This Metasploit module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
2612430b8b89a0e631ac0fc7cddbfe75efb7eff156c315c62b9215b7b3af9cda
This Metasploit module abuses the zsudo binary, installed with zpanel, to escalate privileges. In order to work, a session with access to zsudo on the sudoers configuration is needed. This Metasploit module is useful for post exploitation of ZPanel vulnerabilities, where typically web server privileges are acquired, and this user is allowed to execute zsudo on the sudoers file.
52e9e7c654a610547771110083d88813bc9a4795b691c2e9a5c3e03710e35924
This Metasploit module exploits a flaw in the nicm.sys driver to execute arbitrary code in kernel space. The vulnerability occurs while handling ioctl requests with code 0x143B6B, where a user provided pointer is used as function pointer. The module has been tested successfully on Windows 7 SP1 with Novell Client 2 SP3.
29e2599fa19955b4e378cc384fac89d22004319b161281a41dcdcb36beb3e0b5
This Metasploit module exploits a flaw in the nwfs.sys driver to overwrite data in kernel space. The corruption occurs while handling ioctl requests with code 0x1438BB, where a 0x00000009 dword is written to an arbitrary address. An entry within the HalDispatchTable is overwritten in order to execute arbitrary code when NtQueryIntervalProfile is called. The module has been tested successfully on Windows XP SP3 with Novell Client 4.91 SP4.
02221705500fa599274361e29583fc85f5bc7d9c953dfd6c235f742e5c0948a8
This Metasploit module exploits a vulnerability in MoinMoin 1.9.5. The vulnerability exists on the manage of the twikidraw actions, where a traversal path can be used in order to upload arbitrary files. Exploitation is achieved on Apached/mod_wsgi configurations by overwriting moin.wsgi, which allows to execute arbitrary python code, as exploited in the wild on July, 2012.
357506b05f75972b93ef4f53d7935e38c58ae9d6c3dc89990bc79b7b56e9d911
This Metasploit module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. This Metasploit module has been tested successfully on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target to use an info leak to disclose the ntdll.dll base address is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).
f2191edac3137a6b3823d086c1f17193130422c73f5e897f52c93a6ab9e66486
This Metasploit module exploits a command injection vulnerability against Dovecot with Exim using the "use_shell" option. It uses the sender's address to inject arbitrary commands since this is one of the user-controlled variables, which has been successfully tested on Debian Squeeze using the default Exim4 with dovecot-common packages.
d72b6de0ba7eaf73295bab2780dde4862dd95a6711d35c8ea50c93c6aad58c90
This Metasploit module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes, from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.
1b4db1b27c17aab0b21ca54b384927fd35c2a31fb00fd5b3dfb2d240422f385f
This Metasploit modules exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where user controlled input is used to call ShellExecuteExW(). This Metasploit module abuses the control to execute an arbitrary HTA from a remote location. This Metasploit module has been tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle WebCenter Content 11.1.1.6.0.
b0e1c2b4d5000f5d54ab03faad81b1e6f76cdaf93878521b78deb176531d5582
This Metasploit module exploits a heap based buffer overflow in the C1Tab ActiveX control, while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This Metasploit module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1.
99fdd7d6b7ffc3bcb3ad029cfcdb362a9cb2e0bb387ffdddfabe715b79e167a0
This Metasploit module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This Metasploit module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.
362b070d8c1cff7e3047e6ccc9833c6d39410fbd8d44ca7e08e17d15068ff919
Some Linksys Routers are vulnerable to an authenticated OS command injection on their web interface where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This Metasploit module has been tested on a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a controlled system could be used for testing purposes. The exploit uses the tftp client from the device to stage to native payloads from the command injection.
f9f09e58e33c3c7939cc2ed16b2c26b3cc52e2b7e29498141ef9d035fec7d9f7
Some D-Link Routers are vulnerable to an authenticated OS command injection on their web interface, where default credentials are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This Metasploit module was tested against a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a controlled system could be used for testing purposes. The exploit uses the wget client from the device to convert the command injection into an arbitrary payload execution.
aad8c5ca69c9c88e6afefcbe2b486142c3227a0b49c91b9a4e140ec39830afb7
This Metasploit module exploits a code execution flaw in the Mutiny 5 appliance. The EditDocument servlet provides a file upload function to authenticated users. A directory traversal vulnerability in the same functionality allows for arbitrary file upload, which results in arbitrary code execution with root privileges. In order to exploit the vulnerability a valid user (any role) in the web frontend is required. The module has been tested successfully on the Mutiny 5.0-1.07 appliance.
