This Metasploit module exploits an authentication bypass vulnerability in Solarwinds Storage Manager. The vulnerability exists in the AuthenticationFilter, which allows to bypass authentication with specially crafted URLs. After bypassing authentication, is possible to use a file upload function to achieve remote code execution. This Metasploit module has been tested successfully in Solarwinds Store Manager Server 5.1.0 and 5.7.1 on Windows 32 bits, Windows 64 bits and Linux 64 bits operating systems.
8e0158bd6ed6894515f4b2ee12c6dea89374d232c9a98949f115bcf2c61c7927This Metasploit module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be abused to upload a malicious file onto an arbitrary location due to a directory traversal flaw, and compromise the server. By default Oracle Event Processing uses a Jetty Application Server without JSP support, which limits the attack to WbemExec. The current WbemExec technique only requires arbitrary write to the file system, but at the moment the module only supports Windows 2003 SP2 or older.
354b179956fa5730561cdacb3cb83ea87cbbaf8af2b2d69f7b545cc36d2d4223This Metasploit module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to get its objective. First, the AutoPass application doesn't enforce authentication in the CommunicationServlet component. On the other hand, it's possible to abuse a directory traversal when uploading files thorough the same component, allowing to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
dd2fd87c80023443848e47bf145fc594ce2617436c0759a85eb64c8248dbcdb7This Metasploit module abuses several directory traversal flaws in Rocket Servergraph Admin Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet, allowing a remote attacker to write arbitrary files and execute commands with administrative privileges. This Metasploit module has been tested successfully on Rocket ServerGraph 1.2 over Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu 12.04 64 bits.
6e5d60b2a820df1fa23141aca83b453d17a395a8fac173dda8ddc42205721c6fThis Metasploit module exploits a code execution flaw in Symantec Workspace Streaming. The vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the as_agent.exe service, which allows for uploading arbitrary files under the server root. This Metasploit module abuses the auto deploy feature in the JBoss as_ste.exe instance in order to achieve remote code execution. This Metasploit module has been tested successfully on Symantec Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single machine deployment, and also in the backend role in a multiple machine deployment.
cb1b416c6a81192072db5387c939127cc89639e3ba035c140a68125e64bbc407This Metasploit module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability is due to a dangerous usage of strcpy-like function, and occurs while parsing malformed XFDL files, with a long fontname value. This Metasploit module has been tested successfully on IBM Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.
8c139782a403921bdba77c8856a91b24673a1e9c2f049de54c66647ee1019e52This Metasploit module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the APISiteScopeImpl web service, specifically in the issueSiebelCmd method, which allows the user to execute arbitrary commands without authentication. This Metasploit module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2, Windows 2008 and CentOS 6.5.
b961edaf771081e73dba11e81febc940689847d6bed6412bc6f0a4ad23ff2aaeEMC Data Protection Advisor version 5.8 sp5 suffers from a DPA Illuminator EJBInvokerServlet remote code execution vulnerability. Proof of concept code included.
bec0bb61454387d713dc7ce4ade6cefcbc27df7b553ab6873ee83cad51e2a1c6This Metasploit module exploits a code execution flaw in Cisco Data Center Network Manager. The vulnerability exists in processImageSave.jsp, which can be abused through a directory traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss application server feature is used to achieve remote code execution. This Metasploit module has been tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2 (64 bits).
a8b1e9381f38a27ba3bb8e6624bca069e80ca49aa765a1ba3132167371bfd9bdSymantec Workspace Streaming version 7.5.0.493 suffers from a SWS streamlet engine invoker servlets remote code execution vulnerability. Proof of concept code included.
013fe724276f3efdcdb2e04f6e5462344632c6aeb84259e399b9fb314b8d088dThis Metasploit module exploits a directory traversal vulnerability on the version 5.2 of the BIMS component from the HP Intelligent Management Center. The vulnerability exists in the UploadServlet, allowing the user to download and upload arbitrary files. This Metasploit module has been tested successfully on HP Intelligent Management Center with BIMS 5.2 E0401 on Windows 2003 SP2.
