After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the user used to login into the ftp server (ftp, for example). However, the uid (as opposite to the euid) of the agent will be that of the super user in most cases (usually 0), and by using the setuid module (see setuid module documentation), it can be changed. When an anonymous user is used, or if the server is configured to do this for other users, the deployed agent will be running in a chroot jail. This situation does not prevent the agent to be used, and after setting the user id to that of the super user, the chroot breaker module (see chroot breaker module documentation) can be used to escape the chroot jail.
This module exploits a vulnerability in W3 Total Cache plugin for Wordpress. Certain macros such as mfunc allow to inject PHP code into comments. By injecting a crafted comment into a valid post an attacker can execute arbitrary PHP code on systems running vulnerable installations of W3 Total Cache.
Insufficient sanitization in WebCalendar's /includes/settings.php lead to remote dcode execution.
NetBackup Java user-interface is affected by a remote format string vulnerability. An attacker can exploit this vulnerability by crafting a malicious request that contains format specifiers. A successful attack may result in crashing the server or lead to arbitrary code execution. This may facilitate unauthorized access or privilege escalation with SYSTEM or superuser privileges.
This module exploits a remote command execution vulnerability found in some distributions of UnrealIRCd that contain a backdoor and installs an agent into the target host. The backdoor is present on the file Unreal3.2.8.1.tar.gz that was maliciously replaced on certain mirrors. The vulnerable file has the following MD5 checksum: 752e46f2d873c1679fa99de3f52a274d.
Local File Inclusion vulnerability in admin/index.php in TinyWebGallery 1.7.6 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include local files via the lang parameter, which leads to execute arbitrary PHP code by injecting data into the log files.
Buffer overflow in libtelnet/encrypt.c in Inetutils and Heimdal implementations of telnetd allows remote attackers to execute arbitrary code with root permissions via a long encryption key.
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords.
This module exploits a command injection error in the function runScripts in vdccm (SynCE daemon), reached through a information message remote request. For this exploit to work, there must be at least one script file on the SynCE scripts directory.
This module exploits a remote code execution vulnerability in Symantec Web Gateway by using a log injection and a local file inclusion to run an arbitrary PHP script.