This Metasploit module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type.
005913ddf25b7acabbb0edd6681266dc995949db8aea2e77e72ddf197898b629This Metasploit module exploits a format string vulnerability within version 10.0.4.x and 10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX control (epi.dll). By calling the 'AuthCredential' method with a specially crafted Unicode format string, an attacker can cause memory corruption and execute arbitrary code. Unfortunately, it does not appear to be possible to indirectly re-use existing stack data for more reliable exploitation. This is due to several particulars about this vulnerability. First, the format string must be a Unicode string, which uses two bytes per character. Second, the buffer is allocated on the stack using the 'alloca' function. As such, each additional format specifier (%x) will add four more bytes to the size allocated. This results in the inability to move the read pointer outside of the buffer. Further testing showed that using specifiers that pop more than four bytes does not help. Any number of format specifiers will result in accessing the same value within the buffer. NOTE: It may be possible to leverage the vulnerability to leak memory contents. However, that has not been fully investigated at this time.
44c91575bcf5cfcee3625ae9794e540cb1b6e65be40393ce904c9bd2a2d9d756This Metasploit module exploits a buffer overflow in Apple QuickTime 7.6.6. When processing a malformed SMIL uri, a stack-based buffer overflow can occur when logging an error message.
eb6f5cf465624dd5e4de136d92a011d658eff5c54e74834f9b55ac758fdc68b2This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This Metasploit module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
9da276a24a186e88eecee809f9c847b33c7567cfb9d16ca26be2ac512e489408This Metasploit module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command, you must have access to an account that can create directories. After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'. This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information.
64b443540fdeb96bc8d215db2cda4309e4f7a47ab91c999760aa2ec1b4c4e8cbThis Metasploit module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11. credit goes to Karn Ganeshan. NOTE: Although, this is likely to exploit the same vulnerability as the 'easyftp_cwd_fixret' exploit, it uses a slightly different vector.
e0ad32d2bd863526c4c30afdbdbb2363ca018d9f92d5dd8adb0cbbb6853e1250This Metasploit module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing the 'path' parameter supplied to an HTTP GET request, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. After version 1.7.0.12, this package was renamed "UplusFtp". Due to limited space, as well as difficulties using an egghunter, the use of staged, ORD, and/or shell payloads is recommended.
db54552b60a46cc551e6f2b027066ebce8c0bf14e91553ea190e2a4206a71b5aThis Metasploit module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods with an overly long first argument, an attacker can overrun a buffer and execute arbitrary code.
e26ab2a5222c307d647627ec82c5fdecaea972d112ff93a4e71a4e9cde863488This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This Metasploit module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
02b7a4d416053d7ead37976f6d7d16df09d4d947e59b569a8c904c94108c01afThis exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to get the chunk to be processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection. NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration.
62e4dbdef10ca045ef1ec88681d7b84288ebd9bf3ef44718fc8ad5724142a978This Metasploit module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment() method.
8bc89c8613979d44be9747d0a887fce9f0459d5d6182d9efc465b994ee91205bThis Metasploit module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. NOTE: This Metasploit module will leave a metasploit payload in the IIS scripts directory.
641ff99aa7811add9ad4dcc768fb2145b5eaa76f8f0c9f211e656f570bea2703This Metasploit module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable. By creating a specially crafted ipj file, an attacker may be able to execute arbitrary code. NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
d487bf3a03cfdebd126e3b50fa65fc5bba22a39f6bc020af9d9f9429f2ff2e0cThis exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This Metasploit module was tested successfully against master.exe as included with Real Network\\'s Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This Metasploit module does not work with NX/XD enabled but could be modified easily to do so. The address
aac546a12d692ebd057d13d7aa3574502e33b1a073c8fc628113830052ea405cThis Metasploit module exploits a vulnerability in the OpenX advertising software. In versions prior to version 2.8.2, authenticated users can upload files with arbitrary extensions to be used as banner creative content. By uploading a file with a PHP extension, an attacker can execute arbitrary PHP code. NOTE: The file must also return either "png", "gif", or "jpeg" as its image type as returned from the PHP getimagesize() function.
2e56b8901b6db7e4ccae093ae10e96fb0dd8d90f34d2fca0bd7b5f5294957b13This Metasploit module exploits a buffer overflow in Sun Java Web Server prior to version 7 Update 8. By sending an "OPTIONS" request with an overly long path, attackers can execute arbitrary code. In order to reach the vulnerable code, the attacker must also specify the path to a directory with WebDAV enabled. This exploit was tested and confirmed to work on Windows XP SP3 without DEP. Versions for other platforms are vulnerable as well. The vulnerability was originally discovered and disclosed by Evgeny Legerov of Intevydis.
c3475168b519e0a4d79aa02d77825b2c1bfbe2132656b22f2313752701602378This Metasploit module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful, as well as unsuccessful exploitation attempts will kill the service which prevents additional attempts.
4b384496a9fedaf168ba74cf8d8925d3e9590dc5accf8891f160d2def02e74d1This Metasploit module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 "are believed to be affected by this vulnerability." In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
aed095959e7fb49ead9d940a99e35f4900f138562041229b74340d7ea5e82167This Metasploit module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 "are believed to be affected by this vulnerability."
2e5503b022c0eff22f86ef53b4b82291d06f5226c0191d0bf171a4153b4e71acThis Metasploit module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CUE file. NOTE: A file with the same base name, but the extension of "bin" must also exist. Opening either file will trigger the vulnerability, but the files must both exist.
fc09c8dc01c38a077fed4faed0017f5c4c92e09f67b17b911db36ba4850952aeThis Metasploit module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CCD file. NOTE: A file with the same base name, but the extension of "img" must also exist. Opening either file will trigger the vulnerability, but the files must both exist.
30e02aa6984aacb11b71fa29122741f9292b8c26198078a7f112e2fb44fa522cThis Metasploit module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.
3a7d2ec293fa5beb18d660430498e335a3cf47a9b9772d0f9676936c0d86d48dThis Metasploit module exploits a stack-based buffer overflow in David Manthey's Orbital Viewer. When processing .ORB files, data is read from file into a fixed-size stack buffer using the fscanf function. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an ORB file.
46ef3749fafdda88696ed761f5421d74f5a63031de7f9f8a7eedcc6d42bda3cdThis Metasploit module allows attackers to execute code via the 'WriteFile' unsafe method of Chilkat Software Inc's Crypt ActiveX control. This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to execute our payload immediately. However, this method requires that the victim user be browsing with Administrator. Additionally, this method will not work on newer versions of Windows. NOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.
f5fc358c931e5cad863d48c12b7b5bd2f2586f9cca6246339d327cfef13918bdThis Metasploit module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when building the error message. This is due to the use of sprintf() without proper bounds checking. NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified.
8a257918eee93537e405cc218701960973136185e85d5e2b8f61efc33ae7b6b3
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed