on the PIDL auto-generated code. Making a specially crafted call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to trigger a heap overflow and finally execute arbitrary code with root privileges. The module uses brute force to guess the system() address and redirect flow there in order to bypass NX. The start and stop addresses for brute forcing have been calculated empirically. On the other hand the module provides the StartBrute and StopBrute which allow the user to configure his own addresses.

tags | exploit, overflow, arbitrary, root
advisories | CVE-2012-1182, OSVDB-81303
MD5 | 9fe748ff6a579ca40cd64088d23c1d29
Auxilium RateMyPet Arbitrary File Upload
Posted Sep 25, 2012
Authored by sinn3r, DaOne | Site metasploit.com

This Metasploit module exploits a vulnerability found in Auxilium RateMyPet's. The site banner uploading feature can be abused to upload an arbitrary file to the web server, which is accessible in the 'banner' directory, thus allowing remote code execution.

tags | exploit, remote, web, arbitrary, code execution
advisories | OSVDB-85554
MD5 | c54aeab74b620d49edfe685af84c9397
Microsoft Internet Explorer execCommand Use-After-Free
Posted Sep 17, 2012
Authored by Eric Romang, sinn3r, juan vazquez, binjo | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.

tags | exploit
advisories | OSVDB-85532
MD5 | 377c4b7a481946f0167f08116e969e05
Oracle BTM FlashTunnelService Remote Code Execution
Posted Sep 15, 2012
Authored by rgod, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits abuses the FlashTunnelService SOAP web service on Oracle Business Transaction Management 12.1.0.7 to upload arbitrary files, without authentication, using the WriteToFile method. The same method contains a directory traversal vulnerability, which allows to upload the files to arbitrary locations. In order to execute remote code two techniques are provided. If the Oracle app has been deployed in the same WebLogic Samples Domain a JSP can be uploaded to the web root. If a new Domain has been used to deploy the Oracle application, the Windows Management Instrumentation service can be used to execute arbitrary code. Both techniques has been successfully tested on default installs of Oracle BTM 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. Default path traversal depths are provided, but the user can configure the traversal depth using the DEPTH option.

tags | exploit, remote, web, arbitrary, root
systems | windows
advisories | OSVDB-85087
MD5 | d44ccc8262b6ee1b99a8b92df7a65c36
Page 3 of 7
Back12345Next

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close