This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar, except that an additional SpecialFolderDataBlock is included. The folder ID in this SpecialFolderDataBlock is set to the Control Panel, which is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.
A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM.
PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This Metasploit module writes a payload to the web root of the webserver and then executes it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory, and successful exploitation can take a few minutes.
A vulnerability existed in the PowerShellEmpire server prior to commit f030cf62 which would allow an arbitrary file to be written to an attacker controlled location with the permissions of the Empire server. This exploit will write the payload to /tmp/ directory followed by a cron.d file to execute the payload.
This Metasploit module hosts an HTML Application (HTA) that, when opened, will run a payload via PowerShell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed.
This Metasploit module exploits a NULL pointer dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused in xxxSendMessageTimeout to achieve arbitrary code execution. This Metasploit module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32-bit, as well as on Windows 7 SP1 and Windows 2008 R2 SP1 64-bit.
This Metasploit module exploits the code injection flaw known as shellshock which leverages specially crafted environment variables in Bash. This exploit specifically targets Pure-FTPd when configured to use an external program for authentication.
A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process.
This Metasploit module creates a malicious RTF file that, when opened in vulnerable versions of Microsoft Word, will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This Metasploit module was created by reversing a public malware sample.
This Metasploit module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This Metasploit module has been tested successfully on Windows 7 SP0 and Windows 7 SP1.
This Metasploit module exploits a stack buffer overflow in the db_netserver process which is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.
This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.
This Metasploit module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer, allowing the attacker to control where data is read from. Shortly after the controlled read, the pointer is called, resulting in code execution. The vulnerability exists in a group number extracted from the CNCT information, which is sent by the client and whose size is not properly checked. This Metasploit module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows the ROP chain to execute, which is ultimately used to call VirtualAlloc and bypass DEP.
This Metasploit module uses the Jenkins Groovy script console to execute OS commands using Java.
This Metasploit module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. Please note that in order to execute commands via the FTP service, you must have a valid credential for the web-based administrative console.
This Metasploit module exploits a flaw in the SurgeFTP server's web-based administrative console to execute arbitrary commands.
This Metasploit module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.
Termineter is a framework written in Python to provide a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication. Currently supported are meters using C12.19 with 7-bit character sets. Termineter communicates with smart meters via a connection using an ANSI type-2 optical probe with a serial interface.
This Metasploit module exploits a vulnerability in the XSL parser of the XSL Content Portlet. When Tomcat is present, arbitrary code can be executed via Java calls in the data fed to the Xalan XSLT processor. If XSLPAGE is defined, the user must have rights to change the content of that page (to add a new XSL portlet); otherwise it can be left blank and a new one will be created. The second method, however, requires administrative privileges.
LifeSize Room versions 3.5.3 and 4.7.8 suffer from login bypass and OS command injection vulnerabilities.
This Metasploit module exploits a vulnerable resource in LifeSize Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize Room is an appliance and thus the environment is limited, resulting in a small set of payload options.
SiteScape Forums suffers from a remote TCL injection vulnerability. SiteScape Enterprise Forums version 7 is affected. Other versions may also be affected. Both an advisory and exploit are included in this archive.