Samsung Security Manager is prone to a privilege-escalation vulnerability that affects Apache Felix Gogo runtime. Due to an insecure default installation of the runtime, an attacker could then send commands that will be executed by the mentioned runtime. This module uses the previous vulnerability to inject an agent inside lsass.exe process.

This module exploits a vulnerability in Rivatuner's core (Rivatuner*.sys, RTCore*.sys), a driver used by hardware tweaking apps Rivatuner, MSI Afterburner, EVGA Precision X (and possibly others). During app operation, the driver is loaded and used to read and write physical memory, MSR registers, io ports, etc. This module abuses said functionality to escalate privileges.

This module exploits a race condition vulnerability in the Linux Kernel via MAP_PRIVATE COW. The bug relies in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

PowerFolder Server is prone to a remote vulnerability that allows attackers to take advantage of a deserialization vulnerability present in the commons-collections java library. By exploiting known methods, it is possible to remotely load a java class and inject custom Java bytecode. The exploit abuses this to download and execute an executable with Impact's agent.

The vulnerability resides in parsing crafted PowerPoint documents and produces a Buffer Overflow in the stack. This module was tested on the Symantec Endpoint Manager version 12.1.4013.4013. Other versions may be are vulnerable too.

SugarCRM is vulnerable due to a user input passed through a request parameter is not properly sanitized before being used in a call to the "unserialize()" function. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow unauthenticated attackers to execute arbitrary PHP code via specially crafted serialized objects. Successful exploitation of this vulnerability requires the application running on PHP before version 5.6.25 or 7.0.10. The attack will not leave any trace. This exploit installs an OS Agent.

Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. Combining this with log injection, remote code execution can be achieved.

Action Pack in Ruby on Rails allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

phpMyAdmin is prone to a regexp abuse via an eval modifier which can be found in old PHP versions. This vulnerability allows authenticated attackers to run arbitrary php code on the affected server. PHP versions 4.3.0-5.4.6 had a "feature" which allowed users to run a RegExp Pattern Modifier using PREG_REPLACE_EVAL and may lead to execute code. phpMyAdmin had an issue in their code that can be exploited from a table replace call. The general idea is to insert a crafted regexp eval record format, and then trigger it via a find and replace function with system commands For that purpose, the exploit will try to use any existing cookies of that host, or the username and password provided. Once logged in, if the user provided a database, it will be used. If not, we will search for existing databases. The attack will not leave any trace. This exploit installs an OS Agent.