An insufficient input validation leading to memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the /p/u/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine if the target system is vulnerable.

This exploit uses a format stack buffer overflow located in the rlprd ns_aaa_gwtest_get_event_and_target_names() function to install an agent. The deployed agent will run with root user privileges.

This module exploits a vulnerability in FreeBSD. The sendmsg system call in the compat32 subsystem on 64-bit platforms has a time-of-check to time-of-use vulnerability allowing a mailcious userspace program to modify control message headers after they were validation.

Citrix Application Delivery Controller (ADC) and Gateway are prone to a directory traversal vulnerability that allows attackers to upload an XML file via newbm.pl and execute system commands.

This module exploits a vulnerability in FreeBSD. A bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges.

This module exploits a post authentication vulnerability in pfSense by abusing the system_groupmanager.php page which allows users to get Code Execution.

The ioctl handler in the atkbd keyboard driver in FreeBSD is prone to a signedness error, which can lead to a buffer overflow in the kernel when processing a SETFKEY ioctl message with specially crafted values. This vulnerability can be exploited by a local unprivileged attacker to gain root privileges. In order to reach the vulnerable code in the keyboard driver, the exploit needs a virtual terminal (/dev/ttyv*) allocated for the user under which the initial agent is running. Virtual terminals are allocated when a user logs into the physical machine, as opposed to the pseudo-terminals (/dev/pts/*) which are allocated when accessing a system via a SSH shell, for example. This module can be configured to keep waiting for an accessible virtual terminal, by setting the Advanced/TIME LIMIT parameter to the desired maximum amount of minutes to wait for.

The amd64_set_ldt() function in sys/amd64/amd64/sys_machdep.c in the FreeBSD kernel code is prone to an integer signedness error when processing a system call with specially crafted parameters originated from user space. This issue ultimately leads to a kernel heap overflow, which can be used by unprivileged local attackers to cause a kernel panic and crash the machine.

Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.

Buffer overflow in libtelnet/encrypt.c in Inetutils and Heimdal implementations of telnetd allows remote attackers to execute arbitrary code with root permissions via a long encryption key.