exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed

Files

KeyHelp ActiveX LaunchTriPane Remote Code Execution
Posted Oct 11, 2012
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several products or GE, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42. When the control is installed with these products, the function "LaunchTriPane" will use ShellExecute to launch "hh.exe", with user controlled data as parameters. Because of this, the "-decompile" option can be abused to write arbitrary files on the remote system. Code execution can be achieved by first uploading the payload to the remote machine, and then upload another mof file, which enables Windows Management Instrumentation service to execute it. Please note that this module currently only works for Windows before Vista. On the other hand, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3

tags | exploit, remote, arbitrary, code execution, activex
systems | windows
advisories | CVE-2012-2516, OSVDB-83311
SHA-256 | ddfde3a6cd95fb91cc1c6b3a0ce469bb1d439179f47acc6c7c8348a5fef601f0

Related Files

Adobe Flash Player 11.3 Font Parsing Code Execution
Posted Aug 17, 2012
Authored by sinn3r, Alexander Gavrun, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild.

tags | exploit, remote, arbitrary, code execution, activex
advisories | CVE-2012-1535, OSVDB-84607
SHA-256 | b495613b72210817067894eb7ff5c08f46dcd44c9088ea935d0a7be729049d9a
Windows Service Trusted Path Privilege Escalation
Posted Aug 15, 2012
Authored by sinn3r | Site metasploit.com

This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths: C:\program.exe, and C:\program files\hello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some softwares such as OpenVPN 2.1.1, or OpenSSH Server 5, etc... all have the same problem.

tags | exploit
systems | windows
SHA-256 | 13ee2928c651d3a5639e180e5f2cafa4d077977aeeeb2da9a34de919ec969a8e
globalSCAPE CuteZIP Stack Buffer Overflow
Posted Aug 15, 2012
Authored by C4SS!0 G0M3S, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow vulnerability in version 2.1 of CuteZIP. In order for the command to be executed, an attacker must convince the target user to open a specially crafted zip file with CuteZIP. By doing so, an attacker can execute arbitrary code as the target user.

tags | exploit, overflow, arbitrary
SHA-256 | 0eb1f8858ec5246ac33385d821777542b928e2d0bb98e4789b086a62b732d909
Novell ZENworks Asset Management Remote Execution
Posted Aug 14, 2012
Authored by juan vazquez | Site metasploit.com

This Metasploit module exploits a path traversal flaw in Novell ZENworks Asset Management 7.5. By exploiting the CatchFileServlet, an attacker can upload a malicious file outside of the MalibuUploadDirectory and then make a secondary request that allows for arbitrary code execution.

tags | exploit, arbitrary, code execution
advisories | CVE-2011-2653, OSVDB-77583
SHA-256 | 0b8fb5d16df4fc969d43e3061660de06ffdf0cfc0581883a9f80e8a04b40a600
Cyclope Employee Surveillance Solution 6 SQL Injection
Posted Aug 14, 2012
Authored by loneferret, sinn3r | Site metasploit.com

This Metasploit module exploits a SQL injection found in Cyclope Employee Surveillance Solution. Because the login script does not properly handle the user-supplied username parameter, a malicious user can manipulate the SQL query, and allows arbitrary code execution under the context of 'SYSTEM'.

tags | exploit, arbitrary, code execution, sql injection
advisories | OSVDB-84517
SHA-256 | 943d1370d3c4c203bec054c6328adda12b9aa04b01b7010bb71dea9ec2bef8a7
TestLink 1.9.3 Arbitrary File Upload
Posted Aug 14, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in TestLink versions 1.9.3 and prior. This application has an upload feature that allows any authenticated user to upload arbitrary files to the '/upload_area/nodes_hierarchy/' directory with a randomized file name. The file name can be retrieved from the database using SQL injection.

tags | exploit, arbitrary, sql injection
SHA-256 | d7801d84f2c0b381a4eab2c495d1007bc1e69f64d876b88ff24732a4755a2f71
NetDecision 4.2 TFTP Writable Directory Traversal Execution
Posted Aug 9, 2012
Authored by Rob Kraus, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in NetDecision 4.2 TFTP server. The software contains a directory traversal vulnerability that allows a remote attacker to write arbitrary file to the file system, which results in code execution under the context of user executing the TFTP Server.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2009-1730, OSVDB-54607
SHA-256 | 0d13cee7943b511e1894639ec337c177f0900b866756b484b6bf6fa8eab38bed
PHP IRC Bot pbot eval() Remote Code Execution
Posted Aug 8, 2012
Authored by Evilcry, juan vazquez, bwall, Jay Turla | Site metasploit.com

