accept no compromises
Showing 1 - 25 of 293 RSS Feed

Files from juan vazquez

First Active2011-06-27
Last Active2015-12-14
Jenkins CLI RMI Java Deserialization
Posted Dec 14, 2015
Authored by juan vazquez, Christopher Frohoff, Louis Sato, William Vu, Wei Chen, Steve Breen, Dev Mohanty | Site metasploit.com

This Metasploit module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2015-8103
MD5 | 50e8b60db08ec6dd6be8f13764a3e113
HP SiteScope DNS Tool Command Injection
Posted Oct 10, 2015
Authored by juan vazquez, Charles Riggs, Kirk Hayes | Site metasploit.com

This Metasploit module exploits a command injection vulnerability discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26 and 11.30). The vulnerability exists in the DNS Tool allowing an attacker to execute arbitrary commands in the context of the service. By default, HP SiteScope installs and runs as SYSTEM in Windows and does not require authentication. This vulnerability only exists on the Windows version. The Linux version is unaffected.

tags | exploit, arbitrary
systems | linux, windows
MD5 | a68f176530f83d6612dcef946b768169
MS15-078 Microsoft Windows Font Driver Buffer Overflow
Posted Sep 17, 2015
Authored by juan vazquez, Mateusz Jurczyk, Cedric Halbronn, Eugene Ching | Site metasploit.com

This Metasploit module exploits a pool based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by the hacking team and disclosed on the july data leak. This Metasploit module has been tested successfully on vulnerable builds of Windows 8.1 x64.

tags | exploit, overflow
systems | windows
advisories | CVE-2015-2426, CVE-2015-2433
MD5 | a7ff9bf552596c6dfd147beac70ba192
Adobe Flash opaqueBackground Use After Free
Posted Jul 13, 2015
Authored by sinn3r, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as an Use After Free while handling the opaqueBackground property 7 setter of the flash.display.DisplayObject class. This Metasploit module is an early release tested on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194, windows 8.1, Firefox and Adobe Flash 18.0.0.203, Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and Windows 8.1, Firefox and Adobe Flash 18.0.0.194

tags | exploit
systems | windows, 7
advisories | CVE-2015-5122
MD5 | 46fe95b7200053c30eae55ca1369b78f
Adobe Flash Player ByteArray Use After Free
Posted Jul 8, 2015
Authored by sinn3r, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as a Use After Free while handling ByteArray objects. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.

tags | exploit
systems | linux, windows, 7
advisories | CVE-2015-5119
MD5 | dc11e64b010a4d6231a64eb427ed64f5
Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow
Posted Jul 3, 2015
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a buffer overflow on Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild on June 2015. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160, Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466. Note that this exploit is effective against both CVE-2015-3113 and the earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression to the same root cause as CVE-2015-3043.

tags | exploit, overflow, root
systems | linux, windows, ubuntu, 7
advisories | CVE-2015-3043, CVE-2015-3113
MD5 | cabe863f2b1b9fd7e8570e18144bfce0
Adobe Flash Player Drawing Fill Shader Memory Corruption
Posted Jun 27, 2015
Authored by Chris Evans, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a memory corruption happening when applying a Shader as a drawing fill as exploited in the wild on June 2015. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188, Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.

tags | exploit
systems | linux, windows, 7
advisories | CVE-2015-3105
MD5 | 27d8201ab2355b45ec75bb2d93ef2629
Adobe Flash Player ShaderJob Buffer Overflow
Posted Jun 19, 2015
Authored by Chris Evans, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after starting the job it's possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled.

tags | exploit, overflow
advisories | CVE-2015-3090
MD5 | 27e6364d703ca0c934dda145b1becbea
Adobe Flash Player domainMemory ByteArray Use After Free
Posted May 7, 2015
Authored by juan vazquez, temp66, hdarwin, bilou | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.

tags | exploit
systems | windows, 7
advisories | CVE-2015-0359
MD5 | 8127f22354b9daaa2681b4e32dbb870d
Group Policy Script Execution From Shared Resource
Posted May 7, 2015
Authored by juan vazquez, Sam Bertram | Site metasploit.com

This is a general-purpose module for exploiting systems with Windows Group Policy configured to load VBS startup/logon scripts from remote locations. This Metasploit module runs a SMB shared resource that will provide a payload through a VBS file. Startup scripts will be executed with SYSTEM privileges, while logon scripts will be executed with the user privileges. Have into account which the attacker still needs to redirect the target traffic to the fake SMB share to exploit it successfully. Please note in some cases, it will take 5 to 10 minutes to receive a session.

tags | exploit, remote
systems | windows
MD5 | 39c13824802f897dc8c52c9b9257945c
Adobe Flash Player NetConnection Type Confusion
Posted May 7, 2015
Authored by juan vazquez, temp66, Natalie Silvanovich | Site metasploit.com

This Metasploit module exploits a type confusion vulnerability in the NetConnection class on Adobe Flash Player. When using a correct memory layout this vulnerability allows to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like vectors, and finally accomplish remote code execution. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.

tags | exploit, remote, arbitrary, code execution
systems | windows, 7
advisories | CVE-2015-0336
MD5 | 0dad42be72f3bc6452e886b97b0380e7
Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory
Posted May 1, 2015
Authored by Nicolas Joly, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When using a correct memory layout this vulnerability leads to a ByteArray object corruption, which can be abused to access and corrupt memory. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 15.0.0.189.

