Exploits

Core Impact Threat Intelligence Exploits, Security and Penetration Testing Updates

When you buy Core Impact, we provide real-time updates including new penetration testing exploits and tests for additional platforms as they become available. We advise you of any new modules by email, after which you can download them directly from within Core Impact. All product updates are free during the license period. You're always on the cutting edge of vulnerability and threat intelligence because Core Impact keeps you there.


Title / Description / Vulnerability | Category | Platform
Microsoft Windows OpenType Font Driver Vulnerability Exploit (MS15-078) Update 3

This module exploits a vulnerability in the "atmfd.dll" Windows driver by loading a crafted OTF font.

This update adds support for a "Low Integrity Level" bypass on 32-bit "Windows 8.1" by using a kernel memory leak (CVE-2015-2433).

CVE-2015-2426 | Exploits/Local | Windows
Microsoft Windows Win32k SetParent Null Pointer Dereference Exploit (MS15-135)

This module exploits a vulnerability in win32k.sys by calling the SetParent function with crafted parameters.

CVE-2015-6171 | Exploits/Local | Windows
Linux Overlayfs ovl_setattr Local Privilege Escalation Exploit

This module exploits a vulnerability in Linux. The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

CVE-2015-8660 | Exploits/Local | Linux
Microsoft Windows OpenType Font Driver Vulnerability Exploit (MS15-078) Update 2

This module exploits a vulnerability in the "atmfd.dll" Windows driver by loading a crafted OTF font.

This update adds support for a "Low Integrity Level" bypass on 64-bit "Windows 8.1" and "Windows 2012" R2 by using a kernel memory leak (CVE-2015-2433).

This update also improves AV evasion.

CVE-2015-2426 | Exploits/Local | Windows
Microsoft Office COM Object els.dll based Binary Planting Exploit (MS15-132)

This module exploits a COM Server-based Binary Planting vulnerability on Microsoft Word to deploy an agent.

CVE-2015-6128 | Exploits/Client Side | Windows
Linux abrt sosreport Symlink Privilege Escalation Exploit

The sosreport program, a component of the ABRT bug reporting system used in Red Hat Enterprise Linux, does not handle symbolic links correctly when writing core dumps of ABRT programs to the ABRT dump directory (/var/tmp/abrt). This can be leveraged by local unprivileged attackers to gain root privileges on vulnerable systems.

CVE-2015-5287 | Exploits/Local | Linux
Jenkins Default Configuration Remote Code Execution Exploit

This module exploits a Jenkins command injection in order to install an agent.

NOCVE-9999-74942 | Exploits/Remote | Linux
Joomla User Agent Object Injection Exploit

This module exploits a remote code execution vulnerability in Joomla. The session handling code is susceptible to PHP Object Injection attacks due to lack of sanitization in some HTTP headers that are saved to the database session backend.

CVE-2015-8562 | Exploits/OS Command Injection/Known Vulnerabilities | Linux
Joomla com_contenthistory SQL Injection

This module exploits a SQL Injection vulnerability in Joomla which allows gathering of users and password hashes by parsing SQL error output.

CVE-2015-7297 | Exploits/SQL Injection/Known Vulnerabilities | Linux
AlienVault Unified Security Management av-forward Deserialization of Untrusted Data Exploit

This update introduces an exploit for AlienVault Unified Security Management. A vulnerability exists in the av-forward daemon running in AlienVault Unified Security Management appliances. The daemon accepts serialized Python and proceeds to deserialize it without proper validation, allowing unauthenticated arbitrary code execution.

NOCVE-9999-74938 | Exploits/Remote | (platform not listed)
VMware vCenter Server Java JMX-RMI Remote Code Execution Exploit

VMware vCenter Server is prone to a remote vulnerability that allows attackers to take advantage of an insecure deployment of the JMX/RMI service used to manage and monitor the Java Virtual Machine.

By exploiting known methods, it is possible to remotely load an MLet file from an attacker-controlled web server that in turn points at an attacker-controlled jar file.

CVE-2015-2342 | Exploits/Remote | Windows
SolarWinds Application Monitor TSUnicodeGraphEditorControl factory Buffer Overflow Exploit Update 2

The specific flaw exists within the 'factory' object's loadExtensionFactory method. The issue lies in a failure to validate the size of an attacker-supplied input before copying it into a fixed-size buffer on the stack. An attacker can leverage this vulnerability to execute code under the context of the current process.
This version adds x86_64 support and improves reliability.

CVE-2015-1500 | Exploits/Client Side | Windows
Microsoft Windows Media Center MCL URL File Disclosure Exploit (MS15-134)

Windows Media Center MCL files can specify a URL to be automatically loaded within Media Center.

A specially crafted MCL file can trick Windows Media Center into rendering the very same MCL file as a local HTML file within the application's embedded web browser. This can be leveraged by an attacker to read and exfiltrate arbitrary files from a victim's local filesystem by convincing an unsuspecting user to open an MCL file.

CVE-2015-6127 | Exploits/Client Side | Windows
Borland AccuRev Reprise License Server edit_lf_process Write Arbitrary Files Exploit Update 2

The specific flaw exists within the edit_lf_process resource of the AccuRev Reprise License Manager service. The issue lies in the ability to write arbitrary files with controlled data. An attacker could leverage this vulnerability to execute arbitrary code under the context of SYSTEM.
This update introduces a number of improvements related to the architecture of the installed agent and to scenarios where multiple targets are tested. It also improves reliability.

