The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
c2c9b14cdb1063f52d66445d57e8c716ba76df1d1393a1bdd2559d0ffd10e0bf
This Metasploit module bypasses basic authentication for Internet Information Services (IIS). By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.
81c7985df2aff0d30d1f7d3ade0d49b345a4a07669ede4729c9660062ed8657d
This Metasploit module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\\\windows\\\\system32\\\\calc.exe.
c954ae2d29b081470b554c9f8c12ad7049c63dccc594927203b359634db62c4c
This Metasploit module chains an authentication bypass vulnerability with a deserialization vulnerability to obtain remote code execution against Telerik Report Server versions 10.0.24.130 and below. The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges. The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account because users are unable to delete themselves.
c8284cfa43ce5539a8a2a273491db985cf3ca1e11f9f79a70c88e33e5ddb8d98
This Metasploit module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers 16.x and below or for build numbers below 6985. The vulnerable versions and builds expose three .NET remoting endpoints on port 17001, namely /Servers, /Mail and /Spool. For example, a typical installation of SmarterMail Build 6970 will have the /Servers endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where serialized .NET commands can be sent through a TCP socket connection. The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user under the context of the SYSTEM account. Successful exploitation results in full administrative control of the target server under the NT AUTHORITY\SYSTEM account. This vulnerability was patched in Build 6985, where port 17001 is no longer publicly accessible, although it can still be reached locally at 127.0.0.1:17001. Hence, this would still allow for a privilege escalation vector if the server is compromised as a low-privileged user.
c00513d64b0afbcf82cfd8c3569e9b9bd32c506402e79960d11808c409ea5c44
This Metasploit module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange PowerShell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.
52e94b2539eeb923ed6dfcf33bf21788d037db18208e166670e34916d20844dd
Microsoft SharePoint Server 2019 remote code execution exploit.
46e9d1239eeb594d08bb2032164a87b9a5b13bfc22da02cdddd6ca552f3b5850
SmarterMail build version 6985 suffers from a remote code execution vulnerability.
03a34ec5b65f814667108d5769e315ba381562b01bceb44b9f6931123cc94443
A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker to execute code within the context of the SharePoint application service. The privileges in this execution context are determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered from a page that initializes either the ContactLinksSuggestionsMicroView type or a derivative of it. In a default configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.
34f2633fdb04b0ab14dd5a0aedaf3e5d3b9e387d4d8619fbdd31dabb809602b6
This Metasploit module exploits a vulnerability within SharePoint and its .NET backend that allows an attacker to execute commands using specially crafted XOML data sent to SharePoint via the Workflows functionality.
583c7dc9e2c88b3f3622ee79ae7bc09a2e63d8641d172496c3143a024bc22425
A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server.
6a7a492f2dc70d4a79f4f4220d5e1a617458fbab09046134c7b6d7f120a2b5aa
TechSmith Camtasia versions 7 and 8 suffer from a cross site scripting vulnerability.
0da3668d93c5d907fcfe6b8abc0ab9b5251abb5997b3d5d0d8042ce947378c29
This Metasploit module exploits a use-after-free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to free the object's memory early. Later use of the object allows triggering the use-after-free condition. This Metasploit module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order to exploit Adobe Reader 9, the fileformat version of the exploit can be used.
138b5061095c157ac1ee1b8954ca08cb7b70e4dd78274f3ac703d12404ff91b1
This Metasploit module exploits a use-after-free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to free the object's memory early. Later use of the object allows triggering the use-after-free condition. This Metasploit module has been tested successfully on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in November 2013.
d0dbf161cbc3db6f711c5aade3b3b43f7a5e9f4d7399cf1ba132b40664e9a097
Gleamtech FileVista / FileUltimate version 4.6 suffers from a directory traversal vulnerability.
109f5ca5f5be84fd82191d8a0fbff91cbb160e954b6e4083b398af37397fc8ba
FCKEditor version 2.6.8 ASP version suffers from a file upload protection bypass.
139ccad597b02f049b3b2b0129bd2dd23c86df34ebff98c04ada72b76409a1d8
CK Finder version 2.3 and FCKEditor version 2.6.8 allow uploads of malicious swf files that can allow for cross site scripting attacks.
d82a591cc39f84f739a5883f7788b375ddde2f6568df00ff6cbe8a116ba4e460
Microsoft IIS suffers from a short file/folder name disclosure vulnerability when handling tilde characters. The .NET framework may also suffer from a denial of service condition relating to the handling of tilde characters. A proof of concept scanner is included.
ac7e17676655fc32991058e316c32da4c4a71a9100a0f1c88e9530581b4638c8
Bugzilla Security Advisory - Bugzilla versions 3.5.3 to 3.6.8, 3.7.1 to 4.0.5, and 4.1.1 to 4.2 suffer from an authorized access vulnerability. Bugzilla versions 2.17.4 to 3.6.8, 3.7.1 to 4.0.5, and 4.1.1 to 4.2 suffer from a cross site scripting vulnerability.
cd5bcb16d9fc77f836d09c3e0255fb95fd2cfe29cc6147822f65c77d60475b15
This is a proof of concept denial of service exploit for Adobe Reader / Acrobat 10.0.1.
f4707181a5488c9a9c04dd3216eef79a7d475b24d554758aac8d2f6d346f71c2
Douran Portal version 3.9.7.8 suffers from a file download / source code disclosure vulnerability.
05de5c3083ad1234fda02cbcc818d3263aeb88c4dea387ee5fc84d20f85ef3f7
IIS 5 suffers from an authentication bypass vulnerability.
37ea748726abfdcf90c5f620168c130aaee2fc345aa57be4c08c7f6c6dc47a6a
Whitepaper called Cross Site URL Hijacking by using Error Object in Mozilla Firefox.
993115eaca328415779f0ad41ec21241e1acdc72bd095710c3cc2939a0d118f5
Whitepaper called Improve File Uploaders' Protections. It focuses on Windows-based web applications.
803f2abcacda9201f41388593ce11f07255874a6d23932ff67d843faf023b0fe
Whitepaper called Finding vulnerabilities in YaFtp version 1.0.14.
df7b6114136d60935a464739865eac6e7866ddee528d58b47d356fb5c6881b15