This module exploits the following vulnerability, as described by the CVE database: "Format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled, allows remote attackers to [...] execute arbitrary code via format string specifiers in the username parameter to the login form, which is ultimately used in a syslog call." The most common TCP ports used by vulnerable programs are 10000 for Webmin and 20000 for Usermin. This module will run 2 different phases: the first phase will bruteforce a return address location (retloc) and the second phase will bruteforce the address of the agent code (retaddr). NOTE: The first phase might create zombie processes that should be killed once the agent has been installed. The second phase might generate a few megabytes of traffic.
Multiple MicroWorld eScan products are vulnerable to a remote command-execution vulnerability because they fail to properly sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary commands with superuser privileges. Successful attacks will completely compromise affected computers. The issue affects the following products versions prior to 4.1.x: eScan for Linux Desktop, eScan for Linux File Servers, MailScan for Linux Mail servers, WebScan for Linux Proxy Servers.
LPRng contains a function, use_syslog(), that returns user input to a string in LPRng that is passed to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by entering malicious format specifiers.
This module exploits a header overflow vulnerability in lighttpd when using fast_cgi module in lighttpd before version 1.4.18. The vulnerability allows to modify PHP headers. This module modifies the SCRIPT_FILENAME PHP header to run arbitrary files in the PHP interpreter. This module will send a request to the server with a HTTP Referer header with PHP code that is written on the log file by the lighttpd server. Then the module searches for the lighttpd log file in the web server using the vulnerability. Then the module executes the lighttpd log file as a PHP script using the vulnerability, and installs a new agent in the server.
An input sanitization flaw exists in the way JBoss Seam processes certain parameterized JBoss Expression Language (EL) expressions. A remote unauthenticated attacker could use this flaw to execute arbitrary code via GET requests, containing specially-crafted expression language parameters, provided to web applications based on the JBoss Seam Framework. This module exploits the vulnerability in any web application based on vulnerable versions of the Seam 2 Framework.
A directory traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server allows remote attackers who are able to access the console manager to create files on arbitrary locations of the filesystem. This can be abused to gain execution of arbitrary code by sending special HTTP requests to the JMX Console. This module uploads an arbitrary .JSP file to the target in order to deploy an agent on it.
Subscribe to Linux