NOCVE-9999-74481 | Exploits/Remote | Windows
Symantec Endpoint Protection Manager Java Library Deserialization Vulnerability Remote Code Execution Exploit

Symantec Endpoint Protection Manager is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.

CVE-2015-6555 | Exploits/Remote | Windows
Oracle WebLogic Server commons-collections Java Library Deserialization Vulnerability Remote Code Execution Exploit Update

Oracle WebLogic Server is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.

This update adds the proper CVE number and more supported platforms.

CVE-2015-4852 | Exploits/Remote | Solaris, Windows, Linux
Kaspersky Antivirus ThinApp Parser Exploit

Kaspersky Antivirus is prone to a buffer overflow when handling a specially crafted ThinApp compressed file.

NOCVE-9999-74927 | Exploits/Client Side | Windows
Oracle WebLogic Server commons-collections Java Library Deserialization Vulnerability Remote Code Execution Exploit

Oracle WebLogic Server is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.

CVE-2015-4852 | Exploits/Remote | Solaris, Windows, Linux
JBoss commons-collections Java Library Deserialization Vulnerability Remote Code Execution Exploit

JBoss Application Server is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.

NOCVE-9999-74929 | Exploits/Remote Code Execution | Windows, Linux
Jenkins commons-collections Java Library Deserialization Vulnerability Remote Code Execution Exploit

Jenkins is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.

NOCVE-9999-74930 | Exploits/Remote Code Execution | Windows, Linux
Moxa VPort SDK Plus ActiveX Exploit

The specific flaw exists within the VPORTSDK.VPortSDKCtrl.1 ActiveX control and is triggered by passing an overly long string to the GetClientReg method's Name parameter.

CVE-2015-0986 | Exploits/Client Side | Windows
IBM WebSphere commons-collections Java Library Deserialization Vulnerability Remote Code Execution Exploit

IBM WebSphere Application Server is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution.

NOCVE-9999-74928 | Exploits/Remote Code Execution | Windows
HP LoadRunner Controller Scenario File Buffer Overflow Exploit

The specific flaw exists within the handling of scenario files (.lrs). By manipulating a scenario file's values, an attacker can cause a fixed-length stack buffer to overflow.

CVE-2015-5426 | Exploits/Client Side | Windows
Borland AccuRev Reprise License Server edit_lf_process Write Arbitrary Files Exploit Update

The specific flaw exists within the edit_lf_process resource of the AccuRev Reprise License Manager service. The issue lies in the ability to write arbitrary files with controlled data. An attacker could leverage this vulnerability to execute arbitrary code under the context of SYSTEM.
This update introduces a number of improvements related to the architecture of the installed agent and to scenarios where multiple targets are tested.

NOCVE-9999-74481 | Exploits/Remote | Windows
ManageEngine EventLog Analyzer Exploit

ManageEngine EventLog Analyzer exposes SQL query functionality that can be abused with 'guest' credentials to insert and export a crafted JSP, which allows the module to install an agent.

CVE-2015-7387 | Exploits/Remote | Windows
Linux fusermount Environment Variable Privilege Escalation Exploit

The 'fusermount' binary, part of the FUSE system in Linux, executes the /bin/mount binary with ruid set to 0 without clearing the environment variables provided by unprivileged users.

This flaw can be leveraged by local unprivileged users to gain root privileges by using the functionality provided by the LIBMOUNT_MTAB environment variable to overwrite an arbitrary file on the affected system.

CVE-2015-3202 | Exploits/Local | Linux
Adobe Flash Player Exploits Improvements

This update introduces variations in the SWF files of "Adobe Flash Player ByteArray valueOf Use-After-Free Exploit" and "Adobe Flash Player shared ByteArray Use-After-Free Exploit" modules to avoid antivirus signatures.

CVE-2015-5119 | Exploits/Client Side | Windows
Symantec Endpoint Protection Kernel Pool Overflow Privilege Escalation Exploit Update

Buffer overflow in the sysplant driver in Symantec Endpoint Protection (SEP) Client 11.x and 12.x before 12.1 RU4 MP1b, and Small Business Edition before SEP 12.1, allows local users to execute arbitrary code via a long argument to a 0x00222084 IOCTL call.

CVE-2014-3434 | Exploits/Local | Windows
HP Client Automation Remote Code Execution Exploit

This module exploits a command injection vulnerability in HP Client Automation. The flaw exists within the radexecd.exe component which listens by default on TCP port 3465. When handling a remote execution request the process does not properly authenticate the user issuing the request. The command to be executed is also not properly sanitized. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of SYSTEM.

Authentication is not required to exploit this vulnerability.

CVE-2015-1497 | Exploits/Remote | Windows, Mac OS X, Linux
ElasticSearch Search Groovy Sandbox Bypass Remote Execution Exploit

A vulnerability in ElasticSearch versions 1.4.0 to 1.4.2 allows execution of unsandboxed Groovy code. This module installs an OS agent in vulnerable targets.

CVE-2015-1427 | Exploits/Remote | Windows, Linux