There is a directory traversal flaw in the fileserver upload/download functionality used for blob messages in Apache ActiveMQ. The vulnerability allows writing files anywhere in the filesystem as long as the user running the process has permissions to do so. It also allows to copy local files to local or remote destinations, the later by means of abusing UNC paths. This module first uses the vulnerability to upload the credentials for the web administration application to a SMB server and parses the credentials. It then uploads a "Java Server Pages" file, which remains accessible only with appropriate credentials. It then uses the previously retrieved credentials to access the page and achieve remote code execution. The upload of content from the server is done using a MOVE HTTP verb against a REST service. Due to its semantics, the file retrieved is also deleted. This module uses the vulnerability to restore the web application passwords file once it's been retrieved. Because something might stop the process at this point, this module is marked as potentially leaving the service unavailable.

The EnableNetwork method in the org.blueman.Mechanism D-Bus service of Blueman, a Bluetooth Manager, receives untrusted Python code provided by unprivileged users and evaluates it as root. This can be leveraged by a local unprivileged attacker to gain root privileges.

This module exploits a vulnerability in win32k.sys by calling to SetParent function with crafted parameters.

This module exploits a vulnerability in Linux. The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Microsoft Word is prone to a vulnerability that may allow execution of mqrt.dll.

The default Jenkins configuration allows to execute groovy scripts without being authenticated.

The 'sosreport' program, part of the ABRT bug reporting system used in Red Hat Enterprise Linux, does not handle symbolic links correctly when writing core dumps of ABRT programs to the ABRT dump directory (/var/tmp/abrt). This can be leveraged by local unprivileged attackers to gain root privileges on vulnerable systems.

This module exploits a remote code execution vulnerability in Joomla. The session handling code is susceptible to PHP Object Injection attacks due to lack of sanitization in some HTTP headers that are saved to the database session backend.

Windows Media Center MCL files can specify a URL to be automatically loaded within Media Center. A specially crafted MCL file can abuse this URL parameter in order to trick Windows Media Center into rendering the very same MCL file as a local HTML file within the application's embedded web browser. This way, attacker-controlled Javascript code can run in the context of embedded IE's Local Machine Zone with no security prompts, since Media Center does not opt-in for the Local Machine Zone Lockdown policy. This can be leveraged by an attacker to read and exfiltrate arbitrary files from a victim's local fileystem by convincing an unsuspecting user to open an MCL file. This module will try to steal a couple files that should be present on every vulnerable machine (the mshta.exe executable from the Windows\System32 folder and the WindowsUpdate.log file) in order to confirm the existence of the vulnerability. The module can be configured through the "Files to retrieve" parameters group to try to steal a predefined set of important user files from the Google Chrome and Mozilla Firefox web browsers (such as the Cookies, History, Preferences and Bookmarks files), and the Mozilla Thunderbird email client (address book, preferences, emails). However, note that web browser's History files and Thunderbird's email databases can be pretty big; in those cases, Windows Media Center can get stuck for minutes while trying to read those files. In order to steal Chrome/Firefox/Thunderbird files, the MCL file needs to infer the location of the %USERPROFILE% folder (typically something like C:\Users\JohnDoe) by inspecting its own current path. That means that stealing files from the %USERPROFILE% folder will only work if the MCL file is opened from a path under the %USERPROFILE% folder in the victim's machine, such as the Desktop, the "My Documents" folder, or the "Downloads" folder. The "Files to retrieve" parameters group also accepts a text file containing a custom list of files to be retrieved from the target system. Retrieved files will be saved to the folder specified in the OUTPUT FOLDER parameter. The module will create a separate folder for every compromised target.

The vulnerability is due to an error while parsing ThinApp compressed files which can result in an buffer overflow. This module runs a malicious web site on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site.