The code that handles the 'Range' HTTP header in the HTTP.sys driver in Microsoft Windows, which is used by Internet Information Services (IIS), is prone to an integer overflow vulnerability when processing a specially crafted HTTP request with a very long upper range. This integer overflow vulnerability can be leveraged to generate a memory disclosure condition, in which the HTTP.sys driver will return more data than it should from kernel memory, thus allowing remote unauthenticated attackers to obtain potentially sensitive information from the affected server. This module will check if the target machine is vulnerable and it will try to dump memory contents to the Module Log window. This memory dump may contain sensitive data, as explained above. The vulnerability affects systems in which IIS has kernel-mode caching enabled; note that this setting is enabled by default. Since this issue is tied to the kernel-mode caching feature, you must specify a static resource in the 'TARGET URL' parameter, such as a GIF/JPG/PNG/ZIP/HTML file. This module will not work if you run it against a dynamic resource like an ASP/ASPX page. This module works against both plain HTTP and HTTPS websites. This module supports both direct connection to the target machine and connection through an HTTP proxy. This can be configured in the Tools -> Options -> Network menu of Core Impact. When connecting to the target system through an HTTP proxy, the module will only work against HTTPS websites, since the specially crafted ranges in plain HTTP requests sent by this module are usually rewritten by popular proxy software like Squid. When the memory disclosure is successfully exploited, the output will typically include parts of the requested file and parts of leaked memory contents, the latter being usually at the end of the received data.
This module exploits a directory traversal vulnerability in the Document Conversions Launcher Service included in Microsoft Office SharePoint Server 2007 by sending malformed packets. This module needs the hostname of the Document Conversions Launcher Service. If the HOSTNAME parameter is left blank, the module first connects to the Document Conversions Load Balance Service to retrieve the hostnames of the registered Document Conversions Launcher Services.
Windows tcpip.sys is susceptible to a remote buffer overflow vulnerability. This module exploits the vulnerability and installs an agent on the target machine. This exploit is unreliable: depending on the activity on the target machine, some targets will crash before an agent is installed. The module sends several thousand IP packets within a few seconds. If the target does not receive most of the packets (due to network congestion or other causes), the exploit will fail. Only some specific kernel versions are supported by this module.
This module sends HTTP requests with specially crafted data that make the ASP.NET subsystem consume a large amount of resources. This attack prevents the victim server from processing requests from legitimate clients and will probably render the server non-operational. The PATH parameter must point to an ASP.NET web page, which normally has an ".aspx" extension.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Mercury Mail Transport System. The vulnerability is caused by a boundary error within the Mercury/32 SMTP Server Module (mercurys.dll) when processing arguments to the AUTH CRAM-MD5 command. This can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted argument passed to the affected command.
This module allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing the Mercury Mail Transport System. The vulnerability is caused by a boundary error within the Mercury/32 PH Server Module (mercuryh.dll). This issue is due to a failure of the application to properly bounds-check user-supplied data prior to copying it to a fixed-size memory buffer. This can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted argument passed to the affected command. Authentication is not required to exploit this vulnerability.
This module allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing the Mercury Mail Transport System. The vulnerability is caused by a boundary error within the Mercury/32 IMAPD Server Module (mercuryi.dll). This issue is due to a failure of the application to properly bounds-check user-supplied data prior to copying it to a fixed-size memory buffer. This can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted argument passed to the affected command. Authentication is not required to exploit this vulnerability.