exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 76 RSS Feed

Files from wvu

First Active2013-10-30
Last Active2023-11-14
F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution
Posted Nov 14, 2023
Authored by wvu, Mikhail Klyuchnikov | Site metasploit.com

This Metasploit module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMSH). The escape may not be reliable, and you may have to run the exploit multiple times. Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4. Tested against the VMware OVA release of 14.1.2.

tags | exploit, shell, root
systems | unix
advisories | CVE-2020-5902
SHA-256 | 9f3da84fe52bba475dcd0252ca14c6e0af76dd98df5d1edaaccc7c9a737db2bb
VMware Workspace ONE Access Template Injection / Command Execution
Posted May 3, 2022
Authored by mr_me, wvu, Udhaya Prakash | Site metasploit.com

This Metasploit module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access, to execute shell commands as the horizon user.

tags | exploit, shell
advisories | CVE-2022-22954
SHA-256 | bf4114fce190a8b9bc1f2bfc2013620b04b05e7030c7cc59f3d685b8db2038b1
WSO Arbitrary File Upload / Remote Code Execution
Posted May 2, 2022
Authored by Orange Tsai, wvu, hakivvi, Jack Heysel | Site metasploit.com

This Metasploit module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

tags | exploit, remote, code execution, file upload
advisories | CVE-2022-29464
SHA-256 | 7bdab9b3101da4ba2df8ff1f6a558171e4d8a503d4d44bcbaf0347587fa69a4d
ManageEngine ServiceDesk Plus Remote Code Execution
Posted Dec 28, 2021
Authored by wvu, Y4er | Site metasploit.com

This Metasploit module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.

tags | exploit, remote, code execution, file upload
advisories | CVE-2021-44077
SHA-256 | 244ae2538bc9ec8f90e308561999a95ddf997764203cb31dbd2e32b039b73273
ManageEngine ADSelfService Plus Authentication Bypass / Code Execution
Posted Nov 27, 2021
Authored by mr_me, wvu, Wilfried Becard, Antoine Cervoise | Site metasploit.com

This Metasploit module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.

tags | exploit, bypass
advisories | CVE-2021-40539
SHA-256 | 258a080b77eaface80577b4886f47493eafef016bf16d63a1567107d6f5b76cd
Sophos UTM WebAdmin SID Command Injection
Posted Oct 28, 2021
Authored by wvu, Justin Kennedy | Site metasploit.com

This Metasploit module exploits an SID-based command injection in Sophos UTM's WebAdmin interface to execute shell commands as the root user.

tags | exploit, shell, root
advisories | CVE-2020-25223
SHA-256 | e60408784254ddfee031c720b657d15c09df5d27e903311833f4a7f181588725
Microsoft OMI Management Interface Authentication Bypass
Posted Oct 28, 2021
Authored by Spencer McIntyre, wvu, Nir Ohfeld, Shir Tamari | Site metasploit.com

By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).

tags | exploit, web, root
advisories | CVE-2021-38647
SHA-256 | fdef0aef0e912b6be1749a8d91235a8ce5f95d8c64ee36efaa66917951a81206
VMware vCenter Server Analytics (CEIP) Service File Upload
Posted Oct 7, 2021
Authored by VMware, Derek Abdine, wvu, Sergey Gerasimov, George Noseevich | Site metasploit.com

This Metasploit module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. CEIP is enabled by default.

tags | exploit, shell, root, file upload
advisories | CVE-2021-22005
SHA-256 | 036b2591e4ef8beb3558c821f06ea5bf7c27f8226edd7019163d2a719de158ac
Atlassian Confluence WebWork OGNL Injection
Posted Sep 10, 2021
Authored by wvu, Jang, Benny Jacob | Site metasploit.com

This Metasploit module exploits an OGNL injection in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.

tags | exploit
advisories | CVE-2021-26084
SHA-256 | 78b308738c153a19545165ba47b4b15d6c0473eedcb99a8170d7a8e03183480a
Microsoft Exchange ProxyShell Remote Code Execution
Posted Aug 20, 2021
Authored by Spencer McIntyre, Orange Tsai, wvu, Ramella Sebastien, Jang, PeterJson, brandonshi123 | Site metasploit.com

This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2021-31207, CVE-2021-34473, CVE-2021-34523
SHA-256 | b555cd3b9862ec567195ff3003e6dc453483630a7c663ee17d582778c11dbf59
Lucee Administrator imgProcess.cfm Arbitrary File Write
Posted Aug 17, 2021
Authored by wvu, iamnoooob, rootxharsh | Site metasploit.com

This Metasploit module exploits an arbitrary file write in Lucee Administrator's imgProcess.cfm file to execute commands as the Tomcat user.

tags | exploit, arbitrary
advisories | CVE-2021-21307
SHA-256 | b2e56cd428c174bc04f6acc23c21f34ae6d9df79b2c9d12ca9619993ff6fa4b9
VMware vCenter Server Virtual SAN Health Check Remote Code Execution
Posted Jul 13, 2021
Authored by wvu, Ricter Z | Site metasploit.com

This Metasploit module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. Tested against VMware vCenter Server 6.7 Update 3m (Linux appliance

tags | exploit, java
systems | linux
advisories | CVE-2021-21985
SHA-256 | bdb3128591e803fa1beff81827096bb294a0b4124989ab73f3593b99e35faca8
Microsoft SharePoint Unsafe Control And ViewState Remote Code Execution
Posted Jun 17, 2021
Authored by unknown, Spencer McIntyre, wvu | Site metasploit.com

The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content. This module will leak the ViewState validation key and then use it to sign a crafted object that will trigger code execution when deserialized. Tested against SharePoint 2019 and SharePoint 2016, both on Windows Server 2016.

