exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 51 - 75 of 100 RSS Feed

Files

AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution
Posted Jul 9, 2012
Authored by rgod, juan | Site metasploit.com

This Metasploit module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This Metasploit module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.

tags | exploit, remote, arbitrary, activex
systems | windows
advisories | CVE-2011-2657, OSVDB-76700
SHA-256 | 56cf9879c132897ee3261274e09284b0d6081bb9dd195db9cee39698cd90dbba

Related Files

PHP apache_request_headers Function Buffer Overflow
Posted Jun 17, 2012
Authored by juan vazquez, Vincent Danen | Site metasploit.com

This Metasploit module exploits a stack based buffer overflow in the CGI version of PHP 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the HTTP headers. This Metasploit module has been tested against the thread safe version of PHP 5.4.2, from "windows.php.net", running with Apache 2.2.22 from "apachelounge.com".

tags | exploit, web, overflow, cgi, php
systems | windows
advisories | CVE-2012-2329, OSVDB-82215
SHA-256 | 9911ce27bffaa90bdbd0d7a764559440c9b73d2a107c14d2ddcf46c3708a6749
Microsoft XML Core Services MSXML Uninitialized Memory Corruption
Posted Jun 16, 2012
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution. At the moment, this module only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.

tags | exploit, remote, code execution
systems | windows
advisories | CVE-2012-1889, OSVDB-82873
SHA-256 | b42f6ac491db2e23d28b44a0a21b16d7602d98dada63659c4d62505cfc674e08
TFM MMPlayer (m3u/ppl File) Buffer Overflow
Posted Jun 16, 2012
Authored by RjRjh Hack3r | Site metasploit.com

This Metasploit module exploits a buffer overflow in MMPlayer 2.2 The vulnerability is triggered when opening a malformed M3U/PPL file that contains an overly long string, which results in overwriting a SEH record, thus allowing arbitrary code execution under the context of the user.

tags | exploit, overflow, arbitrary, code execution
advisories | OSVDB-80532
SHA-256 | 94a5538fac833ce0d40cb77f27f7d48f3d8f56c693a6be7f095f4777f86bcb80
Wyse Machine Remote Power Off Denial Of Service
Posted Jun 14, 2012
Authored by it.solunium | Site metasploit.com

This Metasploit module exploits the Wyse Rapport Hagent service and causes a remote power cycle.

tags | exploit, remote, denial of service
advisories | CVE-2009-0695, OSVDB-55839
SHA-256 | 22351b9d23464102ba3b26074487f1ff569c07be9c592ad7cff3d5dd6f17f981
ComSndFTP 1.3.7 Beta USER Format String (Write4)
Posted Jun 14, 2012
Authored by Rick, corelanc0d3r, mr_me, ChaoYi Huang | Site metasploit.com

This Metasploit module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.

tags | exploit, arbitrary
SHA-256 | 8ca8af4598071a83d2552f14b027f3fdb8f361c95b01bacf03d39857c306caea
MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
Posted Jun 14, 2012
Authored by juan vazquez, Qihoo 360 Security Center, Dark Son, Google Inc, Yichong Lin | Site metasploit.com

This Metasploit module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited in the wild.

tags | exploit
systems | windows
advisories | CVE-2012-1875, OSVDB-82865
SHA-256 | 20f72fec96a5590b5bee38dc7ead6c6f34987bffcedca8f42c8054df4bedc309
Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow
Posted Jun 14, 2012
Authored by unknown, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. As a .pac file, when supplying a long string of data to the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code execution under the context of the user.

tags | exploit, arbitrary, code execution
advisories | CVE-2012-2915, OSVDB-82001
SHA-256 | 4f39a6ba7a1c027c53d6c89df81d4f572dc43a0a4728c3bef5f6473a11849cc1
WordPress plugin Foxypress uploadify.php Arbitrary Code Execution
Posted Jun 12, 2012
Authored by patrick, Sammy FORGIT | Site metasploit.com

This Metasploit module exploits an arbitrary PHP code execution flaw in the WordPress blogging software plugin known as Foxypress. The vulnerability allows for arbitrary file upload and remote code execution via the uploadify.php script. The Foxypress plug-in versions 0.4.2.1 and below are vulnerable.

tags | exploit, remote, arbitrary, php, code execution, file upload
advisories | OSVDB-82652
SHA-256 | da0008da963d30190b80ec624d76b37a43a7996230c2eda836dbddf9adef1f96
Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability
Posted Jun 11, 2012
Authored by Tenable Network Security, juan vazquez | Site metasploit.com

This Metasploit module exploits a file upload vulnerability found in Symantec Web Gateway's HTTP service. Due to the incorrect use of file extensions in the upload_file() function, this allows us to abuse the spywall/blocked_file.php file in order to upload a malicious PHP file without any authentication, which results in arbitrary code execution.

