The AccessArray function in the VBScript engine of Internet Explorer is prone to a redefinition attack. By accessing a VBScript array using a specially crafted object as the index, it is possible to resize the array in the middle of the AccessArray function, leaving the array in an inconsistent state, which can be abused by an attacker to execute arbitrary code on systems running vulnerable versions of Internet Explorer.
Internet Explorer is prone to a use-after-free vulnerability when trying to access the ArrayBuffer that was backing a Typed Array after it has been detached by transferring it to a Web Worker by calling the postMessage() function. This vulnerability can be abused by an attacker to execute arbitrary code on systems running vulnerable versions of Internet Explorer.
Acunetix Web Vulnerability Scanner 10.0 build 20160216 and previous versions allow remote attackers to execute arbitrary JavaScript code in the context of the scanner GUI. The flaw exists in the way Acunetix WVS renders some HTML elements inside its GUI, using jscript.dll without any concern about unsafe ActiveX objects such as WScript.Shell. If Acunetix WVS triggers a vulnerability during a scan session, it saves a local HTML file with the content of the HTML page. With this, it is possible to trigger a fake vulnerability and inject JavaScript code which triggers the remote command execution. This module also abuses a second vulnerability affecting the Acunetix Web Vulnerability Scanner Scheduler. The Scheduler allows programmatic scanning of websites without any user interaction. It is possible to schedule a scan via the web interface listening on 127.0.0.1:8183. When a scan is scheduled, a new instance of Acunetix WVS is launched as SYSTEM. Prior to the real scan, several tests are performed on the target host using script files located in %ProgramData%\Acunetix WVS 10\Data\Scripts. Due to bad ACLs on this folder, any user can modify these script files. This module modifies the AJP_Audit.script file in order to execute an agent as SYSTEM.
The specific flaw exists within the activate_doit function of the service. The issue lies in the handling of the Reprise License Manager server parameter, which can result in overflowing a stack-based buffer.
This module exploits a remote code execution vulnerability in HP Data Protector by sending a specially crafted EXEC_BAR user name request. The 32-bit version of Data Protector is the only exploitable one; however, on 64-bit operating systems the installer will always choose the 64-bit version of the software.
DameWare Mini Remote Control Server is vulnerable to a stack-based buffer overflow when handling specially crafted packets. Local attackers could use this vulnerability to escalate privileges.
This module exploits a use-after-free vulnerability in the Linux Kernel. When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user.
The Password Manager component installed by various Trend Micro products runs a Node.js HTTP server by default. This web server opens multiple HTTP RPC ports for handling API requests. For example, the openUrlInDefaultBrowser API function, which internally maps to a ShellExecute function call, allows an attacker to execute arbitrary commands on localhost without requiring any credentials. This module will wait for a vulnerable target to connect and deploy an agent by abusing the mentioned API functionality provided by the vulnerable component.
Windows Media Center is prone to a vulnerability that may allow execution of a remote DLL.
MSHTML.dll is prone to a vulnerability that may allow binary planting of crafted DLLs when MSHTML.DLL version 11.0.9600.18231 (from Internet Explorer 11) is located in system32 on the target; a crafted Word document is used to trigger it.