Author : rgod
Page 1 of 409 exploits
 |
Title | Author | Platform | Source | Description | Date |
|---|---|---|---|---|---|---|
|
HP Intelligent Management Center Arbitrary File Upload | rgod | na | juan vazquez | This Metasploit module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated file uploads and handling zip contents in a insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file upload. This Metasploit module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. | March 26 |
|
|
Foxit Reader Plugin URL Processing Buffer Overflow | rgod | na | Sven Krewitt | This Metasploit module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530). | February 14 |
|
|
Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution | rgod | na | juan vazquez | This Metasploit module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX. Several methods in the GWCalServer control use user provided data as a pointer, which allows to read arbitrary memory and execute arbitrary code. This Metasploit module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The JRE6 needs to be installed to achieve ASLR bypass. | February 12 |
|
|
Foxit Reader 5.4.4.1128 Plugin For Firefox Buffer Overflow | rgod | na | retrogod.altervista.org | The Foxit Reader plugin for Firefox suffers from an overly long query string remote stack buffer overflow vulnerability in npFoxitReaderPlugin.dll. Versions 5.4.4.1128 and below are affected. | January 8 |
|
|
NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution | rgod | na | juan vazquez | This Metasploit module abuses a lack of authorization in the NetIQ Privileged User Manager service (unifid.exe) to execute arbitrary perl code. The problem exists in the ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over Windows 2003 SP2, which allows to execute arbitrary code with SYSTEM privileges. | November 21 |
|
|
KeyHelp ActiveX LaunchTriPane Remote Code Execution | rgod | na | juan vazquez | This Metasploit module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several products or GE, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42. When the control is installed with these products, the function "LaunchTriPane" will use ShellExecute to launch "hh.exe", with user controlled data as parameters. Because of this, the "-decompile" option can be abused to write arbitrary files on the remote system. Code execution can be achieved by first uploading the payload to the remote machine, and then upload another mof file, which enables Windows Management Instrumentation service to execute it. Please note that this module currently only works for Windows before Vista. On the other hand, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3 | October 11 |
|
|
Avaya IP Office Customer Call Reporter Command Execution | rgod | na | juan vazquez | This Metasploit module exploits an authentication bypass vulnerability on Avaya IP Office Customer Call Reporter, which allows a remote user to upload arbitrary files through the ImageUpload.ashx component. It can be abused to upload and execute arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2. | October 8 |
|
|
HP ALM Remote Code Execution | rgod | na | juan vazquez | This Metasploit module exploits a vulnerability within the XGO.ocx ActiveX Control installed with the HP Application Lifecycle Manager Client. The vulnerability exists in the SetShapeNodeType method, which allows the user to specify memory that will be used as an object, through the node parameter. It allows to control the dereference and use of a function pointer. This Metasploit module has been successfully tested with HP Application Lifecycle Manager 11.50 and requires JRE 6 in order to bypass DEP and ASLR. | September 25 |
|
|
Oracle BTM FlashTunnelService Remote Code Execution | rgod | na | sinn3r | This Metasploit module exploits abuses the FlashTunnelService SOAP web service on Oracle Business Transaction Management 12.1.0.7 to upload arbitrary files, without authentication, using the WriteToFile method. The same method contains a directory traversal vulnerability, which allows to upload the files to arbitrary locations. In order to execute remote code two techniques are provided. If the Oracle app has been deployed in the same WebLogic Samples Domain a JSP can be uploaded to the web root. If a new Domain has been used to deploy the Oracle application, the Windows Management Instrumentation service can be used to execute arbitrary code. Both techniques has been successfully tested on default installs of Oracle BTM 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. Default path traversal depths are provided, but the user can configure the traversal depth using the DEPTH option. | September 15 |
|
|
HP SiteScope Remote Code Execution | rgod | na | juan vazquez | This Metasploit module exploits a code execution flaw in HP SiteScope. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the getSiteScopeConfiguration operation, available through the APISiteScopeImpl AXIS service, to retrieve the administrator credentials and subsequently abuses the UploadManagerServlet to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2. | September 6 |
|
|
Oracle BTM Server 12.1.0.2.7 Remote Code Execution | rgod | na | retrogod.altervista.org | Oracle Business Transaction Management Server version 12.1.0.2.7 suffers from a remote code execution vulnerability in the FlashTunnelService WriteToFile message. Proof of concept included. | August 7 |
|
|
AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution | rgod | na | retrogod.altervista.org | AOL products downloadUpdater2 plugin suffers from a remote code execution vulnerability. Proof of concept included. | August 7 |
|
|
Oracle BTM 12.1.0.2.7 Remote File Deletion | rgod | na | retrogod.altervista.org | Oracle Business Transaction Management Server version 12.1.0.2.7 suffers from a FlashTunnelService remote file deletion vulnerability. | August 7 |
|
|
AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution | rgod | na | juan | This Metasploit module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This Metasploit module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3. | July 9 |
|
|
IBM Rational ClearQuest CQOle Remote Code Execution | rgod | na | juan vazquez | This Metasploit module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest versions prior to 7.1.1.9, 7.1.2.6 or 8.0.0.2 which allows reliable remote code execution when DEP is not enabled. | July 3 |