01d6456aa6f66c843f950a3e95e6b90c8d0c5ec0cde800f6939a9ede83195de8
Kloxo versions 6.1.12 and below contain two setuid root binaries. lxsuexec and lxrestart allow local privilege escalation to root from uid 48, Apache by default on CentOS 5.8, the operating system supported by Kloxo. This Metasploit module has been tested successfully with Kloxo 6.1.12 and 6.1.6.
a70607f00778f48b03ab7e80bcb005fc5ae1a0f4e784ea6219b2ca83f16982c7
This Metasploit module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll where the function ERM_convert_to_correct_webpath handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This Metasploit module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
f08aa677e4bbe773f77b4590e3bc7bcc07a3ecbc53b0cb2b1479169e8de33890
This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.
723999396b06b95680fb759bf7a793de8245f41f4c76b136b6109a09e4954141
This Metasploit module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution with the privileges of the user running AudioCoder. This Metasploit module has been tested successfully on AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.
11e93e7aa31d0230bae1786bd7beb805bafd2f8f17ea750760363ad97854f84a
This Metasploit module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on Wordpress must be unchecked for successful exploitation. This Metasploit module has been tested against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.
e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79
This Metasploit module exploits a vulnerability found in GroundWork 6.7.0. This software is used for network, application and cloud monitoring. The vulnerability exists in the monarch_scan.cgi, where user controlled input is used in the perl qx function, which allows any remote authenticated attacker, whatever his privileges are, to inject system commands and gain arbitrary code execution. The module has been tested successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04 based VM appliance.
4f033af844cdd623331a0bd422e02eb8ac32fdbef2908dd0e003506fe068e0b1
This Metasploit module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit doesn't bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.
bb2929226a8a08e2945d6536acc0a7c67d0777ced5120b0ffa098ac076125760
Some Netgear Routers are vulnerable to an authenticated OS command injection on their web interface. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This Metasploit module overwrites parts of the PPOE configuration, while the module tries to restore it after exploitation configuration backup is recommended.
91dc01de9600bf71b1bfb0fa39d3c499055961c38a5e9d02115d91d6d11e4a4d
Some DLink Routers are vulnerable to OS Command injection in the web interface. On DIR-645 versions prior 1.03 authentication isn't needed to exploit it. On version 1.03 authentication is needed in order to trigger the vulnerability, which has been fixed definitely on version 1.04. Other DLink products, like DIR-300 rev B and DIR-600, are also affected by this vulnerability. Not every device includes wget which we need for deploying our payload. On such devices you could use the cmd generic payload and try to start telnetd or execute other commands. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This Metasploit module has been tested successfully on DIR-645 prior to 1.03, where authentication isn't needed in order to exploit the vulnerability.
f2ceeefd8dbcad542f7e425fc2a4629e678ed768c94c49906f4e9341a1042096
Some Linksys Routers are vulnerable to an authenticated OS command injection in the Web Interface. Default credentials are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. The user must be prudent when using this module since it modifies the router configuration while exploitation, even when it tries to restore previous values.
842e633a501f723e29c147350b0f672da78b474050f74be28f55d1501d673b3c
Some Netgear Routers are vulnerable to authenticated OS Command injection. The vulnerability exists in the web interface, specifically in the setup.cgi component, when handling the TimeToLive parameter. Default credentials are always a good starting point, admin/admin or admin/password could be a first try. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes.
623ce5343f36444ea84dd10286be202aa0da4fc1e9e606d5ba8d7544d69fb889