
Files from juan vazquez

First Active: 2011-06-27
Last Active: 2015-12-14
HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload
Posted Sep 17, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, with the restriction that binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This Metasploit module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.

tags | exploit, arbitrary
advisories | CVE-2013-4812, OSVDB-97155
MD5 | 655ea7e5a3301cf06fe81698db51eafa
HP SiteScope Remote Code Execution
Posted Sep 9, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the opcactivate.vbs script, which is reachable from the APIBSMIntegrationImpl AXIS service and uses WScript.Shell.run() to execute cmd.exe with user provided data. Note that the opcactivate.vbs component is installed with the (optional) HP Operations Agent component. The module has been tested successfully on HP SiteScope 11.20 (with HP Operations Agent) on Windows 2003 SP2.

tags | exploit, shell, code execution
systems | windows
advisories | CVE-2013-2367, OSVDB-95824
MD5 | 54e615e8ccdc8c83cefabd5dc954b93a
HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution
Posted Sep 4, 2013
Authored by juan vazquez, Brian Gorenc | Site metasploit.com

This Metasploit module exploits a vulnerability in the lrFileIOService ActiveX control, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileString method, which allows the user to write arbitrary files. It's abused to drop a payload embedded in a DLL, which is later loaded through the Init() method of the lrMdrvService control by abusing an insecure LoadLibrary call. This Metasploit module has been tested successfully on IE8 on Windows XP. Virtualization based on the Low Integrity Process, on Windows Vista and 7, will stop this module because the DLL will be dropped to a virtualized folder, which isn't used by LoadLibrary.

tags | exploit, arbitrary, activex
systems | windows, xp, vista
advisories | CVE-2013-4798, OSVDB-95642
MD5 | 5f7630ca27a1c56598761f3e375ec40d
HP LoadRunner lrFileIOService ActiveX Remote Code Execution
Posted Aug 29, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in the lrFileIOService ActiveX control, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method, where user provided data is used as a memory pointer. This Metasploit module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using LrWebIERREWrapper.dll 11.50.2216.0. In order to bypass ASLR, the non-ASLR-compatible module msvcr71.dll is used; this one is installed with HP LoadRunner.

tags | exploit, activex
systems | windows, xp
advisories | CVE-2013-2370, OSVDB-95640
MD5 | 8abb525c779efa76355554b3961f0bbc
Firefox XMLSerializer Use After Free
Posted Aug 29, 2013
Authored by regenrecht, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This Metasploit module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

tags | exploit
systems | windows, xp
advisories | CVE-2013-0753, OSVDB-89021
MD5 | 6d919208c10f274c997a34ba8bbff8d7
Mac OS X Sudo Password Bypass
Posted Aug 26, 2013
Authored by Todd C. Miller, juan vazquez, joev | Site metasploit.com

This Metasploit module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the "admin group"), and the user has ever run the "sudo" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This Metasploit module will fail silently if the user is not an admin or if the user has never run the sudo command.

tags | exploit, root
systems | apple, osx
advisories | CVE-2013-1775, OSVDB-90677
MD5 | c576a86d9ee4a93abc0dde1445edcab8
Oracle Endeca Server Remote Command Execution
Posted Aug 24, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Oracle Endeca Server 7.4.0. The vulnerability exists in the createDataStore method of the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This Metasploit module has been tested successfully on Endeca Server 7.4.0.787 on Windows 2008 R2 (64-bit).

tags | exploit, web
systems | windows
advisories | CVE-2013-3763, OSVDB-95269
MD5 | a65491552879676cea937b2b2daf6d8d
Cogent DataHub HTTP Server Buffer Overflow
Posted Aug 18, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in Cogent DataHub 7.3.0. The vulnerability exists in the HTTP server: while handling HTTP headers, a strncpy() call is used in a dangerous way. This Metasploit module has been tested successfully on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3.

tags | exploit, web, overflow
systems | windows, xp
advisories | OSVDB-95819
MD5 | 838db63900ee8ca2390b847a477f765e
Java storeImageArray() Invalid Array Indexing
Posted Aug 16, 2013
Authored by sinn3r, juan vazquez, temp66 | Site metasploit.com

This Metasploit module abuses an invalid array indexing vulnerability in the static storeImageArray() function in order to produce memory corruption and finally escape the Java sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems. This was created based upon the Packet Storm Bug Bounty release for this issue.

