This module exploits a vulnerability in the ISSymbol.ocx control included in the InduSoft Web Studio ActiveX application. The exploit is triggered when the OpenScreen() method processes a long string argument resulting in a stack-based buffer overflow. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it.
This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by sending a specially crafted HTML page which exploits the Incredimail IMMenuShellExt ActiveX control vulnerability.
ImgBurn is prone to a vulnerability that may allow execution of dwmapi.dll if this DLL is located in the same folder as a .CUE file. The attacker must entice a victim into opening a specially crafted .CUE file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
This module exploits a vulnerability in the ImageViewer2.ocx module included in the Viscom Image Viewer application. The exploit is triggered when the TifMergeMultiFiles() method processes a malformed argument resulting in a memory corruption. This module runs a malicious web site on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site. This module runs a web server waiting for vulnerable clients (Internet Explorer 6 or 7) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
This module exploits a vulnerability in the ImageViewer2.ocx module included in the Viscom Image Viewer application. The exploit is triggered when the Image2PDF() method processes a malformed argument resulting in a memory corruption. This module runs a malicious web site on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site. This module runs a web server waiting for vulnerable clients (Internet Explorer 6 or 7) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
This module exploits a buffer overflow vulnerability in the Image22 ActiveX Control. The exploit is triggered when the DrawIcon() method processes a long string argument resulting in a stack-based buffer overflow. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
This module exploits a vulnerability in Microsoft XML Core Services. This flaw is due to a memory corruption error in the XMLHTTP ActiveX Control when processing specially crafted arguments passed to a "setRequestHeader()" method, which is used to install an agent in the target host. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
The module starts an HTTP server in the source agent. When the victim system tries to retrieve any file, it sends a malicious HTML page that installs an agent on the victim's machine, bypassing sandbox restrictions. Given the nature of this exploit, exploitation reliability depends on the browser configuration (scripting has to be enabled, which it is by default) and other factors such as system load. This exploit needs to open some windows on the target client system, so the exploitation attempt may be noticed by a trained user. If an agent is installed, it will remain persistent and must be removed manually.
This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by instantiating TLBINF32.DLL (sometimes installed as VSTLBINF.DLL) with a malicious DLL (IMPActiveX.ocx) as a parameter. IMPActiveX.ocx has a helpstringdll property pointing to itself, and implements DLLGetDocumentation to install an agent.
This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by triggering a race condition in the way IE handles the call to the Window function inside a JavaScript Onload event. When Outlook Express is used as the mail user agent, Internet Explorer can be exploited by sending the target an e-mail that contains a link to the specially designed HTML page that triggers the attack. This exploit relies on a vulnerability that allows attackers to cause Internet Explorer to execute arbitrary code via a JavaScript Onload event that calls the window() function.