This exploit targets the isusweb.dll file in Macrovision Installshield. It overwrites the Structured Exception Handling (SEH) to gain control of the program flow. The exploit includes shellcode that executes the calc.exe program. Tested on Windows XP SP2 (fully patched) English with IE6 and isusweb.dll version 5.1.100.47363.
This module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.
This module exploits an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. This is a port of neex's original exploit code. First, it detects the correct parameters (query string length and custom header length) needed to trigger code execution. This step determines whether the target is actually vulnerable (Check method). Then, the exploit sets a series of PHP INI directives to create a file locally on the target, which enables code execution through a query string parameter. This is used to execute normal payload stagers. Finally, this module does some cleanup by killing local PHP-FPM workers (they are respawned automatically once killed) and removing the created local file.
This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. The module tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..admin using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials provided by the user). It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell.
This exploit takes advantage of a vulnerability in the IBM Domino Web Access Upload Module inotes6.dll. It allows an attacker to overwrite the Structured Exception Handler (SEH) and execute arbitrary code. The exploit has been tested on Windows XP SP2 with IE6 and inotes6.dll versions 6.0.40.0 and 6.0.48.0. The shellcode used in this exploit executes the 'calc.exe' command.
Sentrifugo HRMS version 3.2 (and possibly earlier versions) is affected by a blind SQL injection in the deptid parameter of a POST request to the "/sentrifugo/index.php/holidaygroups/add" resource. This allows an application user without permissions to read sensitive information from the database used by the application.
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the 'target' parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the 'apache' user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via two methods: by generating an API access token based on a hardcoded key, and via SQL injection. This module has been successfully tested on EyesOfNetwork 5.3 with API version 2.4.2.
The RICOH Aficio SP 5200S Printer is vulnerable to code injection through the 'entryNameIn' parameter in the 'adrsGetUser.cgi' HTTP POST request. An attacker can inject malicious HTML code and execute it in the context of the victim's browser.