This module exploits a buffer overflow vulnerability in the LDAP service (sidvault.exe) of the SIDVault LDAP application. The exploit triggers a stack-based buffer overflow by sending a specially crafted packet to port 389/TCP of the vulnerable system and installs an agent if successful.
This module exploits a buffer overflow vulnerability when parsing RPC requests through the LSA RPC interface in Samba 3.x. The exploit is triggered by sending a specially crafted RPC LsarLookupSids request to a vulnerable computer. After successful exploitation an agent will be deployed. This agent inherits the user identity and capabilities of the Samba server. However, the euid (as opposed to the uid) of the agent may not be that of the superuser (it is usually "nobody"); by using the setuid module (see the setuid module documentation), it can be changed to zero (root).
An anonymous user can gain remote root access due to a buffer overflow caused by a StrnCpy() into a char array (fname) using a non-constant length (namelen).
The rpc.statd program passes user-supplied data to the syslog() function as a format string. If this string is not validated, a malicious user can inject machine code to be executed with the privileges of the rpc.statd process, typically root. This is a ONE SHOT exploit: it is able to attack a Red Hat and a SUSE system in a single 'one shot' attack.
This module exploits an array overflow vulnerability in RealServer and Helix Server 8.0 and higher. The bug is present in the code for accessing RealServer's registry (its configuration options), in the constructor of the class ServRegKey (at least in the open source version of Helix Server). The bug occurs when a string is split into several substrings, using '.' as the separator. A pointer to each substring is added to an array with room for only 1024 pointers, so if a string with more than 1024 dots is fed to this function, the array is overflowed and, in our case, the return address is overwritten with a pointer to one of the substrings. There may be several ways of reaching this vulnerable code; however, we use the publicly known one: the View Source plugin. Once a request is issued for a URL ending in ".smi", the View Source plugin is used; it then calls the registry routine to check the configuration for the requested URL, and in doing so feeds the vulnerable function with the user-supplied string. Older versions (for example RealServer 7.0) are vulnerable but not exploitable with this same technique (if they are exploitable at all), as the buffer where the pointers are stored is dynamically allocated on the heap. After successful exploitation an agent will be installed.