exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 26 RSS Feed

Files from Jacob Baines

First Active2016-10-21
Last Active2023-10-02
Juniper SRX Firewall / EX Switch Remote Code Execution
Posted Oct 2, 2023
Authored by Ron Bowes, Jacob Baines, jheysel-r7 | Site metasploit.com

This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.

tags | exploit, web, root, php, protocol
systems | freebsd, bsd, juniper
advisories | CVE-2023-36845
SHA-256 | 23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517
GitLab 13.10.2 Remote Code Execution
Posted Nov 17, 2021
Authored by Jacob Baines

GitLab version 13.10.2 remote code execution exploit that provides a reverse shell.

tags | exploit, remote, shell, code execution
advisories | CVE-2021-22204, CVE-2021-22205
SHA-256 | a3816f4a73b68abc9aa497e0982428e2bde3d7b0a005094907ca8484d9f39f60
SonicWall SMA 10.2.1.0-17sv Password Reset
Posted Oct 20, 2021
Authored by Jacob Baines

SonicWall SMA version 10.2.1.0-17sv suffers from a remote password reset vulnerability.

tags | exploit, remote
advisories | CVE-2021-20034
SHA-256 | 1d7256a24120e085899614766e31ffce8d24fab7f97df961712c94b274e8994d
Lexmark Driver Privilege Escalation
Posted Aug 12, 2021
Authored by Jacob Baines, Shelby Pace, Grant Willcox | Site metasploit.com

Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\<driver name>\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, will inspect the C:\ProgramData\<driver name>\Universal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.

tags | exploit
systems | windows
advisories | CVE-2021-35449
SHA-256 | db241e26cf8e485cbeaa7d359e18c68f4083f5cbe8615e284394323a682200d8
Canon TR150 Driver 3.71.2.10 Privilege Escalation
Posted Aug 11, 2021
Authored by Jacob Baines, Shelby Pace | Site metasploit.com

Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation will grant attackers code execution as the NT AUTHORITY\SYSTEM user. This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

tags | exploit, local, code execution
systems | windows
advisories | CVE-2021-38085
SHA-256 | cba47a2c22f1ca9d11622a05f5196ad5f0cf5055087f98e8880fbd03d3be995d
Cisco IP Phone 11.7 Denial Of Service
Posted Apr 17, 2020
Authored by Jacob Baines

Cisco IP Phone version 11.7 denial of service proof of concept exploit.

tags | exploit, denial of service, proof of concept
systems | cisco
advisories | CVE-2020-3161
SHA-256 | 91023709bd06cb09c03533c7926183d762565f1ac3417ed227ca0ea133cc7045
Amcrest Dahua NVR Camera IP2M-841 Denial Of Service
Posted Apr 8, 2020
Authored by Jacob Baines

Amcrest Dahua NVR Camera IP2M-841 denial of service proof of concept exploit.

tags | exploit, denial of service, proof of concept
advisories | CVE-2020-5735
SHA-256 | b6300eb6dc0f7f07a90363c157630dcfcdcbf7b6e70a052d91c4c38aa8ce95ae
Grandstream UCM6200 Series CTI Interface SQL Injection
Posted Mar 31, 2020
Authored by Jacob Baines

Grandstream UCM6200 Series CTI Interface versions 1.0.20.20 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2020-5726
SHA-256 | fcf24eefeddb201c346536166ab265e01a1416b56845436fbce588e35ef4d37b
Grandstream UCM6200 Series WebSocket 1.0.20.20 SQL Injection
Posted Mar 31, 2020
Authored by Jacob Baines

Grandstream UCM6200 Series WebSocket versions 1.0.20.20 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2020-5725
SHA-256 | dbde0cbce4402b656e10575e77f62e63150d1c5371532197da758fe2d6e3a6a0
UCM6202 1.0.18.13 Remote Command Injection
Posted Mar 24, 2020
Authored by Jacob Baines

UCM6202 version 1.0.18.13 suffers from a remote command injection vulnerability.

tags | exploit, remote
advisories | CVE-2020-5722
SHA-256 | e44ddf6cc3933c936f1c38067b878120ae2306e3195079e894790e916bce59f5
Barco WePresent file_transfer.cgi Command Injection
Posted Jan 14, 2020
Authored by Jacob Baines | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command injection vulnerability found in Barco WePresent and related OEM'ed products. The vulnerability is triggered via an HTTP POST request to the file_transfer.cgi endpoint.

tags | exploit, remote, web, cgi
advisories | CVE-2019-3929
SHA-256 | 30e838ce81c07ffc6eb59ae667a49dfa96e48b0d99660dc1f80dedd7f8c19b0b
MikroTik RouterOS 6.45.6 DNS Cache Poisoning
Posted Oct 31, 2019
Authored by Jacob Baines

MikroTik RouterOS version 6.45.6 DNS cache poisoning exploit.

tags | exploit
advisories | CVE-2019-3978
SHA-256 | a383237105abf2d8cd196092df38ab74a7bb21e90a231ec004bccdee62539d22
Amcrest Cameras 2.520.AC00.18.R Unauthenticated Audio Streaming
Posted Jul 30, 2019
Authored by Jacob Baines

Amcrest Cameras version 2.520.AC00.18.R suffers from an authentication bypass vulnerability allowing an attacker to retrieve audio streams.

tags | exploit, bypass
advisories | CVE-2019-3948
SHA-256 | 34cf3ecd349123700d9ee80c886a5fee2647aec2c36415ca9f6b58690d283c65
Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection
Posted May 3, 2019
Authored by Jacob Baines

