• VirtualBox 3D Acceleration Virtual Machine Escape
    Disclosure Date: 2014-03-11
    First seen: 2020-04-26
    exploit/windows/local/virtual_box_opengl_escape
    This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a sequence of specially crafted rendering messages, a virtual machine can exploit an out-of-bounds array access to corrupt memory and escape to the host. This module has been tested successfully on a Windows 7 SP1 (64-bit) host running VirtualBox 4.3.6. Authors: - Francisco Falcon - Florian Ledoux - juan vazquez <juan.vazquez@metasploit.com>
  • Oracle Demantra Database Credentials Leak
    Disclosure Date: 2014-02-28
    First seen: 2020-04-26
    auxiliary/scanner/http/oracle_demantra_database_credentials_leak
    This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in combination with an authentication bypass. This way an unauthenticated user can retrieve the database name, username and password on any vulnerable machine. Authors: - Oliver Gruskovnjak
  • Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
    Disclosure Date: 2014-02-28
    First seen: 2020-04-26
    auxiliary/scanner/http/oracle_demantra_file_retrieval
    This module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file on a vulnerable machine. Authors: - Oliver Gruskovnjak
  • Apache Commons FileUpload and Apache Tomcat DoS
    Disclosure Date: 2014-02-06
    First seen: 2020-04-26
    auxiliary/dos/http/apache_commons_fileupload_dos
    This module triggers an infinite loop in Apache Commons FileUpload 1.0 through 1.3 via a specially crafted Content-Type header. Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50 and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also uses Commons FileUpload as part of the Manager application. Authors: - Unknown - ribeirux
  • Oracle Forms and Reports Remote Code Execution
    Disclosure Date: 2014-01-15
    First seen: 2020-04-26
    exploit/multi/http/oracle_reports_rce
    This module uses two vulnerabilities in Oracle Forms and Reports to get remote code execution on the host. The showenv URL can be used to disclose information about a server. A second vulnerability that allows arbitrary reading and writing to the host filesystem can then be used to write a shell from a remote URL to a known local path disclosed from the previous vulnerability. The local path being accessible from a URL allows an attacker to perform the remote code execution using, for example, a .jsp shell. This module was tested successfully on Windows and Oracle Forms and Reports 10.1. Authors: - miss_sudo <security@netinfiltration.com> - Mekanismen <mattias@gotroot.eu>
  • Java storeImageArray() Invalid Array Indexing Vulnerability
    Disclosure Date: 2013-08-12
    First seen: 2020-04-26
    exploit/multi/browser/java_storeimagearray
    This module abuses an Invalid Array Indexing Vulnerability in the static storeImageArray() function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems. Authors: - Unknown - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Oracle Endeca Server Remote Command Execution
    Disclosure Date: 2013-07-16
    First seen: 2020-04-26
    exploit/windows/http/oracle_endeca_exec
    This module exploits a command injection vulnerability on the Oracle Endeca Server 7.4.0. The vulnerability exists on the createDataStore method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. In addition, the injection has been found to be Windows specific. This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits). Authors: - rgod <rgod@autistici.org> - juan vazquez <juan.vazquez@metasploit.com>
  • IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
    Disclosure Date: 2013-06-20
    First seen: 2020-04-26
    auxiliary/scanner/ipmi/ipmi_dumphashes
    This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well as hashcat (cpu) 0.46 or newer using type 7300. Authors: - Dan Farmer <zen@fish2.com> - hdm <x@hdm.io>
  • Java Applet ProviderSkeleton Insecure Invoke Method
    Disclosure Date: 2013-06-18
    First seen: 2020-04-26
    exploit/multi/browser/java_jre17_provider_skeleton
    This module abuses the insecure invoke() method of the ProviderSkeleton class, which allows calling arbitrary static methods with user-supplied arguments. The vulnerability affects Java version 7u21 and earlier. Authors: - Adam Gowdiak - Matthias Kaiser
  • Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
    Disclosure Date: 2013-04-16
    First seen: 2020-04-26
    exploit/windows/browser/oracle_webcenter_checkoutandopen
    This module exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where user controlled input is used to call ShellExecuteExW(). This module abuses the control to execute an arbitrary HTA from a remote location. This module has been tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle WebCenter Content 11.1.1.6.0. Authors: - rgod <rgod@autistici.org> - juan vazquez <juan.vazquez@metasploit.com>
  • Java CMM Remote Code Execution
    Disclosure Date: 2013-03-01
    First seen: 2020-04-26
    exploit/windows/browser/java_cmm
    This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the java warning in order to run the malicious applet. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com>
  • Java Applet JMX Remote Code Execution
    Disclosure Date: 2013-01-19
    First seen: 2020-04-26
    exploit/multi/browser/java_jre17_jmxbean_2
    This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user. Authors: - Unknown - Adam Gowdiak - SecurityObscurity - juan vazquez <juan.vazquez@metasploit.com>
  • Java Applet JMX Remote Code Execution
    Disclosure Date: 2013-01-10
    First seen: 2020-04-26
    exploit/multi/browser/java_jre17_jmxbean
    This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier. Authors: - Unknown - egypt <egypt@metasploit.com> - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Java Applet Driver Manager Privileged toString() Remote Code Execution
    Disclosure Date: 2013-01-10
    First seen: 2020-04-26
    exploit/multi/browser/java_jre17_driver_manager
    This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass. Authors: - James Forshaw - juan vazquez <juan.vazquez@metasploit.com>
  • Java Applet Reflection Type Confusion Remote Code Execution
    Disclosure Date: 2013-01-10
    First seen: 2020-04-26
    exploit/multi/browser/java_jre17_reflection_types
    This module abuses Java Reflection to generate a Type Confusion, due to weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially crafted JNLP file. This bypass applies mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise the applet is launched without click-to-play bypass. Authors: - Jeroen Frijters - juan vazquez <juan.vazquez@metasploit.com>
  • Oracle MySQL for Microsoft Windows FILE Privilege Abuse
    Disclosure Date: 2012-12-01
    First seen: 2020-04-26
    exploit/windows/mysql/mysql_start_up
    This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers. This module abuses the FILE privilege to write a payload to Microsoft's All Users Start Up directory which will execute every time a user logs in. The default All Users Start Up directory used by the module is present on Windows 7. Authors: - sinn3r <sinn3r@metasploit.com> - Sean Verity <veritysr1980@gmail.com>
  • Oracle MySQL for Microsoft Windows MOF Execution
    Disclosure Date: 2012-12-01
    First seen: 2020-04-26
    exploit/windows/mysql/mysql_mof
    This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers (due to the use of a .mof file). This may result in arbitrary code execution under the context of SYSTEM. This module requires a valid MySQL account on the target machine. Authors: - kingcope - sinn3r <sinn3r@metasploit.com>
80 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details