The specific flaw exists in the handling of LeviStudio Project files. By providing an overly long HmiSet Type XML attribute, an attacker can overflow a stack-based buffer and execute arbitrary code in the context of the current process. This module runs a malicious web server on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to it.
The vulnerability exists within the AxEditGrid ActiveX control's Insert property. This module runs a web server waiting for vulnerable clients (Internet Explorer 8) to connect to it.
Arbitrary Write in Rockwell Automation Connected Components Workbrench allows remote attackers to execute arbitrary code. This module runs a web server waiting for vulnerable clients (Internet Explorer 11) to connect to it.
When a special NBNS request is received by this module, it starts to answer to the client by flooding responses with the name specified by the "NAME TO BE SPOOFED" parameter and the IP address specified by the "NAME's IP TO BE SPOOFED" parameter. When three NBNS request packets are received from the target, this module answers the request by sending responses to the target during 'n' seconds (parameter "Flooding time per target connection"). After that, if an HTTP request asking for "/lala2.bmp" is received, it means the target was convinced to use the spoofed name sent during the attack. When it happens, this module confirms that the attack was successful.
The AccessArray function in the VBScript engine of Internet Explorer is prone to a redefinition attack. By accessing a VBScript array using a specially crafted object as the index, it is possible to resize the array in the middle of the AccessArray function, leaving the array in an inconsistent state, which can be abused by an attacker to execute arbitrary code on systems running vulnerable versions of Internet Explorer.
Internet Explorer is prone to a use-after-free vulnerability when trying to access the ArrayBuffer that was backing a Typed Array after it has been detached by transferring it to a Web Worker by calling the postMessage() function. This vulnerability can be abused by an attacker to execute arbitrary code on systems running vulnerable versions of Internet Explorer.
Acunetix Web Vulnerability Scanner 10.0 build 20160216 and previous versions, allows remote attackers to execute arbitrary JavaScript code in the context of the scanner GUI. The flaw exists in the way Acunetix WVS render some html elements inside it's GUI, using jscript.dll without any concert about unsafe ActiveX object such as WScript.shell. If Acunetix WVS triggers a vulnerability during a scan session, it saves a local html with the content of html page. With this, it's possible to trigger a fake vulnerability and inject a JavaScript code which triggers the remote command execution. This module also abuses of a second vulnerability affecting the Acunetix Web Vulnerability Scanner Scheduler. The Scheduler allows programmatically scanning of websites without any user interaction. It is possible to schedule a scan via the web interface listening on 127.0.0.1:8183. When a scan is scheduled, a new instance of Acunetix WVS is launched as SYSTEM. Previous to the real scan, several tests are performed on the target host using script files located in %ProgramData%\Acunetix WVS 10\Data\Scripts. Due to bad ACL's in this folder, any user can modify these scripts files. This module modifies the AJP_Audit.script file in order to execute an agent as SYSTEM.
Apache ActiveMQ unserializes objects received using the STOMP protocol with the XStream library. This leads to remote code execution due to unsafe deserialization. This module writes and executes an agent in vulnerable systems. Privileges obtained will be those of the user running the ActiveMQ server.
The specific flaw exists within the activate_doit function of the service. The issue lies in the handling of the Reprise License Menager server parameter which can result in overflowing a stack-based buffer.
This module exploits a remote code execution vulnerability in HP Data Protector by sending a specially crafted EXEC_BAR user name request. The 32-bit version of Data Protector is the only one exploitable, however, in 64-bit operating systems, the installer will always choose the 64-bit version of the software.