This Metasploit module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1. A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated attacker to upload arbitrary files, including arbitrary JSP code. This Metasploit module has been tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
1983d15e14382b842439b7a8129d4ce859b00fbd289876ecee0e865564af878c
This Metasploit module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
98f844496d43dbf5a1ce7018422d72a76de82b8bafeead5008c67a30054879fd
This Metasploit module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
22d50e4cf87dbb4ac9f6d51a9b1c21edb0ba7405f489b927842967eda685d577
This Metasploit module exploits multiple vulnerabilities in Visual Mining NetCharts. First, a lack of input validation in the administration console permits arbitrary jsp code upload to locations accessible later through the web service. Authentication is typically required, however a 'hidden' user is available by default (and non editable). This user, named 'Scheduler', can only login to the console after any modification in the user database (a user is added, admin password is changed etc). If the 'Scheduler' user isn't available valid credentials must be supplied. The default Admin password is Admin.
8a3b765845b48b56bd638e90b38b71b9b937f492e8f972a8b7552ad9f1f4c4ec
This Metasploit module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance. The vulnerability exists in the SOAP handler, accessible through the web interface. A malicious SOAP requests can force the handler to connect to a malicious NetScaler config server. This malicious config server can send a specially crafted response in order to trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary code with the privileges of the web server running the SOAP handler. This Metasploit module has been tested successfully on the NetScaler Virtual Appliance 450010.
bbd94c2938c7acadc669fd040b87af734ca8b8359c12bfca9b43d24c4a997c1d
This Metasploit module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This Metasploit module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.
41b7d988b197d4b07886ef236a76dda4482ef1d09d5d87eb2dbc440af8850897
This Metasploit module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands as long as there is a valid session registered in the centreon.session table. In order to have a valid session, all it takes is a successful login from anybody. The exploit itself does not require any authentication. This Metasploit module has been tested successfully on Centreon Enterprise Server 2.2.
8809b442b4ed7e090f87d00c54c5b7bdd1ab5b1b01a8996dfc1c2404ff0bb501
This exploit abuses a vulnerability in the HP Data Protector. The vulnerability exists in the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL request allows to execute arbitrary commands from a restricted directory. Since it includes a perl executable, it's possible to use an EXEC_INTEGUTIL packet to execute arbitrary code. On linux targets, the perl binary isn't on the restricted directory, but an EXEC_BAR packet can be used to access the perl binary, even in the last version of HP Data Protector for linux. This Metasploit module has been tested successfully on HP Data Protector 9 over Windows 2008 R2 64 bits and CentOS 6 64 bits.
532410fb174f7f3d0672bb77c79174e37f6739ffde13774940b5b666f7c88240
This Metasploit module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.
204194de715b57d2c50a8f59365b64bfc7f2ab16e20add9ad3d4be4efaca222f
This Metasploit module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The vulnerability exists in the pmd service, due to the insecure usage of functions like strcpy and strcat while handling stack_option packets with user controlled data. In order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from the stack and finally build the rop chain to avoid NX.
ed8dcf6077fc962dee63928b9374f08f765d9613b6097985fa09b44f33f8d338
This Metasploit module exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.
bddccc35d3cda611c86307a7ce0074fc7d74f100f9a6dea0b6e39a478138e054
This Metasploit module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75 command, the process does not properly filter user supplied input allowing for arbitrary command injection. This Metasploit module has been tested successfully on EMC AlphaStor 4.0 build 116 with Windows 2003 SP2 and Windows 2008 R2.
3e993a7e854efa86fb910cf5ae6005aed96bf8fef7a6b5ff28fe00ff12003031
This Metasploit module exploits a buffer overflow vulnerability in Advantec WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. This Metasploit module has been tested successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8 and IE 9.
2c87a396ae651d2548218234d6c075460d07bc9f8c985df84efe8276828e073e
This Metasploit module exploits an authentication bypass vulnerability in Solarwinds Storage Manager. The vulnerability exists in the AuthenticationFilter, which allows to bypass authentication with specially crafted URLs. After bypassing authentication, is possible to use a file upload function to achieve remote code execution. This Metasploit module has been tested successfully in Solarwinds Store Manager Server 5.1.0 and 5.7.1 on Windows 32 bits, Windows 64 bits and Linux 64 bits operating systems.