This Metasploit module allows remote command execution on the PHP IRC bot pbot by abusing the usage of eval() in the implementation of the .php command. In order to work, the data to connect to the IRC server and channel where find pbot must be provided. The module has been successfully tested on the version of pbot analyzed by Jay Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP SP3.

tags | exploit, remote, php
systems | linux, windows, ubuntu
SHA-256 | af5927c4e9d6a607a05e48844259bb81f722ee9404fcdab77834d99f0a04d614
Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow
Posted Aug 7, 2012
Authored by juan vazquez, Brian Gorenc | Site metasploit.com

This Metasploit module exploits a vulnerability found in the AutoVue.ocx ActiveX control. The vulnerability, due to the insecure usage of an strcpy like function in the SetMarkupMode method, when handling a specially crafted sMarkup argument, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page. The module has been successfully tested against Oracle AutoVue Desktop Version 20.0.0 (AutoVue.ocx 20.0.0.7330) on IE 6, 7, 8 and 9 (Java 6 needed to DEP and ASLR bypass).

tags | exploit, java, web, overflow, code execution, activex
advisories | CVE-2012-0549, OSVDB-81439
SHA-256 | d858c8b6d6fe0d0ffc9d06afc12e482599a5ca2b027ef372734fa46886a66c4d
Zenoss 3 showDaemonXMLConfig Command Execution
Posted Aug 3, 2012
Site metasploit.com

This Metasploit module exploits a command execution vulnerability in Zenoss 3.x which could be abused to allow authenticated users to execute arbitrary code under the context of the 'zenoss' user. The show_daemon_xml_configs() function in the 'ZenossInfo.py' script calls Popen() with user controlled data from the 'daemon' parameter.

tags | exploit, arbitrary
SHA-256 | 33a140d75ff71c375fe706c83c3e8477cf89926c68093442613d62be2a4e1ddd
Psexec Via Current User Token
Posted Aug 3, 2012
Authored by Jabra, egypt | Site metasploit.com

This Metasploit module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the service(s). The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash.

tags | exploit, remote
advisories | CVE-1999-0504, OSVDB-3106
SHA-256 | 1266e769e519a09d7281cc5e6e4bf971bf2865f98a66227eb701a97be346b69f
Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow
Posted Aug 3, 2012
Authored by Carsten Eiram, juan | Site metasploit.com

This Metasploit module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, when handling a specially crafted sURL argument, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page.

tags | exploit, web, overflow, code execution
systems | cisco
advisories | CVE-2012-0284
SHA-256 | 5a88ff9a13dc712f648150200591ec804a09cb0631600c4db7449f3c17604a4b
Dell SonicWALL Scrutinizer 9 SQL Injection
Posted Aug 3, 2012
Authored by muts, sinn3r, Devon Kearns | Site metasploit.com

This Metasploit module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. Please note that authentication is NOT needed to exploit this vulnerability.

tags | exploit, remote, php, code execution
advisories | CVE-2012-2962, OSVDB-84232
SHA-256 | 2fd37f85b3b97b8f8c3c3028dc3ce694832b09af2ec361d954d869e453380a88
Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
Posted Aug 1, 2012
Authored by Alexandre Pelletier | Site metasploit.com

This Metasploit module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code.

tags | exploit, overflow, javascript
advisories | CVE-2012-1876, OSVDB-82866
SHA-256 | aaf1f1bff58af8d0e890f965766d5618a2de8a76a4a4edc1da853071f2054364
WebPageTest Arbitrary PHP File Upload
Posted Aug 1, 2012
Authored by dun, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in WebPageTest's Upload Feature. By default, the resultimage.php file does not verify the user-supplied item before saving it to disk, and then places this item in the web directory accessable by remote users. This flaw can be abused to gain remote code execution.

tags | exploit, remote, web, php, code execution
advisories | OSVDB-83822
SHA-256 | 12ff7aba4342dfbb7f5a516aa01579569cbaf4c1cb86bb84f42047ca2ada8e0b
Microsoft Office SharePoint Server 2007 Remote Code Execution
Posted Jul 30, 2012
Authored by James Burton, juan, Oleksandr Mirosh | Site metasploit.com

This Metasploit module exploits a vulnerability found in SharePoint Server 2007 SP2. The software contains a directory traversal, that allows a remote attacker to write arbitrary files to the filesystem, sending a specially crafted SOAP ConvertFile request to the Office Document Conversions Launcher Service, which results in code execution under the context of 'SYSTEM'. The module uses uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers. It has been successfully tested on Office SharePoint Server 2007 SP2 over Windows 2003 SP2.

