This module exploits the predictable random number generator in Debian's OpenSSL package. The vulnerability is used to generate SSH keys and to install an agent on the target host. The exploit generates the complete vulnerable keyspace and tries to log in as the provided user. If the user is root, the agent will have superuser capabilities.
When the imapmagicplus option is enabled on a Cyrus IMAP server, the PROXY and LOGIN commands suffer a standard stack overflow, because the username is not checked against a maximum length when it is copied into a temporary stack buffer. This module exploits that bug to install an agent. Cyrus 2.2.8 and prior are vulnerable.
CVS is prone to a remote heap overflow vulnerability during the handling of user-supplied input for entry lines with 'modified' and 'unchanged' flags.
By sending a malformed 'Directory' request it is possible to create a condition where free() is called on memory that is still in use. This can result in an exploitable condition when free() is called on the memory chunk a second time.
A vulnerability in the html2text library's use of preg_replace with the eval switch allows remote attackers to execute arbitrary code.
The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.
This module exploits a nameserver vulnerability that occurs when processing a maliciously crafted T_NXT resource record received in a DNS reply message. After successful exploitation, an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the user used to run the bind daemon. However, the uid (as opposed to the euid) of the agent will be that of the superuser in most cases (usually '0'). Note that the deployed agent might be running in a chroot jail. This situation doesn't prevent the agent from being used, and after setting the user id to that of the superuser, the chroot breaker module (see the "chroot breaker" module documentation) can be used to escape the chroot jail.
The ColdFusion admin console is vulnerable to multiple directory traversal attacks related to the locale parameter, allowing an attacker to upload an agent and execute it. The agent may have SYSTEM privileges if ColdFusion is installed as a service on Windows.
The /CFIDE/adminapi/customtags/l10n.cfm page in Adobe ColdFusion is prone to a Local File Inclusion vulnerability because it does not properly validate its attributes.file parameter. This can be abused by a remote unauthenticated attacker to execute arbitrary code on vulnerable servers. The agent may have SYSTEM privileges if ColdFusion is installed as a service on Windows.
X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.