8e0158bd6ed6894515f4b2ee12c6dea89374d232c9a98949f115bcf2c61c7927
This Metasploit module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a sequence of specially crafted of rendering messages, a virtual machine can exploit an out of bounds array access to corrupt memory and escape to the host. This Metasploit module has been tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.
86c260fb68e437881ab16b483c4e49b6bc21fe1b4a46b94f446e6d346cda9dda
This Metasploit module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create logs using functions like vsprintf and memcpy in a insecure way. This Metasploit module has been tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
db93fbf33e9788d81fe33dcce19468109935bbe2f51ee46720d0e3980569bb49
This Metasploit module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be abused to upload a malicious file onto an arbitrary location due to a directory traversal flaw, and compromise the server. By default Oracle Event Processing uses a Jetty Application Server without JSP support, which limits the attack to WbemExec. The current WbemExec technique only requires arbitrary write to the file system, but at the moment the module only supports Windows 2003 SP2 or older.
354b179956fa5730561cdacb3cb83ea87cbbaf8af2b2d69f7b545cc36d2d4223
This Metasploit module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to get its objective. First, the AutoPass application doesn't enforce authentication in the CommunicationServlet component. On the other hand, it's possible to abuse a directory traversal when uploading files thorough the same component, allowing to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
dd2fd87c80023443848e47bf145fc594ce2617436c0759a85eb64c8248dbcdb7
This Metasploit module abuses a process creation policy in the Internet Explorer Sandbox which allows to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity Level. Further interaction with the component allows to escape the Enhanced Protected Mode and execute arbitrary code with Medium Integrity.
566f2c34ce894a344de48e60acdf38825db4478f6732a3bdd3039b0e32d1cda3
This Metasploit module exploits a vulnerability in Internet Explorer Sandbox which allows to escape the Enhanced Protected Mode and execute code with Medium Integrity. The vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll component, which can be abused to force medium integrity IE to user influenced keys. By using registry symlinks it's possible force IE to add a policy entry in the registry and finally bypass Enhanced Protected Mode.
c9f9dc448204fe8efbcb3d05352d9e8dff208d0ff120536098d4e6f8b8305895
This Metasploit module exploits an injection vulnerability in Cogent DataHub prior to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which makes insecure use of the datahub_command function with user controlled data, allowing execution of arbitrary datahub commands and scripts. This Metasploit module has been tested successfully with Cogent DataHub 7.3.4 on Windows 7 SP1.
ea90ec1ce02362764c088f9a23d4e3e49eb058ef8047c0f1c9b916a1d71d04e3
This Metasploit module exploits a code execution flaw in AlienVault 4.6.1 and prior. The vulnerability exists in the av-centerd SOAP web service, where the update_system_info_debian_package method uses perl backticks in an insecure way, allowing command injection. This Metasploit module has been tested successfully on AlienVault 4.6.0.
f41d6bd5cd5cf9bdeabe5b3bc68136db162011629dbe4d4e9286da318c9234c8
This Metasploit module exploits a stack based buffer overflow in Ericom AccessNow Server. The vulnerability is due to an insecure usage of vsprintf with user controlled data, which can be triggered with a malformed HTTP request. This Metasploit module has been tested successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003 Server SP2.
ebcadf3ecbef96b23f35bdc1801d697a19ccfe4ec12a013d2b6a82b0e6e572b2
This Metasploit module abuses several directory traversal flaws in Rocket Servergraph Admin Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet, allowing a remote attacker to write arbitrary files and execute commands with administrative privileges. This Metasploit module has been tested successfully on Rocket ServerGraph 1.2 over Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu 12.04 64 bits.
6e5d60b2a820df1fa23141aca83b453d17a395a8fac173dda8ddc42205721c6f
This Metasploit module exploits a remote command execution vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the REST API, which requires no authentication or authorization, where the search function allows dynamic scripts execution, and can be used for remote attackers to execute arbitrary Java code. This Metasploit module has been tested successfully on ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
c25b90194192ece4e2507d09180295dea5fba7ac37136f5c31b76e2291ebeeb2