tags | exploit, web, arbitrary, php, code execution, file upload
advisories | CVE-2012-0299, OSVDB-82025
SHA-256 | cf93b4b95c23f5407ba012edff8b93021d9cf2a529de505d5f968bbc6cf64f26
Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
Posted Jun 11, 2012
Authored by Tenable Network Security, juan vazquez | Site metasploit.com

This Metasploit module exploits a command injection vulnerability found in Symantec Web Gateway's HTTP service due to the insecure usage of the exec() function. This Metasploit module abuses the spywall/ipchange.php file to execute arbitrary OS commands without authentication.

tags | exploit, web, arbitrary, php
advisories | CVE-2012-0297
SHA-256 | b0b67649c40ca029b22826b4a8885851ba50ca7ed212e036f2e5e4e0db93816f
Tom Sawyer Software GET Extension Factory Remote Code Execution
Posted Jun 11, 2012
Authored by rgod, Elazar Broad, juan vazquez | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This Metasploit module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The dll is installed by default with the Embarcadero software, and loaded by the targeted ActiveX.

tags | exploit, remote, code execution, activex
advisories | CVE-2011-2217, OSVDB-73211
SHA-256 | 9ea26d2b6cb47fda41b9580e28eab68d2c736833da3e4ee9317fb28219b79c3f
MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
Posted Jun 11, 2012
Authored by Yorick Koster, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This allows you to trick your victim into opening the malicious document, which will load up either a python or ruby payload based on your choosing, and then finally download and execute our executable.

tags | exploit, python, ruby
advisories | CVE-2012-0013, OSVDB-78207
SHA-256 | 0a79ccc75253fc54a4cbf99a7599c06f3f75c9e59c1385bd9c4f718868f83665
Sielco Sistemi Winlog Buffer Overflow 2.07.14
Posted Jun 8, 2012
Authored by m1k3 | Site metasploit.com

This Metasploit module exploits a buffer overflow in Sielco Sistem Winlog <= 2.07.14. When sending a specially formatted packet to the Runtime.exe service on port 46824, an attacker may be able to execute arbitrary code.

tags | exploit, overflow, arbitrary
SHA-256 | 1a8bb46f85df789796e7923d8179c18365a8ea6bf644f0480c03f28ecc53fa3c
Microsoft Windows OLE Object File Handling Remote Code Execution
Posted Jun 7, 2012
Authored by Luigi Auriemma, juan vazquez | Site metasploit.com

This Metasploit module exploits a type confusion vulnerability in the OLE32 component of Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple function. A Visio document with a specially crafted Summary Information Stream embedded allows to get remote code execution through Internet Explorer, on systems with Visio Viewer installed.

tags | exploit, remote, code execution
systems | windows
advisories | CVE-2011-3400, OSVDB-77663
SHA-256 | 38a04eb9235c0ff6ef85f3b9bba40470be0f95a7efe95b58a475e3f84a0afc55
Samsung NET-i viewer Multiple ActiveX BackupToAvi() Remote Overflow
Posted Jun 7, 2012
Authored by Luigi Auriemma, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in the CNC_Ctrl.dll ActiveX installed with the Samsung NET-i viewer 1.37. Specifically, when supplying a long string for the fname parameter to the BackupToAvi method, an integer overflow occurs, which leads to a posterior buffer overflow due to the use of memcpy with an incorrect size, resulting in remote code execution under the context of the user.

tags | exploit, remote, overflow, code execution, activex
advisories | OSVDB-81453
SHA-256 | 03a28d9b585a04552b2af08e30b7a0771b1cda34693418914dcb8507b373570a
Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow
Posted Jun 7, 2012
Authored by patrick | Site metasploit.com

This Metasploit module can be used to execute arbitrary code on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service. The service is exploitable even when RDS is configured to deny remote connections (handsafe.reg). The service is vulnerable to a heap overflow where the RDS DataStub 'Content-Type' string is overly long. Microsoft Data Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.

tags | exploit, remote, overflow, arbitrary
advisories | CVE-2002-1142, OSVDB-14502
SHA-256 | 5b8f51f6304db9028ffb31a8630bc9126a8b59e8dff7370fae1e12b8fd591199
Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
Posted Jun 7, 2012
Authored by patrick | Site metasploit.com

This Metasploit module can be used to execute arbitrary commands on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj or AdvancedDataFactory to inject shell commands into Microsoft Access databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN). Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively used in the wild in the late Ninties. MDAC versions affected include MDAC 1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS installed, and NT4 Servers with the NT Option Pack installed or upgraded 2000 systems often running IIS3/4/5 however some vulnerable installations can still be found on newer Windows operating systems. Note that newer releases of msadcs.dll can still be abused however by default remote connections to the RDS is denied. Consider using VERBOSE if you're unable to successfully execute a command, as the error messages are detailed and useful for debugging. Also set NAME to obtain the remote hostname, and METHOD to use the alternative VbBusObj technique.