tags | exploit
systems | windows, 7
advisories | CVE-2014-8440
MD5 | 6835f44cfae092b34807fbaa978ebdc1
Adobe Flash Player copyPixelsToByteArray Integer Overflow
Posted Apr 19, 2015
Authored by Chris Evans, Nicolas Joly, juan vazquez, hdarwin | Site metasploit.com

This Metasploit module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.

tags | exploit, overflow
systems | windows, 7
advisories | CVE-2014-0556
MD5 | 4cff6de22707258e03d6b5a94098eea8
Adobe Flash Player casi32 Integer Overflow
Posted Apr 10, 2015
Authored by juan vazquez, bilou | Site metasploit.com

This Metasploit module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is setup as domainMemory for the current application domain. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.

tags | exploit, overflow
systems | windows, 7
advisories | CVE-2014-0569
MD5 | 1a3b9845d08a07ae03794bce0519f44c
Adobe Flash Player ByteArray With Workers Use After Free
Posted Mar 30, 2015
Authored by juan vazquez, temp66, hdarwin | Site metasploit.com

This Metasploit module exploits an use after free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, who can fill the memory and notify the main thread to corrupt the new contents. This Metasploit module has been tested successfully on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.296.

tags | exploit
systems | windows, 7
advisories | CVE-2015-0313
MD5 | 607a862ce32fda6ff085d1672dae217b
WordPress W3 Total Cache PHP Code Execution
Posted Mar 24, 2015
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically find or bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This Metasploit module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | CVE-2013-2010, OSVDB-92652
MD5 | be8ab3b5728c9890eeda2592ba90ef4e
Microsoft Windows Shell SMB LNK Code Execution
Posted Mar 12, 2015
Authored by juan vazquez, Michael Heerklotz | Site metasploit.com

This Metasploit module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This Metasploit module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed.

tags | exploit
systems | windows
advisories | CVE-2015-0096
MD5 | 6867137c30c8c4ec17aee86edb43bfcc
Microsoft Windows Shell File Format LNK Code Execution
Posted Mar 12, 2015
Authored by juan vazquez, Michael Heerklotz | Site metasploit.com

This Metasploit module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This Metasploit module creates the required files to exploit the vulnerability. They must be uploaded to an UNC path accessible by the target. This Metasploit module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed.

tags | exploit
systems | windows
advisories | CVE-2015-0096
MD5 | 30eda0343234a7a6ea98fc3fa74cc3e0
ElasticSearch Search Groovy Sandbox Bypass
Posted Mar 12, 2015
Authored by juan vazquez, Cameron Morris, Darren Martyn | Site metasploit.com

This Metasploit module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This Metasploit module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.

tags | exploit, java, remote, arbitrary, code execution
systems | linux, ubuntu
advisories | CVE-2015-1427
MD5 | 42040a547553fc1e246d7e93902fd842
Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free
Posted Mar 12, 2015
Authored by juan vazquez, temp66, hdarwin | Site metasploit.com

This Metasploit module exploits an use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This Metasploit module has been tested successfully on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235.

tags | exploit
systems | windows, 7
advisories | CVE-2015-0311
MD5 | 55a381eaeb0b9b7028403d0c1e0e78c3
HP Client Automation Command Injection
Posted Feb 24, 2015
Authored by juan vazquez, Ben Turner | Site metasploit.com

This Metasploit module exploits a command injection vulnerability on HP Client Automation, distributed actually as Persistent Systems Client Automation. The vulnerability exists in the Notify Daemon (radexecd.exe), which doesn't authenticate execution requests by default neither. This Metasploit module has been tested successfully on HP Client Automation 9.00 over Windows 2003 SP2 and CentOS 5.

tags | exploit
systems | linux, windows, centos
advisories | CVE-2015-1497
MD5 | e1cd8a6dcb602d727fa7f4b87b28896f
X360 VideoPlayer ActiveX Control Buffer Overflow
Posted Feb 17, 2015
Authored by Rh0, juan vazquez | Site metasploit.com

This Metasploit module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.

tags | exploit, overflow, arbitrary, activex
MD5 | ccdbee72507f4689f2f29a861de8f106
Java JMX Server Insecure Configuration Java Code Execution
Posted Feb 17, 2015
Authored by Braden Thomas, juan vazquez | Site metasploit.com

This Metasploit module takes advantage a Java JMX interface insecure configuration, which would allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while interfaces with authentication enabled will be vulnerable only if a weak configuration is deployed (allowing to use javax.management.loading.MLet, having a security manager allowing to load a ClassLoader MBean, etc.).

tags | exploit, java, remote, web
MD5 | ba7da3ce98fa7745ef13cb5f3a2d8f9a
MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
Posted Feb 2, 2015
Authored by juan vazquez, temp66, Henry Li | Site metasploit.com

This Metasploit module abuses a process creation policy in Internet Explorer's sandbox, specifically the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape the Protected Mode, and execute code with Medium Integrity. At the moment, this module only bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This Metasploit module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11.

tags | exploit, remote, web
systems | windows, 7
advisories | CVE-2015-0016
MD5 | 603be371391e9afbc16e6432a03ab423
Lexmark MarkVision Enterprise Arbitrary File Upload
Posted Jan 12, 2015
Authored by Andrea Micalizzi, juan vazquez | Site metasploit.com

This Metasploit module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1. A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated attacker to upload arbitrary files, including arbitrary JSP code. This Metasploit module has been tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.

tags | exploit, arbitrary, code execution
systems | windows
advisories | CVE-2014-8741
MD5 | cd1e925244f475f400459c44ff459365
Page 1 of 12
Back12345Next

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close