HT-MP3Player contains a buffer prone to exploitation when handling .HT3 files, which can be exploited to cause a stack-based buffer overflow via a specially crafted .HT3 file. This module runs a malicious web server on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to it.

This module exploits a vulnerability in ContentMan.dll included in the HP Photo Creative application. The exploit is triggered when the CRecord() method processes a long string argument resulting in a stack-based buffer overflow. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module exploits a vulnerability in XUpload.ocx included in the HP LoadRunner application. The exploit is triggered when the AddFile() method processes a long string argument resulting in a stack-based buffer overflow. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

HP LoadRunner contains an overflow condition in the MicWebAjax ActiveX control. The issue is triggered as user-supplied input is not properly validated during the handling of a malformed website that calls the aforementioned ActiveX control. This may allow a context-dependent attacker to cause a buffer overflow and allowing the execution of arbitrary code. This module runs a web server waiting for vulnerable clients (Internet Explorer 6 and 7 ) in Windows XP to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

HP LoadRunner lrFileIOService has a vulnerability in the WriteFileString method, which allows the user to write arbitrary data and load arbitrary modules. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

HP LoadRunner lrFileIOService WriteFileBinary method accepts a parameter named data that it uses as a valid pointer. By specifying invalid values an attacker can force the application to jump to a controlled location in memory. This module runs a web server waiting for vulnerable clients (Internet Explorer 6,7 or 8) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

A type confusion vulnerability in XGO.ocx ActiveX control in HP Lifecycle Management in the method SetShapeNodeType allowing user-specified memory to be used as an object. This module runs a web server waiting for vulnerable clients (Internet Explorer 6 and 7 without Java installed, Internet Explorer 8 with Java 6 installed in Windows XP, and Internet Explorer 8 and 9 in Windows 7 with Java 6 installed) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module allows remote attackers to place arbitrary files on a users file system by abusing the "saveXML" method from the "XMLSimpleAccessor" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module allows remote attackers to place arbitrary files on a users file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embeddeding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.

This module allows remote attackers to place arbitrary files on a temporary file system by abusing the LaunchInstaller() function from HSCRemoteDeploy module. Code execution can be achieved by first embedding the payload in a VBS file, and then request a HTA file, which executes the crafted VBS who creates and EXE with the agent included. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.