Multiple MicroWorld eScan products are vulnerable to a remote command-execution vulnerability because they fail to properly sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary commands with superuser privileges. Successful attacks will completely compromise affected computers. The issue affects versions prior to 4.1.x of the following products: eScan for Linux Desktop, eScan for Linux File Servers, MailScan for Linux Mail Servers, WebScan for Linux Proxy Servers.
A memory corruption vulnerability in the ChkNtfSock function of wins.exe allows privilege escalation.
A memory corruption vulnerability in the ChkNtfSock function of wins.exe allows remote code execution.
When the SMTP client (this module) sends an email to "[email protected]", the SMTP server tries to resolve the IP address of the "caronte.com" domain. At that moment, the SMTP server sends a DNS request to its configured DNS server. This module tries to deliver a response to the SMTP server before the configured DNS server does. Because the vulnerable target does not check the DNS response transaction IDs, if a spoofed response is processed before the real one, the SMTP server ends up delivering the email to the SMTP server indicated by the spoofed DNS response.
This module exploits a remote Windows kernel vulnerability in the srv.sys driver via a malformed SMB packet. It could allow an attacker to connect to a shared folder and send a specially crafted SMB message to an affected system, exploiting the target and installing an agent.
This module exploits a vulnerability in srv2.sys via an SMB negotiation packet.
This module exploits an impersonation vulnerability in "spoolsv.exe" (Microsoft Windows Print Spooler) by first sending a job to the shared printer which overwrites a DLL printer driver with an arbitrary one, and then another job which causes the shared printer to load it and install an agent on the target system.
This module exploits a buffer overflow vulnerability in the EnumeratePrintShares function of the Print Spooler Service in Microsoft Windows to install an agent on the target machine.
This module exploits a remote buffer overflow in Microsoft Windows Media Services by sending a specially crafted packet to TCP port 1755.
The code that handles the 'Range' HTTP header in the HTTP.sys driver in Microsoft Windows, which is used by Internet Information Services (IIS), is prone to an integer overflow vulnerability when processing a specially crafted HTTP request with a very long upper range. This integer overflow can be leveraged to create a memory disclosure condition, in which the HTTP.sys driver returns more data than it should from kernel memory, allowing remote unauthenticated attackers to obtain potentially sensitive information from the affected server. This module will check whether the target machine is vulnerable and will try to dump memory contents to the Module Log window. This memory dump may contain sensitive data, as explained above. The vulnerability affects systems in which IIS has kernel-mode caching enabled; note that this setting is enabled by default. Since this issue is tied to the kernel-mode caching feature, you must specify a static resource in the 'TARGET URL' parameter, such as a GIF/JPG/PNG/ZIP/HTML file. This module will not work if you run it against a dynamic resource like an ASP/ASPX page. This module works against both plain HTTP and HTTPS websites. This module supports both a direct connection to the target machine and a connection through an HTTP proxy; this can be configured in the Tools -> Options -> Network menu of Core Impact. When connecting to the target system through an HTTP proxy, the module will only work against HTTPS websites, since the specially crafted ranges in the plain HTTP requests sent by this module are usually rewritten by popular proxy software such as Squid. When the memory disclosure is successfully exploited, the output will typically include parts of the requested file and parts of leaked memory contents, the latter usually appearing at the end of the received data.