This Metasploit module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation id done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer objects is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable over java updates.
832d568f84262995932885096374fd29This Metasploit module exploits a vulnerability in Icona SpA C6 Messenger version 1.0.0.1. The vulnerability is in the Downloader ActiveX Control (DownloaderActiveX.ocx). The insecure control can be abused to download and execute arbitrary files in the context of the currently logged-on user.
1b0bd38a24487d48cf49672160173d79This Metasploit module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player's ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than how much is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. At this time, for IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: Based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
e13897802c519c03ae5164b1d2ecb919This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function "_OVConcatPath" which finally uses "strcat" in a insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation path.
d931eb96f3799819a223e13af334d81aThis Metasploit module allows remote attackers to place arbitrary files on a users file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista.
b01ade0319dd4987b8285b4f21c4ed2eThis Metasploit module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer issue is controlled.
0b78b73d96782aa18205e750b111a977This Metasploit module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented via the component extjob.exe which listens on a named pipe called "orcljsex<SID>" and execute arbitrary commands received throw this channel via CreateProcess(). In order to connect to the Named Pipe remotely SMB access is required. This Metasploit module has been tested on Oracle 10g Release 1 where the Oracle Job Scheduler runs as SYSTEM on Windows but it's disabled by default.
b4e7d842beab7ffc75f28b136eb9d163This Metasploit module abuses a command execution vulnerability within the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists within the 'mappy' search command which allows to run python code. To exploit this vulnerability a valid Splunk user with the admin role is required. Unfortunately, Splunk uses a default credential of 'admin:changeme' for admin access, which is used to leverage our attack. The Splunk Web interface runs as SYSTEM on Windows and as root on Linux by default.
294cfa16c9506b36e2aaf7e1e00192ffThis Metasploit module exploits an arbitrary command execution vulnerability in Family Connections 2.7.1. It's in the dev/less.php script and is due to an insecure use of system(). Authentication isn't required to exploit the vulnerability but register_globals must be set to On.
9564c920a76ec78496ab2330c6d14428This Metasploit module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc).
cdf6369de287616478ab5150bd275d56This Metasploit module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker can get the control of the execution flow. This results arbitrary code execution under the context of the user.
6f5954aac28ff3859ec7c0d6b3cb1112This Metasploit module combines two separate issues within Support Incident Tracker versions 3.65 and below to upload arbitrary data and thus execute a shell. The two issues exist in ftp_upload_file.php. The first vulnerability exposes the upload dir used to store attachments. The second vulnerability allows arbitrary file upload since there is no validation function to prevent from uploading any file type. Authentication is required to exploit both vulnerabilities.
739ddfe0d298d16369d8b7893cefd2efThis Metasploit module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code execution under the context of the user.
52f4fae2645df04c9e459cc1c601657eThis Metasploit module exploits an arbitrary PHP code execution flaw in the phpScheduleIt software. This vulnerability is only exploitable when the magic_quotes_gpc PHP option is 'off'. Authentication is not required to exploit the bug. Version 1.2.10 and earlier of phpScheduleIt are affected.
179505f049f45b2c6e2fcf649864c209This Metasploit module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When viewing a malicious PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a buffer and execute arbitrary code. This exploit has been tested on systems such as Windows XP SP3, Windows Vista, and Windows 7.
dc97219886104e2e0f19efe547d104d7This Metasploit module exploits a heap overflow in Realplayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is allocated on the heap and user-supplied data from the file is copied within a memory copy loop. This allows a remote attacker to execute arbitrary code running in the context of the web browser via a .QCP file with a specially crafted "fmt" chunk. At this moment this module exploits the flaw on Windows XP IE6, IE7.
6fd55d2d1f45a9927dfae4e3fc454d59This Metasploit module allows remote attackers to place arbitrary files on a users file system by abusing via Directory Traversal attack the "saveXML" method from the "XMLSimpleAccessor" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista.
0b4aa11995c2049a6af2ce9d7ff49c18This Metasploit module exploits a buffer overflow in l3codecx.ax while processing a AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite with 0's so the three least significant bytes of EIP saved on stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note on IE 8 targets, your malicious URL must be a trusted site in order to load the .Net control.
a4fc75931c79408d2af8663e709a2fc9This Metasploit module logs in to an GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads, and executes commands via deploying a malicious WAR. On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.
06ffb6ce20215f71d9e5d4728ef13549This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works against a specific build (ie. NNM 7.53_01195)
1a32c91dbc2998a78f72a8842250d61eThis Metasploit module exploits a stack based overflow vulnerability in the handling of the DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the HEADER section of the DXF file. To trigger the vulnerability an attacker must convince someone to insert a specially crafted DXF file to a new document, go to Insert -> CAD Drawing.
92be6ebfb8678a09411078e55cbd48eb
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed