The LiteManager 4.5.0 software has insecure file permissions that allow an attacker to escalate privileges on the system. By replacing the legitimate ROMFUSClient.exe file with a malicious one, an attacker can execute arbitrary code with elevated privileges. This exploit code adds a new user, adds the user to the Administrators group, and grants full access to the C drive. When a more privileged user connects and uses the ROMFUSClient IDE, the privilege escalation is successful.
The ProShow Producer 9.0.3797 software has an unquoted service path vulnerability in the 'ScsiAccess' service. This vulnerability allows an attacker with local access to the system to escalate privileges and execute arbitrary code.
Product is vulnerable to host header injection because the host header can be changed to something outside the target domain (ie.evil.com) and cause it to redirect to that domain instead.
The --url parameter included in the GNU Mailutils maidag utility can be abused to write to arbitrary files on the host operating system, leading to local privilege escalation. By default, maidag is set to execute with setuid root permissions.
WARNING: Successful execution of this module results in /etc/passwd being overwritten. This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. A valid administrator session ID is required in lieu of untested SSRF.
The category.php and editadgroup.php files in Wallpaper site 1.0.09 are vulnerable to SQL Injection. An attacker can exploit the vulnerability by injecting SQL code in the catid parameter of category.php and the groupid parameter of editadgroup.php. This can lead to unauthorized access to sensitive information such as login credentials and passwords.
This is a remote crash exploit for PopMessenger <= 1.60 (20 Sep 2004). The exploit sends multiple packets containing an incorrect base64 character in the message field, causing the program to crash.
This module exploits a vulnerability in Bludit. A remote user could abuse the uuid parameter in the image upload feature in order to save a malicious payload anywhere onto the server, and then use a custom .htaccess file to bypass the file extension check to finally get remote code execution.
This module uses the FreeSWITCH event socket interface to execute system commands using the `system` API command. The event socket service is enabled by default and listens on TCP port 8021 on the local network interface. This module has been tested successfully on FreeSWITCH versions: 1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine; 1.8.4~64bit on Ubuntu 19.04 (x64); and 1.10.1~64bit on Windows 7 SP1 (EN) (x64).
Services By CQR
