HP LoadRunner lrFileIOService has a vulnerability in the WriteFileString method, which allows the user to write arbitrary data and load arbitrary modules. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

HP LoadRunner lrFileIOService WriteFileBinary method accepts a parameter named data that it uses as a valid pointer. By specifying invalid values an attacker can force the application to jump to a controlled location in memory. This module runs a web server waiting for vulnerable clients (Internet Explorer 6,7 or 8) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

A type confusion vulnerability in XGO.ocx ActiveX control in HP Lifecycle Management in the method SetShapeNodeType allowing user-specified memory to be used as an object. This module runs a web server waiting for vulnerable clients (Internet Explorer 6 and 7 without Java installed, Internet Explorer 8 with Java 6 installed in Windows XP, and Internet Explorer 8 and 9 in Windows 7 with Java 6 installed) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module allows remote attackers to place arbitrary files on a users file system by abusing the "saveXML" method from the "XMLSimpleAccessor" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module allows remote attackers to place arbitrary files on a users file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embeddeding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module allows remote attackers to place arbitrary files on a temporary file system by abusing the LaunchInstaller() function from HSCRemoteDeploy module. Code execution can be achieved by first embedding the payload in a VBS file, and then request a HTA file, which executes the crafted VBS who creates and EXE with the agent included. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module exploits a vulnerability in Honestech VHS to DVD Products. The vulnerability is caused due to boundary error in the processing of ilj files. This can be exploited to cause a stack-based buffer overflow when a specially crafted file is opened. This module runs a malicious web site on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site.

Help and Manual is prone to a vulnerability that may allow the execution of any library file named ijl15.dll, if this dll is located in the same folder than a .HMXP file. The attacker must entice a victim into opening a specially crafted .HMXP file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.

GSM SIM Utility contains a buffer prone to exploitation via an overly long string. The vulnerability is caused due to a boundary error in GSM SIM Editor when handling misleading .sms files. When opening such files an error message is shown and then a buffer overflow occurs. This situation allows an attacker to overwrite an SEH Pointer and control the execution flow. This vulnerability can be exploited via a specially crafted .sms file. This module runs a malicious web server on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to it.

Google Sketchup fails to validate the input when parsing an crafted skp file with Pict texture, leading to an arbitrary stack offset overwrite and finally to an arbitrary code execution. This module runs a malicious web server on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to it.