This Metasploit module executes a payload on Movable Type (MT) installations that expose mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), a CGI script used during installation and upgrading of the platform. The script allows for code injection.
9f1569dcdb5b14c9f7ccc437f947a2040582d389fc39d6d3e38a34b0a7f83d25
This Metasploit module abuses a command execution vulnerability within the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists within the 'mappy' search command, which allows Python code to be run. To exploit this vulnerability a valid Splunk user with the admin role is required. Unfortunately, Splunk ships with the default credential 'admin:changeme' for admin access, which this attack leverages. The Splunk Web interface runs as SYSTEM on Windows and as root on Linux by default.
4cec15e9c8252677e5cd1bb453f1bd43e0c2eb409d8162a5ce458bb290116509
Sec-1 Labs performed a product security analysis of Splunk and discovered remote command execution as a privileged user, a directory traversal vulnerability, a lack of brute force protection, and information disclosure issues. Versions 4.2.2, 4.2.3 and 4.2.4 were tested. This archive contains an advisory and an exploit.
9cc7b90d467527ef440024994f447af75a7361359080cde790f375729dc79e38
Ruby script to generate a URL-encoded UTF-8 (Unicode) URL.
3716b2b24def26545bf37991157e555c96d9f13dc08744a8b8168ccd6d3bd237
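What such a generator emits, as an added example (not the listed Sec-1 script): every byte of a UTF-8 string that is not an RFC 3986 unreserved character, or one the caller asks to keep (such as the path separator), is written as one %XX escape per byte; a decoder is included to confirm the bytes round-trip. The sample URL in the main block is constructed for the example.

```ruby
# Added example, not the listed Sec-1 script: percent-encode a UTF-8 string byte by byte
# and decode it back.
UNRESERVED = /\A[A-Za-z0-9\-._~]\z/   # RFC 3986 unreserved set, left unencoded

def utf8_url_encode(str, keep: "")
  str.encode("UTF-8").each_char.map do |ch|
    if ch.match?(UNRESERVED) || keep.include?(ch)
      ch
    else
      ch.bytes.map { |b| format("%%%02X", b) }.join  # one %XX per UTF-8 byte
    end
  end.join
end

# Decode %XX sequences back to raw bytes and reinterpret as UTF-8. Malformed escapes
# (a lone '%' or non-hex digits) are passed through unchanged rather than guessed at.
def utf8_url_decode(enc)
  bytes = []
  i = 0
  while i < enc.length
    if enc[i] == "%" && enc[i + 1, 2].to_s.match?(/\A\h{2}\z/)
      bytes << enc[i + 1, 2].hex
      i += 3
    else
      bytes.concat(enc[i].bytes)
      i += 1
    end
  end
  bytes.pack("C*").force_encoding("UTF-8")
end

if __FILE__ == $PROGRAM_NAME
  url = "/mt/" + ARGV.fetch(0, "über strasse")   # constructed sample input
  puts utf8_url_encode(url, keep: "/")           # /mt/%C3%BCber%20strasse
end
```

Keeping "/" unencoded is a choice, not a rule: a target that decodes before routing may treat %2F differently from a literal slash, which is exactly the kind of behaviour a generator like this is used to probe.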
The MailMarshal Spam Quarantine version 6.2.0.x HTTP interface password reset facility is vulnerable to a SQL buffer truncation attack. The vulnerability could be exploited to reset and retrieve any user account. The attacker would require prior knowledge of the user's email address.
413e168c92dfcc339ecd500754b6e240ebd1b59e709f687e96ac02bb9c73e549
Paper called Buffer Truncation Abuse in Microsoft SQL Server Based Applications. The paper documents an attack technique Sec-1 recently adopted during the course of their application assessments.
0dc61a947fb649824bb61b36cc116d9966deabfa346db9f73a35a69ce0e03ecf
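The mechanism behind the MailMarshal finding and the paper above, as an added example that is not code from either: a constructed in-memory model of the two Microsoft SQL Server behaviours the technique relies on, walked through on the duplicate-account variant. The account store, its column width of 20 and the registration flow are hypothetical; the MailMarshal case applies the same truncation to a password reset rather than to registration.

```ruby
# Added example (not code from the Sec-1 paper or the MailMarshal advisory): a constructed
# model of the two SQL Server behaviours buffer truncation abuse relies on.
#
#   1. A varchar(n) stored-procedure parameter silently truncates longer input to n
#      characters (a direct INSERT would raise error 8152 under ANSI_WARNINGS ON;
#      a parameter does not).
#   2. '=' on varchar values ignores trailing spaces (ANSI padding), so
#      'admin' = 'admin   ' evaluates TRUE.
class Varchar
  attr_reader :limit

  def initialize(limit)
    @limit = limit
  end

  # What reaches the table after passing through a varchar(limit) parameter.
  def store(value)
    value[0, @limit]
  end

  # T-SQL '=' semantics for varchar: trailing spaces are not significant.
  def same?(a, b)
    a.rstrip == b.rstrip
  end
end

# Hypothetical account store with the flaw: the "name already taken?" check sees the
# full, untruncated input, but the row is written through a stored procedure whose
# @username parameter is varchar(20).
class UserStore
  USERNAME = Varchar.new(20)

  attr_reader :rows

  def initialize
    @rows = []
  end

  def register(username, password)
    if @rows.any? { |r| USERNAME.same?(r[:username], username) }
      raise ArgumentError, "username taken"
    end
    @rows << { username: USERNAME.store(username), password: password }
  end

  # Login compares with the same padding semantics, so a row holding
  # 'admin' followed by spaces answers for 'admin'.
  def login(username, password)
    @rows.find { |r| USERNAME.same?(r[:username], username) && r[:password] == password }
  end
end

# Payload construction: the target name padded with spaces up to the column limit, then
# any non-space suffix. The suffix makes the full-length duplicate check fail to match
# the target; truncation removes it again before the row is written.
def truncation_payload(target, limit)
  target.ljust(limit) + "x"
end

if __FILE__ == $PROGRAM_NAME
  store = UserStore.new
  store.register("admin", "s3cret")
  store.register(truncation_payload("admin", UserStore::USERNAME.limit), "attacker")
  p store.rows
  p store.login("admin", "attacker")   # the attacker's row now answers for 'admin'
end
```

Two practical notes. A UNIQUE index on the column defeats this particular variant, because the index compares with the same padding rule and rejects the second 'admin' row; it does not help where the truncated value is used in a WHERE clause, as in a reset flow. On the application side, the fix is to reject input longer than the column before it reaches the procedure, or to declare the parameter with the column's width and validate against that same width.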
The Automagic SQL Injector is part of the Sec-1 Exploit Arsenal provided as part of the Applied Hacking & Intrusion Prevention training courses. In a nutshell it's an automated SQL injection tool designed to help save time on pen tests. It only works against vanilla Microsoft SQL Server injection holes where error messages are returned.
10f67d639127d49c2a17f2bd7836c65a6de0e65c95f62f7cba4c1eabba63e69d
Sec-1 has identified an exploitable buffer overflow within Collaboration Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks are used within Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail content. Several Content Security packages were identified to be vulnerable/exploitable.
9f4f941c51cdd9e0d26f660aabaaad96258464fb7cea45f0278841f2584003a0
Sec-1 has identified an exploitable buffer overflow within the HTTP management interface of GFI MailSecurity 8.1. By sending large strings within several areas of the HTTP request (such as a large 'Host' or 'Accept' header), critical portions of memory are overwritten. Verification of this vulnerability can be achieved through the use of an HTTP fuzzer, such as @stake webproxy. Successful exploitation could allow an attacker to gain administrative control of the targeted host.
4300d283bb084186da283e56ddae0e40446b1e8a04f555832a86566d3489b5db
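The verification step described above, as an added example that is not the advisory's code or @stake webproxy: a length-ladder probe that sends one request per header size and records whether a status line came back. The stand-in server, its 64-byte limit and its "drop the connection" behaviour are assumptions made so the example runs offline; they describe nothing about GFI MailSecurity.

```ruby
# Added example (not the Sec-1 advisory's code): oversized-header probe with a
# constructed stand-in target.
require "socket"

# Minimal HTTP/1.1 request with the named header set to `length` filler bytes.
def oversized_header_request(header, length, path: "/", filler: "A")
  lines = ["GET #{path} HTTP/1.1"]
  lines << "Host: localhost" unless header.casecmp?("Host")  # Host is mandatory in HTTP/1.1
  lines << "#{header}: #{filler * length}"
  lines << "Connection: close"
  lines.join("\r\n") + "\r\n\r\n"
end

# Send one request per length and record the status line, or why none came back.
# A target that stops answering above some length is a lead for debugger work, not a
# proof of memory corruption: it may simply enforce a header size limit.
def probe(host, port, header, lengths, timeout: 2)
  lengths.map do |len|
    begin
      sock = TCPSocket.new(host, port)
      sock.write(oversized_header_request(header, len))
      line = IO.select([sock], nil, nil, timeout) ? sock.gets : nil
      [len, line ? line.strip : "no response"]
    rescue Errno::ECONNRESET, Errno::EPIPE, Errno::ECONNREFUSED => e
      [len, e.class.name]
    ensure
      sock&.close
    end
  end
end

# Constructed stand-in for a service with the fault (an assumption of this example):
# it reads the request headers and drops the connection without answering once any
# header line exceeds `limit` bytes.
def start_stub_server(limit)
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    loop do
      client = server.accept
      Thread.new(client) do |c|
        too_long = false
        while (line = c.gets) && line != "\r\n"
          too_long ||= line.bytesize > limit
        end
        c.write("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n") unless too_long
        c.close
      end
    end
  end
  server.addr[1]  # ephemeral port the stub listens on
end

if __FILE__ == $PROGRAM_NAME
  port = start_stub_server(64)
  probe("127.0.0.1", port, "Host", [16, 32, 64, 128, 256]).each do |len, status|
    puts "#{len}: #{status}"
  end
end
```

Against a real target, run the ladder once per header of interest and watch the service process under a debugger at the first length that changes the result; the probe only tells you where to look.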
Sec-1 has identified an exploitable Buffer Overflow within Collaboration Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks are used within Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail content. Several Content Security packages were identified to be vulnerable/exploitable.
26ed9986f1acd0482d2a4dccf8225ecf63c139f2483c559189427de3f59962e6
The RSA SecurID Web Agent suffers from a heap overflow. Versions 5, 5.2, and 5.3 are affected.
e010b40af665d69382ab4aebc8c25938d3ad8941470fa0cf633f41bb5fe578ef
Cain and Abel PSK sniffer version 2.65 is susceptible to a heap overflow that allows for arbitrary code execution.
bd34e21df4190627608dceac0bc6fb975ca0ca3a606a471084d205aecfedffde
Exploit code for the Winhlp32.exe remote buffer overflow vulnerability. Calls WinExec with SW_HIDE and executes the supplied command. Tested against Windows 2000 Professional SP2. Written for Kernel32.dll version 5.0.2195.2778.
adce750ea8ea7636a6d8425b52fcab60b5dd38ae71c75e61d280d5b11e225141
Exploit code for the Winhlp32.exe remote buffer overflow vulnerability. Calls WinExec with SW_HIDE and executes the supplied command. Tested against Windows 2000 Professional SP2. Written for Kernel32.dll version 5.0.2195.4272.
d51b5844b984733f335e621404e81da9ba3972f55afab24141b4eeba7aef7f17