This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes an EXE and then (ab)uses the impersonation vulnerability a second time to create a secondary RPC connection to the \PIPE\ATSVC named pipe. We then proceed to create a remote AT job using a blind NetrJobAdd RPC call.
This module exploits a stack buffer overflow in AT-TFTP v1.9 by sending a request (get/write) for an overly long file name.
This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it to a .jar file, then signs the .jar with a dynamically created certificate containing values of your choosing. This is presented to the end user via a web page with an applet tag, loading the signed applet. The user's JVM pops a dialog asking if they trust the signed applet and displays the values chosen. Once the user clicks 'accept', the applet executes with full user permissions. The java payload used in this exploit is derived from Stephen Fewer's and HDM's payload created for the CVE-2008-5353 java deserialization exploit.
Input passed to the 'description.php' script is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
This exploit allows an attacker to traverse the directory structure of an iPod Touch/iPhone device running the iFileExplorer application. The exploit is achieved by sending a crafted URL to the device, which allows the attacker to access the AddressBook.sqlitedb file. The attacker can then use SQLite commands to extract the address book information from the device.
An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. This request contains a specially crafted SQL query that can be used to extract data from the database, modify data, delete data, or perform other malicious actions.
A vulnerability in the COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 allows an unauthenticated attacker to gain access to the router's passwords. By sending a GET request to the router's password.cgi page, the attacker can view the router's passwords in plaintext.
This exploit allows an attacker to execute arbitrary code on a vulnerable system. It is triggered by sending a specially crafted HTTP request to the vulnerable system. The request contains a malicious command that is executed on the vulnerable system.
A SQL injection vulnerability exists in Limelight Software Ltd's article.php page, which allows an attacker to inject malicious SQL queries into the application. This can be exploited to manipulate the application's database and gain access to sensitive information. The vulnerability is present when user-supplied input is not properly sanitized before being used in an SQL query.
There is a directory traversal vulnerability in TIOD. Testing the exploit involves connecting to the server via FTP and using the 'dir' and 'get' commands to traverse the directory structure and retrieve the 'passwd' file.