tags | exploit, java, bug bounty, packet storm
systems | linux, windows
advisories | CVE-2013-2465, OSVDB-96269
MD5 | 6cc19300816758352ece7407798da7e1
Chasys Draw IES Buffer Overflow
Posted Aug 14, 2013
Authored by juan vazquez, Javier "soez", Longinos Recuero Bustos, Christopher Gabriel | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in Chasys Draw IES (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data on the stack in an insecure way. It results in arbitrary code execution in the context of the user viewing a specially crafted BMP file. This Metasploit module has been tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1.

tags | exploit, overflow, arbitrary, code execution
systems | windows, xp, 7
advisories | CVE-2013-3928
MD5 | ff8438fa506ca940bd0b7688c3585603
Joomla Media Manager File Upload Vulnerability
Posted Aug 14, 2013
Authored by juan vazquez, Jens Hinrichsen | Site metasploit.com

This Metasploit module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4. The vulnerability exists in the Media Manager component, which ships by default with Joomla, allowing arbitrary file uploads and resulting in arbitrary code execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04. Note: if public access to the Media Manager isn't allowed, you will need to supply a valid username and password (Editor role or higher) in order for the module to work properly.

tags | exploit, arbitrary, code execution, file upload
systems | linux, ubuntu
advisories | OSVDB-95933
MD5 | cf5b61f56c69e484e93a550bb8d8378c
HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow
Posted Aug 12, 2013
Authored by juan vazquez, e6af8de8b1d4b2b6d5ba2610cbf9cd38 | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage of the sscanf() function when parsing login requests. This Metasploit module has been tested successfully on the HP VSA 9 Virtual Appliance.

tags | exploit, overflow
advisories | CVE-2013-2343, OSVDB-94701
MD5 | e971e65723c7b85a5799b20b79ea1f2c
D-Link Devices Unauthenticated Remote Command Execution
Posted Aug 9, 2013
Authored by Michael Messner, juan vazquez | Site metasploit.com

Various D-Link routers are vulnerable to OS command injection via the web interface. The vulnerability exists in command.php, which is accessible without authentication. This Metasploit module has been tested with the versions DIR-600 2.14b01 and DIR-300 rev B 2.13. Two targets are included: the first starts a telnetd service and establishes a session over it, the second runs commands via the CMD target. There is no wget or tftp client on the device, so an ELF backdoor cannot be uploaded easily. According to the vulnerability discoverer, more D-Link devices may be affected.

tags | exploit, web, php
advisories | OSVDB-89861
MD5 | e2926242e296222d9f55b90114f6a9e5
D-Link Devices Unauthenticated Remote Command Execution
Posted Aug 8, 2013
Authored by Michael Messner, juan vazquez | Site metasploit.com

Various D-Link routers are vulnerable to OS command injection via the web interface. The vulnerability exists in tools_vct.xgi, which is accessible with credentials. This Metasploit module has been tested with the versions DIR-300 rev A v1.05 and DIR-615 rev D v4.13. Two targets are included: the first starts a telnetd service and establishes a session over it, the second runs commands via the CMD target. There is no wget or tftp client on the device, so an ELF backdoor cannot be uploaded easily. According to the vulnerability discoverer, more D-Link devices may be affected.

tags | exploit, web
advisories | OSVDB-92698
MD5 | 019ba3629ae022f232177179a22798ab
Firefox onreadystatechange Event DocumentViewerImpl Use After Free
Posted Aug 8, 2013
Authored by webDEViL, sinn3r, juan vazquez, temp66, Nils | Site metasploit.com

This Metasploit module exploits a vulnerability found in Firefox 17.0.6, specifically a use-after-free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild in August 2013 to target Tor Browser users.

tags | exploit, web
advisories | CVE-2013-1690, OSVDB-94584
MD5 | 3ec0e73cc8dcae69c0a08d398a348359
PineApp Mail-SeCure test_li_connection.php Arbitrary Command Execution
Posted Jul 29, 2013
Authored by juan vazquez, Dave Weinstein | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in PineApp Mail-SeCure 3.70. The vulnerability exists in the test_li_connection.php component, due to the insecure usage of the system() PHP function. This Metasploit module has been tested successfully on PineApp Mail-SeCure 3.70.

tags | exploit, php
MD5 | 370df352e83a2de9ec2c063ee1b2c4c5
PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution
Posted Jul 29, 2013
Authored by juan vazquez, Dave Weinstein | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in PineApp Mail-SeCure 3.70. The vulnerability exists in the ldapsyncnow.php component, due to the insecure usage of the shell_exec() PHP function. This Metasploit module has been tested successfully on PineApp Mail-SeCure 3.70.

