This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000 by using its BKHOdeq.exe service. The BKHOdeq.exe service, started when running the FCS / Test Function listens by default on TCP/20109, TCP/20171 and UDP/1240. By sending a specially crafted packet to the port TCP/20171 its possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.
This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000 by using its BKBCopyD.exe service. The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The BKBCopyD.exe service, started when running the FCS / Test Function, listens by default on TCP/20111. By sending a specially crafted packet to the port TCP/20111, it it is possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing XBMC. A boundary error within the websHomePageHandler() function can be exploited to cause a stack-based buffer overflow by sending a specially crafted GET HTTP request with an overly long path to the web server.
After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the user used to login into the ftp server (ftp, for example). However, the uid (as opposite to the euid) of the agent will be that of the super user in most cases (usually 0), and by using the setuid module (see setuid module documentation), it can be changed. When an anonymous user is used, or if the server is configured to do this for other users, the deployed agent will be running in a chroot jail. This situation does not prevent the agent to be used, and after setting the user id to that of the super user, the chroot breaker module (see chroot breaker module documentation) can be used to escape the chroot jail.
The internal stack may be overrun while handling either "XMD5", "XSHA1" or "XCRC" commands with an overly long filename. This condition can be exploited by attackers to ultimately execute instructions with the privileges of the WS_FTP process, typically administrator or system. Exploitation requires valid or anonymous FTP server credentials. The WS_FTP server will remain active after a successful exploitation.
This module exploits a vulnerability in W3 Total Cache plugin for Wordpress. Certain macros such as mfunc allow to inject PHP code into comments. By injecting a crafted comment into a valid post an attacker can execute arbitrary PHP code on systems running vulnerable installations of W3 Total Cache.
Subscribe to Exploits