Barco/AWIND OEM presentation platform suffers from an unauthenticated command injection vulnerability. Products affected include Crestron AM-100 1.6.0.2, Crestron AM-101 2.7.0.1, Barco wePresent WiPG-1000P 2.3.0.10, Barco wePresent WiPG-1600W before 2.4.1.19, Extron ShareLink 200/250 2.0.3.4, Teq AV IT WIPS710 1.1.0.7, InFocus LiteShow3 1.0.16, InFocus LiteShow4 2.0.0.7, Optoma WPS-Pro 1.0.0.5, Blackbox HD WPS 1.0.0.5, and SHARP PN-L703WA 1.4.2.3.

tags | exploit
advisories | CVE-2019-3929
SHA-256 | 07b81e3cae3917d99f37f08436aa15f487678be25518d0efca86b85ce630d94b
QNAP Netatalk Authentication Bypass
Posted Apr 5, 2019
Authored by Jacob Baines

QNAP Netatalk versions prior to 3.1.12 suffer from an authentication bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2018-1160
SHA-256 | 8726f3f9ab38929e4a013f5be7d72ab568578d6f058e4d2bc011093bdde53d91
Oracle Weblogic Server Deserialization RMI UnicastRef Remote Code Execution
Posted Apr 2, 2019
Authored by Jacob Baines, Aaron Soto, Andres Rodriguez | Site metasploit.com

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (sun.rmi.server.UnicastRef) to the interface to execute code on vulnerable hosts.

tags | exploit
advisories | CVE-2017-3248
SHA-256 | 7689bd250f236540a89962c75e10662698d550e3295c7ffa517147b01022d81f
Oracle Weblogic Server Deserialization MarshalledObject Remote Code Execution
Posted Apr 1, 2019
Authored by Jacob Baines, Aaron Soto, Andres Rodriguez | Site metasploit.com

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (weblogic.corba.utils.MarshalledObject) to the interface to execute code on vulnerable hosts.

tags | exploit
advisories | CVE-2016-3510
SHA-256 | 34887ed78f437dc71b9a27e469d90d560f20f0a52702a9df664219aa2a18b0f2
MikroTik RouterOS Firewall / NAT Bypass
Posted Feb 21, 2019
Authored by Jacob Baines

MikroTik RouterOS versions prior to 6.43.12 (stable) and 6.42.12 (long-term) firewall and NAT bypass exploit.

tags | exploit
advisories | CVE-2019-3924
SHA-256 | 76d8b41f9f478dd81cf50cfdd51f6592ff6a23a044fbd5ad0d719cc3c7cef3ac
Indusoft Web Studio 8.1 SP2 Remote Code Execution
Posted Feb 11, 2019
Authored by Jacob Baines

Indusoft Web Studio version 8.1 SP2 suffers from a remote code execution vulnerability.

tags | exploit, remote, web, code execution
advisories | CVE-2019-6543, CVE-2019-6545
SHA-256 | 172f1b393e16e90073a60eec389b5293b0c2c8c938d22107e508e058a1be074b
Netatalk Authentication Bypass
Posted Dec 21, 2018
Authored by Jacob Baines

Netatalk versions prior to 3.1.12 suffer from an authentication bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2018-1160
SHA-256 | 51cc419b02f4835a42ebe3c7b66a61c51ecb13389b696f0f310e6231976a1021
Mikrotik RouterOS Remote Root
Posted Oct 10, 2018
Authored by Jacob Baines

Mikrotik RouterOS versions 6.x suffer from a remote root code execution vulnerability.

tags | exploit, remote, root, code execution
advisories | CVE-2018-14847
SHA-256 | 3f8c52b062ca67ece824e00c875d47df8ead0831abf8803a9a4a87310336aa60
NUUO NVRMini2 3.8 Buffer Overflow
Posted Sep 19, 2018
Authored by Jacob Baines

NUUO NVRMini2 version 3.8 cgi_system buffer overflow exploit.

tags | exploit, overflow
SHA-256 | 2b0345e406aa5762d5b5e8b4a9fd8928fea8a9d53b01a3a7edc11adbd2ae76a5
HP Jetdirect Path Traversal Arbitrary Code Execution
Posted Aug 27, 2018
Authored by Jacob Baines | Site metasploit.com

This Metasploit module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. A large amount of printers are impacted.

tags | exploit, arbitrary, shell, code execution
advisories | CVE-2017-2741
SHA-256 | 6d49ac5c1a048f446f5501a2e5655bb13c4c90e6dff4cd28f9778208c5d72b62
HP PageWide / OfficeJet Pro Printers Arbitrary Code Execution
Posted Jun 14, 2017
Authored by Jacob Baines

HP PageWide and OfficeJet Pro printers suffer from an arbitrary code execution vulnerability.

tags | exploit, arbitrary, code execution
advisories | CVE-2017-2741
SHA-256 | 91426efc1ea9b5567578ab07e24060f0e45244531fccf1964663513d66da7575
Apache OpenMeetings 3.1.0 Remote Code Execution
Posted Nov 14, 2016
Authored by Jacob Baines

Apache OpenMeetings version 3.1.0 is vulnerable to remote code execution via an RMI deserialization attack.

tags | advisory, remote, code execution
advisories | CVE-2016-8736
SHA-256 | 14fd835d407717498ac3649c3d80122d8fe17e038241b3a0f82cdc72ae90739e
Page 1 of 2
Back12Next

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close