tags | exploit, remote, arbitrary, shell
systems | windows
advisories | CVE-1999-1011
SHA-256 | 382234f494b3e6be1ceaa9dc39e8b06bf8faad703997a8f0eec9259b5d187113
Apache Struts 2.2.1.1 Remote Command Execution
Posted Jun 5, 2012
Authored by sinn3r, juan vazquez, Johannes Dahse, Andreas Nusser | Site metasploit.com

This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions less than or equal to 2.2.1.1. This issue is caused because the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

tags | exploit, java, remote, arbitrary
advisories | CVE-2012-0391, OSVDB-78277
SHA-256 | 0b05a1b978021a7e230996613260f0f4ba94c92ffadf95f1ba1f5be6cacdbf23
Log1 CMS writeInfo() PHP Code Injection
Posted Jun 3, 2012
Authored by EgiX, sinn3r, Adel SBM | Site metasploit.com

This Metasploit module exploits the "Ajax File and Image Manager" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution.

tags | exploit, remote, arbitrary, php, code execution
advisories | CVE-2011-4825, OSVDB-76928
SHA-256 | 5f8de96e6ea32234373a0a7a5100ed196a91a7eb2302465bc03aeaa9b7bfff70
GIMP script-fu Server Buffer Overflow
Posted Jun 2, 2012
Authored by juan vazquez, Joseph Sheridan | Site metasploit.com

This Metasploit module exploits a buffer overflow in the script-fu server component on GIMP <= 2.6.12. By sending a specially crafted packet, an attacker may be able to achieve remote code execution under the context of the user. This Metasploit module has been tested on GIMP for Windows from installers provided by Jernej Simoncic.

tags | exploit, remote, overflow, code execution
systems | windows
advisories | CVE-2012-2763, OSVDB-82429
SHA-256 | 639458a065dfbd4eece13f18e4a4a8606ca0ea7c1392c33c55adb20317d1bdad
Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow
Posted Jun 2, 2012
Authored by alino, juan vazquez | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode 0x40020006 (GetObjetsRequest) to the 6905/UDP port. The module, which allows code execution under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2 and Windows XP SP3.

tags | exploit, remote, overflow, udp, code execution
systems | windows
advisories | OSVDB-75780
SHA-256 | e3c0a6f5b3a3f26ed4fb9bebaf9f0c8831cc32e99feb9f9583bae8d17e4829c2
Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow
Posted Jun 2, 2012
Authored by alino, juan vazquez | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode 0x40020002 (GetFooterRequest) to the 6905/UDP port. The module, which allows code execution under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2 and Windows XP SP3.

tags | exploit, remote, overflow, udp, code execution
systems | windows
advisories | OSVDB-75780
SHA-256 | 95742b6130c01a360fcb07725b756b00b4f683ebbfffb07615e116c0dbccde5f
Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow
Posted Jun 2, 2012
Authored by alino, juan vazquez | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode 0x40020004 (GetBootRecordRequest) to the 6905/UDP port. The module, which allows code execution under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2 and Windows XP SP3.

tags | exploit, remote, overflow, udp, code execution
systems | windows
advisories | OSVDB-75780
SHA-256 | 48a0910b2afcd24f3d4c665d8c997a2e0fe577dffb6bca3c0ecace91c10b120f
PHP Volunteer Management System v1.0.2 Arbitrary File Upload
Posted May 31, 2012
Authored by sinn3r, Ashoo | Site metasploit.com

This Metasploit module exploits a vulnerability found in PHP Volunteer Management System, versions 1.0.2 and prior. This application has an upload feature that allows an authenticated user to upload anything to the 'uploads' directory, which is actually reachable by anyone without a credential. An attacker can easily abuse this upload functionality first by logging in with the default credential (admin:volunteer), upload a malicious payload, and then execute it by sending another GET request.

tags | exploit, php
SHA-256 | a9247fc86c26d352083bf798cdd011abca8e533b47fe3653ae48f91b1a8c9e3b
VAMCart-InternetShop 0.9 File Upload Code Execution
Posted May 29, 2012
Authored by KedAns-Dz | Site metasploit.com

This Metasploit module exploits a vulnerability in the TinyMCE/tinybrowser plugin. This plugin is not secured in version 0.9 of VAMCart and allows the upload of files on the remote server. By renaming the uploaded file this vulnerability can be used to upload/execute code on the affected system.

tags | exploit, remote
SHA-256 | 2f631d7a476c9b413ae2de8686ab1f98d4e0e9c4ff4f224e34949b05e6bbf3c0
Page 3 of 4
Back1234Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    0 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close