This module exploits a command injection vulnerability in HP Client Automation. The flaw exists within the radexecd.exe component which listens by default on TCP port 3465. When handling a remote execution request the process does not properly authenticate the user issuing the request. The command to be executed is also not properly sanitized. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of SYSTEM. Authentication is not required to exploit this vulnerability.
Elasticsearch allows limited execution of Groovy code during search operations. A vulnerability exists in versions below 1.4.3, by which a sandbox escape is possible. This module installs an OS agent against vulnerable installations.
This module exploits three different vulnerabilities in Symantec Endpoint Protection Manager (SEPM) in order to install an agent on a vulnerable target machine. CVE-2015-1486 allows unauthenticated attackers access to SEPM. CVE-2015-1487 allows reading and writing arbitrary files, resulting in the execution of arbitrary commands with 'NT Service\semsrv' privileges. CVE-2015-1489 allows the execution of arbitrary OS commands with 'NT Authority\SYSTEM' privileges.
This module exploits an integer overflow in the "srvnet.sys" Windows driver by sending a crafted "Session Setup Request" SMBv2 packet to the Windows SMB Server logging mechanism.
Solarwinds FSM is vulnerable to an authentication bypass in userlogin.jsp that allows an attacker to upload an agent via a weakness in the username attribute in settings-new.jsp, allowing us to install an agent.
This module exploits a buffer overflow vulnerability in the FastBack server service (FastBackServer.exe) of the IBM Tivoli Storage Manager. The exploit triggers a stack-based buffer overflow by sending a pre-authentication specially crafted packet to port 11460/TCP of the vulnerable system and installs an agent if successful.
Usermin is vulnerable to an arbitrary command execution in the email signature configuration due to a lack of sanitization on the signature file parameter.
This module exploits an assertion failure vulnerability in BIND 9 servers to cause a denial of service.
When a Windows computer is joined to a domain, it usually downloads the "gpt.ini" file from the Domain Controller. If this file has a new version number, it means that there are new policies to download. When new policies are present, the client downloads the 'gpttmpl.inf' file and applies the policies contained in it. Using a "Man In The Middle" attack, this module intercepts the communication described above and installs an agent running as the 'system' user.
Zimbra is vulnerable to a Local File Inclusion vulnerability that allows an attacker to obtain LDAP credentials, which may be used to upload a JSP file, allowing us to install an agent.