• Sudo Heap-Based Buffer Overflow
    Disclosure Date: 2021-01-26
    First seen: 2021-03-12
    exploit/linux/local/sudo_baron_samedit
    A heap-based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects versions 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this implementation leverages the overflow to overwrite a service_user struct in memory to reference an attacker-controlled library, which results in it being loaded with the elevated privileges held by sudo.
    Authors: Qualys, Spencer McIntyre, bwatters-r7, smashery, blasty <blasty@fail0verflow.com>, worawit, Alexander Krog
  • McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure
    Disclosure Date: 2015-01-06
    First seen: 2020-04-26
    auxiliary/gather/mcafee_epo_xxe
    This module will exploit an authenticated XXE vulnerability to read the keystore.properties file off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is set as the same password as the database 'sa' user and of the admin user created during installation. This password is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default, if installed with a local SQL Server instance, the SQL Server is listening on all interfaces. Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server user in order to achieve remote command execution with permissions of the database process. If the administrator has not changed the password for the initially created account since installation, the attacker will have the password for this account. By default, 'admin' is recommended. Any user account can be used to exploit this; all that is needed is a valid credential. The most data that can be successfully retrieved is 255 characters due to length restrictions on the field used to perform the XXE attack.
    Authors: Brandon Perry <bperry.volatile@gmail.com>
  • McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability
    Disclosure Date: 2012-04-30
    First seen: 2020-04-26
    exploit/windows/browser/mcafee_mvt_exec
    This module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user.
    Authors: rgod, sinn3r <sinn3r@metasploit.com>
  • McAfee Visual Trace ActiveX Control Buffer Overflow
    Disclosure Date: 2007-07-07
    First seen: 2020-04-26
    exploit/windows/browser/mcafeevisualtrace_tracetarget
    This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the "TraceTarget()" method, an attacker may be able to execute arbitrary code.
    Authors: MC <mc@metasploit.com>
  • McAfee Subscription Manager Stack Buffer Overflow
    Disclosure Date: 2006-08-01
    First seen: 2020-04-26
    exploit/windows/browser/mcafee_mcsubmgr_vsprintf
    This module exploits a flaw in the McAfee Subscription Manager ActiveX control. Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by passing a large string to one of the COM-exposed routines, such as IsAppExpired. This vulnerability was discovered by Karl Lynn of eEye.
    Authors: skape <mmiller@hick.org>
  • McAfee ePolicy Orchestrator / ProtectionPilot Overflow
    Disclosure Date: 2006-07-17
    First seen: 2020-04-26
    exploit/windows/http/mcafee_epolicy_source
    This is an exploit for the McAfee HTTP Server (NAISERV.exe). McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are known to be vulnerable. By sending a large 'Source' header, the stack can be overwritten. This module is based on the exploit by xbxice and muts. Due to size constraints, this module uses the Egghunter technique.
    Authors: muts <muts@remote-exploit.org>, xbxice <xbxice@yahoo.com>, hdm <x@hdm.io>, aushack <patrick@osisecurity.com.au>
7 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details