tags | exploit, php
MD5 | 9f5105de172f003eebfb122d6b1f563c
PineApp Mail-SeCure livelog.html Arbitrary Command Execution
Posted Jul 29, 2013
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in PineApp Mail-SeCure 3.70. The vulnerability exists in the livelog.html component, due to the insecure usage of the shell_exec() PHP function. This Metasploit module has been tested successfully on PineApp Mail-SeCure 3.70.

tags | exploit, php
MD5 | d17400c28ae6dc6e4e23eb68f2fcd0d1
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Posted Jul 25, 2013
Authored by sinn3r, juan vazquez, Takeshi Terada | Site metasploit.com

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1, the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since that information is evaluated as an OGNL expression against the value stack, this introduces the possibility of injecting server-side code. This Metasploit module has been tested successfully on Struts 2.3.15 on Tomcat 7, with Windows 2003 SP2 and Ubuntu 10.04 operating systems.

tags | exploit
systems | linux, windows, ubuntu
advisories | CVE-2013-2251, OSVDB-95405
MD5 | f4dcb90843377c8138d0fd07f5f040c5
D-Link Devices UPnP SOAP Command Execution
Posted Jul 23, 2013
Authored by Michael Messner, juan vazquez | Site metasploit.com

Various D-Link routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the CMD target. Additionally, two targets are included, to start a telnetd service and establish a session over it, or to deploy a native mipsel payload. This Metasploit module has been tested successfully on DIR-300, DIR-600, DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices may be affected.

tags | exploit
advisories | OSVDB-94924
MD5 | a98bc1b6f66d9cd1eca1c4774e6ad522
VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload
Posted Jul 23, 2013
Authored by Andrea Micalizzi, juan vazquez | Site metasploit.com

This Metasploit module exploits a code execution flaw in VMware vCenter Chargeback Manager, where the ImageUploadServlet servlet allows unauthenticated file upload. The files are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed. The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1 on Windows 2003 SP2.

tags | exploit, web, code execution, file upload
systems | windows
advisories | CVE-2013-3520, OSVDB-94188
MD5 | 7bb909108ececb286f0a184f3191aa87
HP Managed Printing Administration jobAcct Remote Command Execution
Posted Jul 18, 2013
Authored by Andrea Micalizzi, juan vazquez | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in HP Managed Printing Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles() function of the MPAUploader.Uploader.1 control, loaded and used by the server. The function can be abused via directory traversal and null byte injection in order to achieve arbitrary file upload.

tags | exploit, arbitrary, file upload
advisories | CVE-2011-4166, OSVDB-78015
MD5 | 971b98d962ddabcf86fc3c2bfb350b90
Corel PDF Fusion Stack Buffer Overflow
Posted Jul 12, 2013
Authored by juan vazquez, Kaveh Ghaemmaghami | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow vulnerability in version 1.11 of Corel PDF Fusion. The vulnerability exists while handling an XPS file with long entry names. In order for the payload to be executed, an attacker must convince the target user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the attacker can execute arbitrary code as the target user.

tags | exploit, overflow, arbitrary
advisories | CVE-2013-3248, OSVDB-94933
MD5 | 9f5794e3ddb35facb27513ada0aad7ed
ERS Viewer 2013 ERS File Handling Buffer Overflow
Posted Jul 9, 2013
Authored by James Fitts, juan vazquez | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in ERS Viewer 2013. The vulnerability exists in the module ermapper_u.dll, where the function rf_report_error handles user provided data in an insecure way. It results in arbitrary code execution in the context of the user viewing a specially crafted .ers file. This Metasploit module has been tested successfully with ERS Viewer 2013 (version 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.

tags | exploit, overflow, arbitrary, code execution
systems | windows, xp, 7
advisories | CVE-2013-3482, OSVDB-93650
MD5 | 353adb4184511741811b4ec14f78a159
Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
Posted Jul 1, 2013
Authored by Tavis Ormandy, egypt, sinn3r, juan vazquez, progmboy, Meatballs, Keebie4e | Site metasploit.com

This Metasploit module exploits a vulnerability in EPATHOBJ::pprFlattenRec due to the use of uninitialized data, which allows memory corruption. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.

tags | exploit
systems | windows, xp, 7
advisories | CVE-2013-3660, OSVDB-93539
MD5 | 4c66155f0bae4b1bbeab91b35499cc0d
© 2016 Packet Storm. All rights reserved.