The /opt/cma/bin/clear_keys.pl Perl script in Sophos Web Protection Appliance, which can be executed by the 'spiderman' user with the sudo command without password, is prone to an OS command injection vulnerability, because its close_connections() function does not escape the second argument of the script before using it within a string that will be executed as a command by using backticks. This vulnerability can be abused to escalate privileges within the appliance from 'spiderman' to root.
The /opt/ws/bin/sblistpack Perl script in Sophos Web Protection Appliance, which can be reached from the web interface, is vulnerable to an OS command injection because its get_referers() function does not escape the first argument of the script before using it within a string that will be executed as a command by using backticks. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary code in the affected appliance. The agent installed by this exploit runs with the privileges of the 'spiderman' user. After successfully installing an agent, by default this module will automatically run another module (Sophos Web Protection Appliance clear_keys.pl Privilege Escalation Exploit), which will try to exploit a privilege escalation vulnerability that is also present in the Sophos appliance in order to install another agent with root permissions.
This module exploits a remote stack-based buffer overflow in pdmwService by sending a malformed packet to the 30000/TCP port.
This module exploits a vulnerability in the SolarWinds Storage Manager Server. The LoginServlet page available on port 9000 is vulnerable to SQL injection via the loginName field. An attacker can send a specially crafted username and execute arbitrary SQL commands leading to remote code execution.
This module exploits a buffer overflow on the DCE/RPC processing in the Snort 2.6.1.2 package. For this exploit to work, the DCE/RPC Preprocessor must be active on the configuration file, snort.conf. The agent will normally run as the "root" user.
This module exploits a remote buffer overflow in the SNMPc Network Manager by sending a specially crafted Trap packet with a long Community String to the UDP port 164 and installs an agent if successful.
There is a buffer overflow vulnerability in the Microsoft Windows Messenger service. This allows an attacker to execute arbitrary code with System privileges. The vulnerability is triggered by sending a malformed message to the vulnerable host. Manipulating the length of the packet allows portions of the heap memory to be overwritten with user defined data.
SlimFTPd server is prone to a stack buffer overflow when sending a LIST command with an overly-long argument. The attacker needs to be authenticated, so a successful login is required for the exploit to work.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing Simple Web Server. The vulnerability is caused due to a boundary error within Simple Web Server when processing HTTP GET Request. This can be exploited to cause a stack-based buffer overflow via an overly long, specially-crafted argument passed to the affected command. Authentication is not required to exploit this vulnerability.
This module exploits a remote stack-based buffer overflow in Siemens Tecnomatix FactoryLink by sending a malformed packet to CSService listening on port 7580.