The Windows Client Side Caching Driver (csc.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted IOCTL request. The steps performed by the binary exploit are: Null Pointer write to arbitrary kernel R/W through a CscDevFcbXXXControlFile routine which is called by RDBSS to pass a device FCB control request to the network mini-redirector not validating the input buffer in IOCTL 0x001401a3 Overwrite the thread's PreviousMode through the NULL pointer and get an arbitrary read/write memory primitive via NtWriteVirtualMemory/NtReadVirtualMemory SYSTEM token stealing Agent deployment through process injection on the LSASS.exe process
In PHP, when using Apache and PHP-CGI on Windows and if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow remote attackers to pass options to PHP binary being run, leading to execute system commands in the context of the affected application. This module will exploit the vulnerability by using the "cgi.force_redirect=0" parameter and attacking the "/php-cgi/php-cgi.exe" endpoint; which are required to exploit XAMPP on Windows. If the target is vulnerable but is not XAMPP, then the ENDPOINT parameter must point to a proper php script.
In PHP, when using Apache and PHP-CGI on Windows and if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow remote attackers to pass options to PHP binary being run, leading to execute system commands in the context of the affected application. This module will exploit the vulnerability by using the "cgi.force_redirect=0" parameter and attacking the "/php-cgi/php-cgi.exe" endpoint; which are required to exploit XAMPP on Windows. If the target is vulnerable but is not XAMPP, then the TARGET parameter must point to a proper php script.
A java unsafe reflection vulnerability present in Gremlin scripting feature of Apache HugeGraph allows remote attackers to execute system commands in the context of the affected application. This module exploits the vulnerability by sending scripts to the vulnerable endpoint (/gremlin) that bypasses the checks made by the callFromWorkerWithClass function. The bypass consist in changing the current thread name to something else than doesn't contain "gremlin-server-exec" nor "task-worker".
A java unsafe reflection vulnerability present in Gremlin scripting feature of Apache HugeGraph allows remote attackers to execute system commands in the context of the affected application. This module exploits the vulnerability by sending scripts to the vulnerable endpoint (/gremlin) that bypasses the checks made by the callFromWorkerWithClass function. The bypass consist in changing the current thread name to something else than doesn't contain "gremlin-server-exec" nor "task-worker".
A directory traversal vulnerability in the WebResourceServiceImpl class of org.sonatype.nexus.internal.webresources allows unauthenticated remote attackers to download any file, including system files outside of Sonatype Nexus Repository Manager application scope. This module exploits the directory traversal to download the file specified in the "FILE PATH" parameter and to save it locally in the location specified in the "OUTPUT PATH" parameter.
Subscribe to Exploits