tags | exploit, remote, arbitrary, code execution
systems | windows
advisories | CVE-2010-3964, OSVDB-69817
SHA-256 | 7ad8e7d26bc7d8213c68e74fdb77fb2a0f223d16965a4e6425e8d2f9797435cd
Sysax Multi Server 5.64 Buffer Overflow
Posted Jul 29, 2012
Authored by Craig Freyman, Matt Andreko | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the create folder function in Sysax Multi Server 5.64. This issue was fixed in 5.66. You must have valid credentials to trigger the vulnerability. Your credentials must also have the create folder permission and the HTTP option has to be enabled. This Metasploit module will log into the server, get your a SID token and then proceed to exploit the server. Successful exploits result in LOCALSYSTEM access. This exploit works on XP SP3, and Server 2003 SP1-SP2.

tags | exploit, web, overflow
SHA-256 | 121e5304fc0c68efcbe91a4bd17f067fad4fef74c609ee089fb5929981de2e57
Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection
Posted Jul 27, 2012
Authored by muts, sinn3r | Site metasploit.com

This Metasploit module exploits a command injection vulnerability found in Symantec Web Gateway's HTTP service. While handling the filename parameter, the Spywall API does not do any filtering before passing it to an exec() call in proxy_file(), thus results in remote code execution under the context of the web server. Please note authentication is NOT needed to gain access.

tags | exploit, remote, web, code execution
advisories | CVE-2012-2953
SHA-256 | 0cd8a8da3d231693715d4e8b287a75415523666ac53647e469041b791662ac0b
Cisco Linksys PlayerPT ActiveX Control Buffer Overflow
Posted Jul 27, 2012
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page.

tags | exploit, web, overflow, code execution
systems | cisco
advisories | OSVDB-80297
SHA-256 | 2dfadd85c9c6ae2a3b6dbc4fd0a0377aac24947c5d90300dbf9bd50e9aa7ebe9
CuteFlow 2.11.2 Arbitrary File Upload
Posted Jul 27, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in CuteFlow version 2.11.2 or prior. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/___1/' directory and then execute it.

tags | exploit, arbitrary
SHA-256 | 7e52dec1e5036e52df909f5beaef31339c50c613b21624d2406a52176b941892
Photodex ProShow Producer 5.0.3256 Buffer Overflow
Posted Jul 26, 2012
Authored by mr.pr0n, Julien Ahrens, juan | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in Photodex ProShow Producer version 5.0.3256 in the handling of the plugins load list file. An attacker must send the crafted "load" file to victim, who must store it in the installation directory. The vulnerability will be triggered the next time ProShow is opened. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.

tags | exploit, overflow
systems | windows
advisories | OSVDB-83745
SHA-256 | bf2514d474a7b08d3b8119c8f11509c92a1414014f2de791e9a5e94b2b9e0c03
Simple Web Server Connection Header Buffer Overflow
Posted Jul 23, 2012
Authored by mr.pr0n, juan | Site metasploit.com

This Metasploit module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send a long string data in the Connection Header to cause an overflow on the stack when function vsprintf() is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and Windows XP SP3.

tags | exploit, remote, web, overflow, arbitrary, code execution
systems | windows
SHA-256 | ef2c81d5811597767d04bfb232a9ea85a237262aae453dc634269ab733bcb34c
EGallery PHP File Upload Vulnerability
Posted Jul 23, 2012
Authored by Sammy FORGIT, juan | Site metasploit.com

This Metasploit module exploits a vulnerability found in EGallery 1.2 By abusing the uploadify.php file, a malicious user can upload a file to the egallery/ directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on Ubuntu 10.04.

tags | exploit, arbitrary, php, code execution
systems | linux, ubuntu
advisories | OSVDB-83891
SHA-256 | 526da632857518ba04c937502d05234c1849101abc35c576432b65f2a4fbe5d5
Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow
Posted Jul 19, 2012
Authored by Luigi Auriemma, juan | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x4c (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, tcp
systems | windows
advisories | CVE-2011-3176, OSVDB-80231
SHA-256 | eb8d23c0d1251c7dcb0480044c6de8f7f8d9c2d7e8de5b4a78afffe09b659c78
Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow
Posted Jul 19, 2012
Authored by Luigi Auriemma, juan | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, tcp
systems | windows
advisories | CVE-2011-3175, OSVDB-80231
SHA-256 | 7d25707a364b6e8cc80a0819d82a572cf3f8dd0815e6c1b374eaa52379c9f479
Page 1 of 4
Back1234Next

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close