This exploit targets HP-UX 11.11/11.0 to obtain a local root shell. Compile the source with cc and run the resulting binary as './x_sw'. Tested on HP-UX B11.11 and HP-UX B11.0. Use at your own risk.
This exploit allows an attacker to inject a spreadsheet formula into a CSV export in Joomla versions 3.9.0 to 3.9.7. By registering a new user with a specially crafted name, the attacker plants a payload that is evaluated when an administrator exports the data and opens the CSV in a spreadsheet application that honours formulas; the code runs on the administrator's workstation, not on the Joomla server.
There is a CSV injection vulnerability in the Export function of the Search Meter plugin version (affected version not stated). The payload is entered in the WordPress search bar; when the logged searches are exported as CSV and the file is opened in Excel, the payload is evaluated as a formula.
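Both entries above describe the same client-side failure: a user-controlled string that begins with a formula trigger is written verbatim into a CSV export. The following added example (not code from Joomla, Search Meter, or either advisory) shows a minimal exporter that neutralises such cells, plus a scanner that flags formula-like cells in an existing CSV file. The rows, names and payload strings are constructed for the demonstration.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a formula,
# plus the tab and carriage-return tricks used to smuggle a trigger past naive filters.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula trigger with a single quote so the spreadsheet shows it as text."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_rows(rows, safe=True):
    """Serialise rows to CSV text; with safe=False the raw cells are written unchanged
    (the vulnerable behaviour), with safe=True every cell passes through neutralize_cell."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([neutralize_cell(cell) if safe else cell for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text and return (row, column, cell) for every cell that would be
    evaluated as a formula when opened in a spreadsheet."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((r, c, cell))
    return hits


# Constructed sample: a user table in which two "names" carry classic DDE-style payloads.
SAMPLE_ROWS = [
    ["id", "name", "email"],
    ["1", "alice", "alice@example.com"],
    ["2", "=cmd|' /C calc'!A0", "mallory@example.com"],
    ["3", "@SUM(1+1)*cmd|' /C calc'!A0", "eve@example.com"],
]


if __name__ == "__main__":
    raw = export_rows(SAMPLE_ROWS, safe=False)
    print("unsafe export flags:", find_formula_cells(raw))
    print("safe export flags:", find_formula_cells(export_rows(SAMPLE_ROWS)))
```

The single-quote prefix is the common spreadsheet convention for "treat as literal text"; the caveat is that legitimate values such as negative numbers stored as strings ("-1") are also prefixed, so apply the neutralisation only to free-text columns or accept the cosmetic change. The scanner is the check an incident responder can run over an export before opening it.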
An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists in the SIZE command when the path contains a \..\..\ substring, allowing an attacker to determine whether files outside the configured root exist from the server's response.
A successful attempt would require the local user to place their code in the system root path without detection by the OS or other security software, so that it is executed during application startup or after a reboot. If successful, the local user's code would run with the elevated privileges of the application.
This module can detect and exploit the backdoor of PHPStudy.
This exploit targets the isusweb.dll file shipped with Macrovision InstallShield. It overwrites a Structured Exception Handler (SEH) record to gain control of program flow. The included shellcode launches calc.exe. Tested on Windows XP SP2 (fully patched) English with IE6 and isusweb.dll version 5.1.100.47363.
This module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.
This module exploits an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM behind Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. This is a port of neex's original exploit code. First, it detects the correct parameters (query string length and custom header length) needed to trigger code execution; this step also determines whether the target is actually vulnerable (Check method). Then, the exploit sets a series of PHP INI directives to create a file locally on the target, which enables code execution through a query string parameter. This is used to execute normal payload stagers. Finally, the module cleans up by killing the local PHP-FPM workers (they are respawned automatically) and removing the created local file.
This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. The module tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\admin using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials provided by the user). It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell.
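The Core FTP and ActiveMQ entries are both backslash-separated traversals on Windows, which naive "../" filters miss. The following added example (not code from either project or from Metasploit) shows the canonicalisation a practitioner wants on both sides: a root-confinement check for FTP-style relative paths such as the SIZE argument, and a scanner that flags HTTP requests whose decoded, slash-normalised path escapes the fileserver upload prefix. The log lines, hostnames and file names are constructed for the demonstration; the "/fileserver" prefix follows the ActiveMQ path given above.

```python
import posixpath
import re
from urllib.parse import unquote


def decode_and_unify(raw, max_rounds=3):
    """URL-decode until stable (bounded, to defeat double encoding) and turn
    Windows backslashes into forward slashes so dot segments can be resolved."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def canonical_url_path(raw):
    """Absolute URL path with '.' and '..' segments collapsed."""
    return posixpath.normpath("/" + decode_and_unify(raw).lstrip("/"))


def escapes_prefix(raw, prefix):
    """True if the canonical form of raw is not under prefix."""
    canon = canonical_url_path(raw)
    prefix = posixpath.normpath(prefix)
    return not (canon == prefix or canon.startswith(prefix + "/"))


def resolves_inside_root(root, requested):
    """Server-side check for a relative request (e.g. an FTP SIZE argument):
    join it to the root, canonicalise, and require the result to stay under root."""
    root = posixpath.normpath(root)
    rel = decode_and_unify(requested).lstrip("/")
    target = posixpath.normpath(posixpath.join(root, rel))
    return target == root or target.startswith(root + "/")


# Combined-log-style request extraction.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def scan_log(lines, upload_prefix="/fileserver"):
    """Return (method, raw_path, canonical_path) for requests aimed at the upload
    prefix whose canonical path lands outside it."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group("path")
        if decode_and_unify(raw).startswith(upload_prefix + "/") and escapes_prefix(raw, upload_prefix):
            hits.append((m.group("method"), raw, canonical_url_path(raw)))
    return hits


# Constructed sample access log: one backslash traversal, one URL-encoded variant,
# and two benign requests.
SAMPLE_LOG = [
    r'10.0.0.5 - - [12/Jun/2015:10:01:02 +0000] "PUT /fileserver/..\admin/shell.jsp HTTP/1.1" 204 -',
    r'10.0.0.5 - - [12/Jun/2015:10:01:03 +0000] "GET /admin/shell.jsp HTTP/1.1" 200 512',
    r'10.0.0.7 - - [12/Jun/2015:10:02:00 +0000] "PUT /fileserver/report.txt HTTP/1.1" 204 -',
    r'10.0.0.9 - - [12/Jun/2015:10:03:00 +0000] "GET /fileserver/%2e%2e%5cadmin/x.jsp HTTP/1.1" 404 -',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal:", hit)
    print(resolves_inside_root("/srv/ftp", r"\..\..\Windows\win.ini"))
    print(resolves_inside_root("/srv/ftp", "pub/file.txt"))
```

The point of canonicalising before the comparison is that the check never looks for a particular "../" spelling; any separator or encoding that the target OS would honour is folded into one form first. On the server, resolves_inside_root is the guard the SIZE handler lacked; on the wire, scan_log is the retrospective check for the ActiveMQ upload path.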