This module exploits a command injection vulnerability in Samba 3. For the exploit to work, the "username map script" option must be set in smb.conf, the Samba configuration file. The agent will normally run as the "nobody" user and will therefore have limited privileges.
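The precondition above is a single smb.conf parameter, so the practical check is to audit the file for it. The following shell audit is an added example, not code from the original page or from the module's vendor; the two sample configurations and the script path /etc/samba/scripts/mapusers.sh are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original module description): flag an
# smb.conf that sets "username map script", the option the Samba 3 command
# injection module above requires. Sample configs are constructed inline.

# Return 0 if the smb.conf at $1 sets "username map script" to a non-empty
# value. Samba ignores case and whitespace inside parameter names, so
# "Username Map Script" and "usernamemapscript" both count; lines commented
# out with "#" or ";" start with that character and do not match.
has_username_map_script() {
    grep -Eiq '^[[:space:]]*username[[:space:]]*map[[:space:]]*script[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Print a one-line finding for the config at $1 (always returns 0; use
# has_username_map_script when you need the status).
check_smb_conf() {
    if has_username_map_script "$1"; then
        echo "RISK: $1 sets 'username map script' (precondition for the Samba 3 command injection)"
    else
        echo "ok: $1 does not set 'username map script'"
    fi
    return 0
}

# Constructed sample 1: the risky setting, written with Samba-style casing.
RISKY_CONF=$(mktemp)
cat >"$RISKY_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   Username Map Script = /etc/samba/scripts/mapusers.sh
EOF

# Constructed sample 2: the option appears only in comments, which smbd
# ignores, so the audit must not flag it.
SAFE_CONF=$(mktemp)
cat >"$SAFE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   # username map script = /etc/samba/scripts/mapusers.sh
   ; username map script = /etc/samba/scripts/mapusers.sh
EOF
trap 'rm -f "$RISKY_CONF" "$SAFE_CONF"' EXIT

check_smb_conf "$RISKY_CONF"
check_smb_conf "$SAFE_CONF"
```

The grep reads the raw file and does not follow `include =` directives; on a live host, run it against the output of `testparm -s`, which prints the effective configuration, to cover included files as well.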
This module exploits a Samba server vulnerability by sending a crafted LsarSetInformationPolicy request packet.
This module exploits a buffer overflow vulnerability in the parsing of RPC requests through the LSA RPC interface in Samba 3.x. The exploit is triggered by sending a specially crafted LsarLookupSids RPC request to a vulnerable host. After successful exploitation an agent is deployed, which inherits the user identity and capabilities of the Samba server process. Note that the agent's effective uid (as opposed to its real uid) may not be that of the superuser; it is usually "nobody". Using the setuid module (see the setuid module documentation), it can be changed to zero (root).
An anonymous user can gain remote root access through a buffer overflow caused by a StrnCpy() into a fixed-size char array (fname) using a non-constant length (namelen).
A buffer overflow in the SMB/CIFS packet fragment re-assembly code for the SMB daemon (smbd) allows remote attackers to execute arbitrary code.
This module exploits a remote stack-based buffer overflow in the SafeNet IKE Service (included in several VPN clients) by sending a specially crafted packet to UDP port 62514.
This module exploits a stack-based buffer overflow vulnerability in the Windows RSH application (rshd.exe). The module sends a specially crafted packet to TCP port 514 and installs an agent if successful.
This module exploits a stack-based buffer overflow in the Windows Routing and Remote Access Service. Because the service is hosted inside svchost.exe, a failed exploit attempt can bring down other system services hosted in the same process. A valid username and password are required to exploit this flaw.
The rpc.statd program passes user-supplied data to the syslog() function as a format string. Because the string is not validated, a malicious user can supply format specifiers that corrupt memory and execute arbitrary code with the privileges of the rpc.statd process, typically root. This is a one-shot exploit: only a single attempt is possible against a target. Supported targets are Red Hat and SUSE systems.
The Ricoh DC Software DL-10 SR10 FTP server is prone to a buffer overflow when handling the argument of the USER command. It can be exploited by supplying a long string to that command. To trigger the vulnerability, the application's log file must not be empty. The vulnerable version of SR10.exe is 1.0.0.520.
Page 33