tags | exploit, code execution
systems | windows
advisories | CVE-2021-31181
SHA-256 | 5dcb06868c15ec6031a011204cbd74de26b37669890217421638293a9f77e49b
Cisco HyperFlex HX Data Platform File Upload / Remote Code Execution
Posted Jun 17, 2021
Authored by wvu, Mikhail Klyuchnikov, jheysel-r7, Nikita Abramov | Site metasploit.com

This Metasploit module exploits an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform's /upload endpoint to upload and execute a payload as the Tomcat user.

tags | exploit, file upload
systems | cisco
advisories | CVE-2021-1499
SHA-256 | f5c93c1dbb7c46d018f80b02b7e8b65d92e05da4eaa8f1ef27222f385aefb954
Cisco HyperFlex HX Data Platform Command Execution
Posted Jun 4, 2021
Authored by wvu, Mikhail Klyuchnikov, Nikita Abramov | Site metasploit.com

This Metasploit module exploits an unauthenticated command injection in Cisco HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell commands as the Tomcat user.

tags | exploit, shell
systems | cisco
advisories | CVE-2021-1497, CVE-2021-1498
SHA-256 | 0a1aa0b824e15e84195c2385f8bf0e7dc95224435e2865997906be79faf81ba6
NetMotion Mobility Server MvcUtil Java Deserialization
Posted May 18, 2021
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits an unauthenticated Java deserialization in the NetMotion Mobility server's MvcUtil.valueStringToObject() method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 are vulnerable. Tested against 12.01.09045 on Windows Server 2016.

tags | exploit, java
systems | windows
advisories | CVE-2021-26914
SHA-256 | 98d5e63a61fd5e20065bed1c5d49729a43d215ca4759d51680b7ba3f830ad751
VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution
Posted Apr 27, 2021
Authored by wvu, Egor Dimitrenko | Site metasploit.com

This Metasploit module exploits a pre-auth server-side request forgery (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the "admin" Unix user.

tags | exploit, code execution
systems | unix
advisories | CVE-2021-21975, CVE-2021-21983
SHA-256 | 8fb3fd3d2660db09b165a788ebbd4aab98bfde09593d01e190121efb5d69716d
Apache OFBiz SOAP Java Deserialization
Posted Apr 6, 2021
Authored by Spencer McIntyre, wvu, yumusb | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for versions prior to 17.12.06.

tags | exploit, java
advisories | CVE-2021-26295
SHA-256 | 1a3d79d4b32857119cfd6ad9c273dd5c7dfc3e857b95b83ad391b6001cc0de14
F5 iControl Server-Side Request Forgery / Remote Command Execution
Posted Apr 1, 2021
Authored by wvu, Rich Warren | Site metasploit.com

This Metasploit module exploits a pre-authentication server-side request forgery vulnerability in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device.

tags | exploit, root
advisories | CVE-2021-22986
SHA-256 | af88cb0e39f85d5705c7b101b5d8123cacf7ab8455f5fc35d14ea16b6fc75d0d
Advantech iView Unauthenticated Remote Code Execution
Posted Mar 23, 2021
Authored by Spencer McIntyre, wvu | Site metasploit.com

This Metasploit module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the vulnerable version 5.7.02.5992 and fixed in version 5.7.03.6112.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2021-22652
SHA-256 | 871b6bdcb75f943757231fe70d369aecb3bf02147c4c50b85ea3a12f3efaabe4
VMware View Planner 4.6 Remote Code Execution
Posted Mar 19, 2021
Authored by wvu, Grant Willcox, Mikhail Klyuchnikov | Site metasploit.com

This Metasploit module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 Security Patch 1. Successful exploitation will result in remote code execution as the apache user inside the appacheServer Docker container.

tags | exploit, remote, code execution, file upload
advisories | CVE-2021-21978
SHA-256 | 379b0cbe47bd964e0aa4ad293ae73ca2ada00daefc19072ca7c7c1d184c798cd
Apache OFBiz XML-RPC Java Deserialization
Posted Mar 12, 2021
Authored by Alvaro Munoz, wvu | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.04.

tags | exploit, java
advisories | CVE-2020-9496
SHA-256 | 92c0cbc161c309a9ee69f4716d1ce3b791ab490da8ad91b396463bbefc0310d2
VMware vCenter Server File Upload / Remote Code Execution
Posted Mar 8, 2021
Authored by mr_me, wvu, Mikhail Klyuchnikov, Viss | Site metasploit.com

This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. Furthermore, writing an SSH public key to /home/vsphere-ui/.ssh/authorized_keys works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.

tags | exploit, web, file upload
systems | linux, windows
advisories | CVE-2021-21972
SHA-256 | ee1f708da8c9cdb296637b11bf11d0e1c52209633c21780eca035b11e77bfd1d
MobileIron MDM Hessian-Based Java Deserialization Remote Code Execution
Posted Jan 25, 2021
Authored by Orange Tsai, wvu, iamnoooob, rootxharsh | Site metasploit.com

This Metasploit module exploits an ACL bypass in MobileIron MDM products to execute a Groovy gadget against a Hessian-based Java deserialization endpoint.

tags | exploit, java
advisories | CVE-2020-15505
SHA-256 | 5c0db542beea98b42c60393d60ff136e823dca9b8c1933fb194541ebcc3d1e48
Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow
Posted Dec 17, 2020
Authored by wvu, Hacker Fantastic, Jeffrey Martin, Aaron Carreras, Jacob Thompson | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.

tags | exploit, overflow, x86
systems | solaris
advisories | CVE-2020-14871
SHA-256 | 255a53ba4764640c38d52b8d61674d66f25d7a11c08ebc0d8b26cc5cdb1d4ace
Page 1 of 4
Back1234Next

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close