Metasploit modules that can be used to exploit IBM products
IBM Lotus Sametime Version Enumeration
Disclosure Date: 2013-12-27. First seen: 2020-04-26. Module: auxiliary/gather/ibm_sametime_version
This module scans an IBM Lotus Sametime web interface to enumerate the application's version and configuration information.
Authors: kicks4kittens
IBM Lotus Notes Sametime Room Name Bruteforce
Disclosure Date: 2013-12-27. First seen: 2020-04-26. Module: auxiliary/gather/ibm_sametime_room_brute
This module bruteforces Sametime meeting room names via the IBM Lotus Notes Sametime web interface.
Authors: kicks4kittens
IBM Lotus Notes Sametime User Enumeration
Disclosure Date: 2013-12-27. First seen: 2020-04-26. Module: auxiliary/gather/ibm_sametime_enumerate_users
This module extracts usernames through the IBM Lotus Notes Sametime web interface using either a dictionary attack (preferred) or a bruteforce attack that tries all usernames of MAXDEPTH length or less.
Authors: kicks4kittens
IBM Forms Viewer Unicode Buffer Overflow
Disclosure Date: 2013-12-05. First seen: 2020-04-26. Module: exploit/windows/fileformat/ibm_forms_viewer_fontname
This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability is due to a dangerous usage of a strcpy-like function, and occurs while parsing malformed XFDL files containing a long fontname value. This module has been tested successfully on IBM Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.
Authors: rgod <rgod@autistici.org>, juan vazquez <juan.vazquez@metasploit.com>
IBM Lotus Sametime WebPlayer DoS
Disclosure Date: 2013-11-07. First seen: 2020-04-26. Module: auxiliary/dos/misc/ibm_sametime_webplayer_dos
This module exploits a known flaw in the IBM Lotus Sametime WebPlayer version 8.5.2.1392 (and prior) to cause a denial of service condition against specific users. For this module to function, the target user must be actively logged into the IBM Lotus Sametime server and have the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a browser extension. The user should have the WebPlayer plug-in active (i.e. be in a Sametime Audio/Video meeting) for this DoS to work correctly.
Authors: Chris John Riley, kicks4kittens
ibstat $PATH Privilege Escalation
Disclosure Date: 2013-09-24. First seen: 2020-04-26. Module: exploit/aix/local/ibstat_path
This module exploits the fact that the SUID binary "ibstat" trusts the caller's $PATH environment variable when locating the programs it executes.
Authors: Kristian Erik Hermansen, Sagi Shahar <sagi.shahar@mwrinfosecurity.com>, Kostas Lintovois <kostas.lintovois@mwrinfosecurity.com>
IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
Disclosure Date: 2013-04-26. First seen: 2020-04-26. Module: exploit/windows/browser/ibm_spss_c1sizer
This module exploits a heap-based buffer overflow in the C1Tab ActiveX control while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1.
Authors: Alexander Gavrun, juan vazquez <juan.vazquez@metasploit.com>
IBM Lotus Notes Client URL Handler Command Injection
Disclosure Date: 2012-06-18. First seen: 2020-04-26. Module: exploit/windows/browser/notes_handler_cmdinject
This module exploits a command injection vulnerability in the URL handler for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with a specially crafted notes:// URL to execute arbitrary commands with arbitrary arguments. This module has been tested successfully on Windows XP SP3 with IE8, Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
Authors: Moritz Jodeit, Sean de Regge, juan vazquez <juan.vazquez@metasploit.com>
IBM Lotus iNotes dwa85W ActiveX Buffer Overflow
Disclosure Date: 2012-06-01. First seen: 2020-04-26. Module: exploit/windows/browser/inotes_dwa85w_bof
This module exploits a buffer overflow vulnerability in the UploadControl ActiveX. The vulnerability exists in the handling of the "Attachment_Times" property, due to the insecure usage of _swscanf. The affected ActiveX is provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer. This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3. In order to bypass ASLR, the dwabho.dll module, which is not ASLR-compatible, is used; it is installed with the iNotes ActiveX.
Authors: Gaurav Baruah, juan vazquez <juan.vazquez@metasploit.com>
IBM Lotus QuickR qp2 ActiveX Buffer Overflow
Disclosure Date: 2012-05-23. First seen: 2020-04-26. Module: exploit/windows/browser/quickr_qp2_bof
This module exploits a buffer overflow vulnerability in the UploadControl ActiveX. The vulnerability exists in the handling of the "Attachment_Times" property, due to the insecure usage of _swscanf. The affected ActiveX is provided by the qp2.dll installed with the IBM Lotus Quickr product. This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using the qp2.dll 8.1.0.1800. In order to bypass ASLR, the msvcr71.dll module, which is not ASLR-compatible, is used; it is installed with the qp2 ActiveX.
Authors: Gaurav Baruah, juan vazquez <juan.vazquez@metasploit.com>
IBM Rational ClearQuest CQOle Remote Code Execution
Disclosure Date: 2012-05-19. First seen: 2020-04-26. Module: exploit/windows/browser/clear_quest_cqole
This module exploits a function prototype mismatch in the CQOle ActiveX control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2, which allows reliable remote code execution when DEP isn't enabled.
Authors: Andrea Micalizzi aka rgod, juan vazquez <juan.vazquez@metasploit.com>
IBM Cognos tm1admsd.exe Overflow
Disclosure Date: 2012-04-02. First seen: 2020-04-26. Module: exploit/windows/misc/ibm_cognos_tm1admsd_bof
This module exploits a stack buffer overflow in the IBM Cognos Analytic Server Admin service. The vulnerability exists in the tm1admsd.exe component, due to a dangerous copy of user-controlled data to the stack via memcpy without validating the supplied length and data. The module has been tested successfully on IBM Cognos Express 9.5 on Windows XP SP3.
Authors: Unknown, juan vazquez <juan.vazquez@metasploit.com>
IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile
Disclosure Date: 2012-03-01. First seen: 2020-04-26. Module: exploit/windows/browser/ibm_tivoli_pme_activex_bof
This module exploits a buffer overflow vulnerability in the Isig.isigCtl.1 ActiveX installed with IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1. The vulnerability is found in the "RunAndUploadFile" method, where the "OtherFields" parameter, with user-controlled data, is used to build a "Content-Disposition" header and attach contents in an insecure way, which allows a buffer on the stack to be overflowed.
Authors: Andrea Micalizzi aka rgod, juan vazquez <juan.vazquez@metasploit.com>, sinn3r <sinn3r@metasploit.com>
IBM Personal Communications iSeries Access WorkStation 5.9 Profile
Disclosure Date: 2012-02-28. First seen: 2020-04-26. Module: exploit/windows/fileformat/ibm_pcm_ws
The IBM Personal Communications iSeries Access WorkStation application is susceptible to a stack-based buffer overflow during file parsing, in which data copied to a location in memory exceeds the size of the reserved destination area. The buffer is located on the runtime program stack.

When a WorkStation file is opened, execution reaches the code path at 0x67575180 in pcspref.dll, which performs string manipulation and validation on the data supplied in the WorkStation file. The application first checks whether the 'Profile' header exists and appends a dot followed by the next parameter in the file. It then measures the length of the header by calling strcspn() with a dot as the delimiter, writes the header into memory and ensures the header ends with a NUL character. The parameter character array is then passed to strcpy(), whose destination is a 52-element character array declared by the application. strcpy() performs no bounds checking, so data can be written past the end of the buffer, corrupting adjacent variables, including other local variables, program state information and function arguments.

The saved return address at offset 0x6c is overwritten by the data written past the buffer. To achieve arbitrary code execution, a valid pointer must be supplied at offset 0x74, which is used as an argument for the function called at 0x675751ED as an id file extension parameter. Once the caller regains control, execution reaches the ret instruction, which pops the corrupted saved return address. This exploit has been written to bypass two mitigations, DEP and ASLR, on the Windows platform.

Versions tested: IBM System i Access for Windows V6R1M0 version 06.01.0001.0000a, which bundles pcsws.exe version 5090.27271.709. Tested on: Microsoft Windows XP [Version 5.1.2600], Microsoft Windows Vista [Version 6.0.6002], Microsoft Windows 7 [Version 6.1.7600].
Authors: TecR0c <roccogiovannicalvi@gmail.com>
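As an added illustration, not code from this page or from the Metasploit module, the C program below reconstructs the parsing pattern described above: a "Profile" header, a dot delimiter measured with strcspn(), and a strcpy() of the parameter that follows into a 52-element stack array, next to a hardened version that measures first and refuses anything that would not fit. The one-line "Profile.<parameter>" layout and the function names parse_profile_vulnerable and parse_profile_safe are assumptions made for the example; the 0x6c and 0x74 stack offsets from the description belong to the real binary and do not apply to this toy program.

```c
/* Added example (not the page's or the Metasploit module's own code).
 * The 52-byte destination and the strcspn()/strcpy() sequence come from the
 * description above; the one-line "Profile.<parameter>" layout is assumed. */
#include <stdio.h>
#include <string.h>

#define PROFILE_HDR   "Profile"
#define HEADER_MAX    16
#define PARAM_BUF_LEN 52      /* the 52-element destination array */

/* Validate the "Profile" header and locate the dot delimiter.
 * Returns the header length, or 0 if this is not a Profile line. */
static size_t locate_profile_header(const char *line)
{
    size_t hdr_len;

    if (strncmp(line, PROFILE_HDR, strlen(PROFILE_HDR)) != 0)
        return 0;
    hdr_len = strcspn(line, ".");           /* length up to the dot */
    if (hdr_len >= HEADER_MAX || line[hdr_len] != '.')
        return 0;
    return hdr_len;
}

/* Vulnerable form, as described: the parameter after the dot is copied with
 * strcpy() into param[52] with no length check, so a parameter of 52 bytes or
 * more runs past the array into whatever follows it on the stack.
 * Only call it with short input; overflowing here is undefined behaviour. */
int parse_profile_vulnerable(const char *line, char *out, size_t outsz)
{
    char header[HEADER_MAX];
    char param[PARAM_BUF_LEN];
    size_t hdr_len = locate_profile_header(line);

    if (hdr_len == 0)
        return -1;
    memcpy(header, line, hdr_len);
    header[hdr_len] = '\0';                 /* header ends with NUL */
    strcpy(param, line + hdr_len + 1);      /* no bounds check: the bug */
    snprintf(out, outsz, "%s=%s", header, param);
    return 0;
}

/* Hardened form: measure first, reject anything that does not fit. */
int parse_profile_safe(const char *line, char *out, size_t outsz)
{
    char header[HEADER_MAX];
    char param[PARAM_BUF_LEN];
    size_t hdr_len = locate_profile_header(line);
    size_t param_len;

    if (hdr_len == 0)
        return -1;
    memcpy(header, line, hdr_len);
    header[hdr_len] = '\0';
    param_len = strlen(line + hdr_len + 1);
    if (param_len >= sizeof param)          /* would not fit with its NUL */
        return -2;
    memcpy(param, line + hdr_len + 1, param_len + 1);
    snprintf(out, outsz, "%s=%s", header, param);
    return 0;
}

/* Constructed input: "Profile." followed by n bytes of 'A'. */
static void build_profile_line(char *buf, size_t bufsz, size_t n)
{
    size_t pre = strlen(PROFILE_HDR ".");

    if (n > bufsz - pre - 1)
        n = bufsz - pre - 1;
    memcpy(buf, PROFILE_HDR ".", pre);
    memset(buf + pre, 'A', n);
    buf[pre + n] = '\0';
}

/* 1 if the safe parser accepts a short parameter and reproduces it. */
int demo_safe_short(void)
{
    char out[128];
    return parse_profile_safe("Profile.WS", out, sizeof out) == 0 &&
           strcmp(out, "Profile=WS") == 0;
}

/* 1 if the vulnerable parser behaves identically on the same short input. */
int demo_vulnerable_short(void)
{
    char out[128];
    return parse_profile_vulnerable("Profile.WS", out, sizeof out) == 0 &&
           strcmp(out, "Profile=WS") == 0;
}

/* Return code of the safe parser for a 100-byte parameter: -2 (rejected). */
int demo_safe_long(void)
{
    char line[256], out[256];
    build_profile_line(line, sizeof line, 100);   /* 100 > 52 */
    return parse_profile_safe(line, out, sizeof out);
}

int main(void)
{
    printf("short parameter: safe=%d vulnerable=%d\n",
           demo_safe_short(), demo_vulnerable_short());
    printf("100-byte parameter: safe parser returns %d\n", demo_safe_long());
    return 0;
}
```

The same 100-byte parameter that the safe parser rejects is exactly the input that, in the vulnerable form, overruns param[] and reaches the saved return address the description talks about; the program never feeds it to parse_profile_vulnerable, because doing so is undefined behaviour rather than a demonstration.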
IBM Tivoli Endpoint Manager POST Query Buffer Overflow
Disclosure Date: 2011-05-31. First seen: 2020-04-26. Module: exploit/windows/http/ibm_tivoli_endpoint_bof
This module exploits a stack-based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1 and 4.3.1 handle long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service (lcfd.exe) listening on TCP port 9495. Authorization is required to trigger this issue; the exploit makes use of a second vulnerability, a hardcoded account (tivoli/boss), to bypass the authorization restriction.
Authors: bannedit <bannedit@metasploit.com>, Jeremy Brown <0xjbrown@gmail.com>
Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
Disclosure Date: 2011-05-24. First seen: 2020-04-26. Module: exploit/windows/lotus/lotusnotes_lzh
This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered by binaryhouse.net.
Authors: binaryhouse.net, alino <26alino@gmail.com>
Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
Disclosure Date: 2011-05-24. First seen: 2020-04-26. Module: exploit/windows/fileformat/lotusnotes_lzh
This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered by binaryhouse.net.
Authors: binaryhouse.net, alino <26alino@gmail.com>
IBM Lotus Domino iCalendar MAILTO Buffer Overflow
Disclosure Date: 2010-09-14. First seen: 2020-04-26. Module: exploit/windows/lotus/domino_icalendar_organizer
This module exploits a vulnerability found in IBM Lotus Domino iCalendar. By sending a long string of data as the "ORGANIZER;mailto" header, the nRouter.exe process is crashed through a Cstrcpy() routine in nnotes.dll, which allows remote attackers to gain arbitrary code execution. Note: in order to trigger the vulnerable code path, a valid Domino mailbox account is needed.
Authors: A. Plaskett, sinn3r <sinn3r@metasploit.com>
Apache Tomcat Manager Application Deployer Authenticated Code Execution
Disclosure Date: 2009-11-09. First seen: 2020-04-26. Module: exploit/multi/http/tomcat_mgr_deploy
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a JSP application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: the compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
Authors: jduck <jduck@metasploit.com>
Apache Tomcat Manager Authenticated Upload Code Execution
Disclosure Date: 2009-11-09. First seen: 2020-04-26. Module: exploit/multi/http/tomcat_mgr_upload
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: the compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
Authors: rangercha
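The two Tomcat manager entries above describe the same end result reached by two different requests: a WAR sent with PUT to the manager application, and a POST to /manager/html/upload. Those are the two things a defender looks for in Tomcat access logs. The C program below is an added example, not code from this page or from Metasploit: it pulls the method and path out of combined-format access-log lines, flags any PUT under /manager/ and any POST to /manager/html/upload, and ignores the query string when matching. The log lines are constructed for the example; the /manager/text/deploy path in one of them is the Tomcat 7+ form of the deploy endpoint (older releases use /manager/deploy), which is an assumption of mine and not something the page states.

```c
/* Added example, not code from the page or from Metasploit: flag Tomcat
 * access-log lines that match the two manager upload techniques described
 * above (WAR deployed via PUT, WAR uploaded via POST /manager/html/upload).
 * All sample log lines are constructed for this example. */
#include <stdio.h>
#include <string.h>

enum mgr_event { MGR_NONE = 0, MGR_PUT_DEPLOY = 1, MGR_HTML_UPLOAD = 2 };

/* Constructed combined-format lines. /manager/text/deploy is the Tomcat 7+
 * deploy endpoint (older releases use /manager/deploy): an assumption here,
 * not taken from the page. */
const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - - [12/May/2020:10:01:02 +0000] \"GET /manager/html HTTP/1.1\" 200 5120",
    "10.0.0.5 - admin [12/May/2020:10:01:09 +0000] \"PUT /manager/text/deploy?path=/x HTTP/1.1\" 200 45",
    "10.0.0.5 - admin [12/May/2020:10:02:15 +0000] \"POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=abc HTTP/1.1\" 200 6000",
    "10.0.0.9 - - [12/May/2020:10:03:00 +0000] \"POST /app/login HTTP/1.1\" 302 0",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Pull METHOD and PATH out of the quoted request field ("METHOD PATH VERSION").
 * Returns 1 on success, 0 if the line does not have that shape. */
static int split_request(const char *line, char *method, size_t msz,
                         char *path, size_t psz)
{
    const char *q1 = strchr(line, '"');
    const char *q2 = q1 ? strchr(q1 + 1, '"') : NULL;
    const char *p, *sp;
    size_t n;

    if (!q1 || !q2)
        return 0;
    p = q1 + 1;
    sp = memchr(p, ' ', (size_t)(q2 - p));
    if (!sp || (n = (size_t)(sp - p)) >= msz)
        return 0;
    memcpy(method, p, n);
    method[n] = '\0';

    p = sp + 1;
    sp = memchr(p, ' ', (size_t)(q2 - p));
    n = sp ? (size_t)(sp - p) : (size_t)(q2 - p);
    if (n >= psz)
        return 0;
    memcpy(path, p, n);
    path[n] = '\0';
    return 1;
}

/* Classify a request; the query string is ignored for path matching. */
int classify_manager_request(const char *method, const char *path)
{
    size_t plen = strcspn(path, "?");
    const char *prefix = "/manager/";
    const char *upload = "/manager/html/upload";

    if (strcmp(method, "PUT") == 0 && plen >= strlen(prefix) &&
        strncmp(path, prefix, strlen(prefix)) == 0)
        return MGR_PUT_DEPLOY;        /* WAR deployed via PUT */
    if (strcmp(method, "POST") == 0 && plen == strlen(upload) &&
        strncmp(path, upload, plen) == 0)
        return MGR_HTML_UPLOAD;       /* WAR uploaded through the HTML form */
    return MGR_NONE;
}

/* Classify one raw access-log line. */
int tomcat_manager_deploy_event(const char *logline)
{
    char method[16], path[512];

    if (!split_request(logline, method, sizeof method, path, sizeof path))
        return MGR_NONE;
    return classify_manager_request(method, path);
}

/* Number of sample lines that represent a deployment through the manager. */
int count_manager_deploy_events(void)
{
    int hits = 0;
    size_t i;

    for (i = 0; i < SAMPLE_LOG_N; i++)
        if (tomcat_manager_deploy_event(SAMPLE_LOG[i]) != MGR_NONE)
            hits++;
    return hits;
}

int main(void)
{
    size_t i;

    for (i = 0; i < SAMPLE_LOG_N; i++)
        printf("%d  %s\n", tomcat_manager_deploy_event(SAMPLE_LOG[i]), SAMPLE_LOG[i]);
    printf("%d deployment event(s)\n", count_manager_deploy_events());
    return 0;
}
```

Matching on any PUT under /manager/ rather than on one exact deploy path is deliberate: the deploy endpoint moved between Tomcat releases, and a legitimate operator rarely issues PUTs to the manager outside of deployment, so the broader rule costs little precision. A successful hit with an authenticated user name in the log line (the third field) also tells you which manager credential was used, which is the first thing to rotate.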
Please note: Metasploit modules are only matched by CVE numbers.
Visit the Metasploit web site for more details.