The specific flaw exists within the activate_doit function of the service. The issue lies in the handling of the Reprise License Manager server parameter, which can result in overflowing a stack-based buffer.
This module exploits a remote code execution vulnerability in HP Data Protector by sending a specially crafted EXEC_BAR user name request. Only the 32-bit version of Data Protector is exploitable; however, on 64-bit operating systems the installer always chooses the 64-bit version of the software.
The DefaultActionMapper class in Apache Struts 2 supports a Dynamic Method Invocation feature via the "method:" prefix. The information contained in this prefix is not properly sanitized before being evaluated as OGNL expressions on the server side, which allows remote attackers to execute arbitrary Java code on the server. This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework with the "struts.enable.DynamicMethodInvocation" configuration parameter in struts.xml set to True.
DameWare Mini Remote Control Server is vulnerable to a stack-based buffer overflow when handling specially crafted packets. Local attackers could use this vulnerability to escalate privileges.
The Password Manager component installed by various Trend Micro products runs a Node.js HTTP server by default. This web server opens multiple HTTP RPC ports for handling API requests. For example, the openUrlInDefaultBrowser API function, which internally maps to a ShellExecute function call, allows an attacker to execute arbitrary commands on localhost without the need for any type of credentials. This module will wait for a vulnerable target to connect and deploy an agent by abusing the mentioned API functionality provided by the vulnerable component.
Windows Media Center is prone to a vulnerability that may allow execution of a remote DLL.
MSHTML.dll is prone to a vulnerability that may allow binary planting of crafted DLLs if MSHTML.DLL version 11.0.9600.18231 (from Internet Explorer 11) is located in system32 on the target; a crafted Word document is used to trigger it.
The default error page in Spring Boot (also known as the "Whitelabel Error Page"), when a type error is detected in a parameter configured in a controller, will display the provided value. The page's rendering expands Spring Expression Language (SpEL) expressions found in the page, and it does so recursively. Because of this, a string containing an expression provided as the value of a URL parameter may be evaluated server side while rendering the page if it is of a different type than the one expected for said parameter. The "Whitelabel Error Page" is provided by default, but it can be customized. This attack has only been tested with the default error page. In particular, if SpEL is not used as the templating language for another page, or if the page doesn't print the exception due to the type mismatch, the attack is not possible.
This module exploits an arbitrary file upload vulnerability in Advantech WebAccess. The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within the FileUpload script allows unauthenticated callers to upload arbitrary code to directories in the server where the code can be automatically executed under the high-privilege context of the IIS AppPool. Authentication is not required to exploit this vulnerability.
This module exploits a "win32k.sys" integer overflow in the Windows kernel by calling the "PathToRegion" function with crafted parameters.