259ed051cf78d79d3dc1060b81ae4b7df6b46139d8805a2a7c01408edc69946dApache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) marshalled object remote code execution exploit.
b275ef861edfedcc0c2663fb34bc9cd3f90533f1d025aca7c3f439465142c3d5This Metasploit module exploits the SEListCtrlX ActiveX installed with the SIEMENS Solid Edge product. The vulnerability exists on several APIs provided by the control, where user supplied input is handled as a memory pointer without proper validation, allowing an attacker to read and corrupt memory from the target process. This Metasploit module abuses the methods NumChildren() and DeleteItem() in order to achieve memory info leak and remote code execution respectively. This Metasploit module has been tested successfully on IE6-IE9 on Windows XP SP3 and Windows 7 SP1, using Solid Edge 10.4.
e226e603a3f8f22c21c0f2712cbfeaa7a0838b3fecca9d66915509a6db1d2185This Metasploit module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This Metasploit module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.
c9ac22deeaaeec7f4f88fb2108052d3e62513624019a0ece3319ace029dc61b8This Metasploit module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to upload the file. This Metasploit module has been tested successfully on the SNAC server installed with HP ProCurve Manager 4.0.
035ab4f7cfde066435067dd5814bd3a0184f062d3375d4af40bf2b00ed890298This Metasploit module exploits a code execution flaw in HP SiteScope. The vulnerability exists on the opcactivate.vbs script, which is reachable from the APIBSMIntegrationImpl AXIS service, and uses WScript.Shell.run() to execute cmd.exe with user provided data. Note which the opcactivate.vbs component is installed with the (optional) HP Operations Agent component. The module has been tested successfully on HP SiteScope 11.20 (with HP Operations Agent) over Windows 2003 SP2.
02888ebdda6dc97a16fcb507f825f9cfbf26bc98824bc1efc03e5b0ff9d28b2fThis Metasploit module exploits a vulnerability on the lrFileIOService ActiveX, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method where user provided data is used as a memory pointer. This Metasploit module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll 11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is used. This one is installed with HP LoadRunner.
a5e106a110e475d117b3500d373abbf472e7b81cec4cfdde2c8f9d7957853a9bThis Metasploit module exploits a command injection vulnerability on the Oracle Endeca Server 7.4.0. The vulnerability exists on the createDataStore method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This Metasploit module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).
fdafe64c526b291f8bc73bfd5eb8e62b37efd1524e773b087d3cc9cb3a8c5297This Metasploit module exploits a stack based buffer overflow on Cogent DataHub 7.3.0. The vulnerability exists in the HTTP server - while handling HTTP headers, a strncpy() function is used in a dangerous way. This Metasploit module has been tested successfully on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3.
159df1a050ad08d1ce4d2748e5bada31fccd4a02cc740c4ae686bf707ba3327fThis Metasploit module attempts to gain remote code execution on a server running Novell Zenworks Mobile Device Management.
c205bff74ab5ba4eec1ea5921658071d152b4c705815f098f1d662c072858873This Metasploit modules exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where user controlled input is used to call ShellExecuteExW(). This Metasploit module abuses the control to execute an arbitrary HTA from a remote location. This Metasploit module has been tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle WebCenter Content 11.1.1.6.0.
b0e1c2b4d5000f5d54ab03faad81b1e6f76cdaf93878521b78deb176531d5582SIEMENS Solid Edge ST4 SEListCtrlX active-x control SetItemReadOnly suffers from an arbitrary memory rewrite remote code execution vulnerability. Proof of concept included.
6c6ea1a9c072ee2af175d48c30c8a9025b2eddad5dddcf7ee400ddb53f111796SIEMENS Solid Edge ST4 WebPartHelper active-x control RFMSsvs!JShellExecuteEx suffers from a remote command execution vulnerability. Proof of concept included.
bba4a31d339af5605fe114b27057d1acf37770767071972f2e917ba1e3684b20Borland Silk Central version 12.1 TeeChart Pro active-x control suffers from an AddSeries remote code execution vulnerability.
3487efa60e709db37782fa39c6eb16e87b57eb70ce5b1c0251f9a7ceec7a159aBorland Caliber version 11.0 Quiksoft EasyMail SMTP object suffers from buffer overflow vulnerabilities.
aae8950056570990cc0938976eec20957c20f9394f5b40c527b4b831ee1b5e5f
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed