Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files, which evade warnings on attempts to execute packaged files, even if ZIP file was downloaded from the Internet. The "Mark Of The Web" is not transferred from the Zipped File into the Unzipped File if the target is vulnerable.
This module executes a program designed to check for a buffer overflow in glibc's getaddrinfo function. Multiple stack-based buffer overflows in the send_dg and send_vc functions in the libresolv library in the GNU C Library allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family.
This module executes a program designed to test a buffer overflow in glibc's __nss_hostname_digits_dots function. The function is used by the gethostbyname*() functions family used for name resolution. Under some circumstances, the use of those functions when the vulnerable underlying function is present, may lead to remote code execution, privilege escalation, or information disclosure.
An insufficient input validation leading to memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the /p/u/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine if the target system is vulnerable.
This module exploits a vulnerability in Microsoft Management Console (MMC). This module runs a malicious web server on the CORE IMPACT Console and waits for an unsuspecting user to trigger the exploit by connecting to the web server. The Microsoft Management Console contains a security flaw that allows remote code execution via malicious .msc files with embedded ActiveX control. An attacker sends a crafted .msc file with embedded ActiveX containing a link to a malicious server. The server executes a script to fetch a PowerShell file ultimately deploying an agent.
This module uses an authenticated PHP object deserialization vulnerability to deploy an agent in Roundcube Webmail that will run with the same privileges as the webapp. The module will use the given credentials to authenticate against Roundcube Webmail in the target. Then, it will generate a payload for agent deployment and abuse the _from parameter defined in the upload.php file to inject it in the $_SESSION variable. This variable will be processed by the unserialize function in the rcube_session class. Finally, the module will proceed to logout from the webapp to trigger the PHP object deserialization vulnerability and deploy the agent.
The Vite development server is vulnerable to arbitrary file read due to insufficient path validation when processing URL requests. This exploit sends a crafted URL request to the Vite development server, that includes the target filename combined with an specific parameter. If the server responds 200 OK, after that processes the server's Base64-encoded response through a decoding routine and displays the file contents. Optionally, the exploit can save the leaked file locally where the user defines it in the OUTPUT_PATH parameter.
This exploit leverages an information disclosure vulnerability in Microsoft Windows. By crafting a malicious .library-ms file, an attacker can coerce authentication to an untrusted server and steal NTLMv2 hashes. This exploit does not install an agent, it manages to obtain the NTLMv2 hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.
Subscribe to Exploits