exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 18 of 18 RSS Feed

Files from Ron Bowes

First Active2009-05-21
Last Active2023-10-02
Juniper SRX Firewall / EX Switch Remote Code Execution
Posted Oct 2, 2023
Authored by Ron Bowes, Jacob Baines, jheysel-r7 | Site metasploit.com

This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.

tags | exploit, web, root, php, protocol
systems | freebsd, bsd, juniper
advisories | CVE-2023-36845
SHA-256 | 23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517
Sonicwall GMS 9.9.9320 Remote Code Execution
Posted Sep 8, 2023
Authored by Ron Bowes, fulmetalpackets | Site metasploit.com

This Metasploit module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions 9.9.9320 and below.

tags | exploit, remote, shell, vulnerability, code execution, sql injection
advisories | CVE-2023-34124, CVE-2023-34127, CVE-2023-34132, CVE-2023-34133
SHA-256 | 90d7acef05664be1e0b28da7f711f5c30f094179ef8916c47f28a2418a07056e
Citrix ADC (NetScaler) Remote Code Execution
Posted Aug 4, 2023
Authored by Ron Bowes, Spencer McIntyre, Douglass McKee | Site metasploit.com

A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.

tags | exploit, remote, web, overflow, root, code execution
advisories | CVE-2023-3519
SHA-256 | 94d1415f6fe455813346e8f6de25a1fa7b5b88484ea770a8bc9b669e25457a13
Rocket Software Unidata udadmin_server Authentication Bypass
Posted Apr 12, 2023
Authored by Ron Bowes | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server. This affects versions of UniData prior to 8.2.4 build 3003. This service typically runs as root. It accepts a username of ":local:" and a password in the form of "<username>:<uid>:<gid>", where username and uid must be a valid account, but gid can be anything except 0. This exploit takes advantage of this login account to authenticate as a chosen user and run an arbitrary command (using the built-in OsCommand message).

tags | exploit, arbitrary, local, root, bypass
systems | linux
advisories | CVE-2023-28503
SHA-256 | a072b9a39317b3843159b4f19550be453c524b06398e48145609bb5afa1a4475
Rocket Software Unidata 8.2.4 Build 3003 Buffer Overflow
Posted Apr 12, 2023
Authored by Ron Bowes | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server, which runs as root. This vulnerability affects UniData versions 8.2.4 build 3003 and earlier (for Linux), but this module specifically targets UniData version 8.2.4 build 3001. Other versions will crash the forked process, but will not otherwise affect the RPC server. The username and password fields are copied to a stack-based buffer using a function that's equivalent to strcpy() (ie, has no bounds checking). Additionally, the password field is encoded in such a way that we can include NUL bytes.

tags | exploit, root, bypass
systems | linux
advisories | CVE-2023-28502
SHA-256 | 573fc6e16c91d795c9424c33a9909a1277e50ad02e08eb5886ceb1a2e2610251
Fortra GoAnywhere MFT Unsafe Deserialization Remote Code Execution
Posted Feb 9, 2023
Authored by Ron Bowes | Site metasploit.com

This Metasploit module exploits an object deserialization vulnerability in Fortra GoAnywhere MFT.

tags | exploit
advisories | CVE-2023-0669
SHA-256 | 051497e68329329350b8fed17a087b6d124609bf8c23ea52d28ac047e63c6038
F5 Big-IP Create Administrative User
Posted Feb 3, 2023
Authored by Ron Bowes | Site metasploit.com

This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.

tags | exploit, local, root, vulnerability
advisories | CVE-2022-41622, CVE-2022-41800
SHA-256 | ec59a3d52e4d78cf9bacb372140fcd5f2f2c8928aed87fa348ad1aed6d0bcde0
F5 BIG-IP iControl Remote Command Execution
Posted Nov 24, 2022
Authored by Ron Bowes | Site metasploit.com

This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.

tags | exploit, remote, root, code execution
advisories | CVE-2022-41800
SHA-256 | ab0811cdeca1e7b40855fbeb9922d915dac86f0ccb16efdb3855d5d39ebf43ac
F5 BIG-IP iControl Cross Site Request Forgery
Posted Nov 21, 2022
Authored by Ron Bowes | Site metasploit.com

This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.

tags | exploit, web, arbitrary, root, csrf
advisories | CVE-2022-41622
SHA-256 | 0942abdee0725fc32a285ecb9a23fb1bfe3ecc058946e6d59dda0de6b91cbca4
Zimbra Collaboration Suite TAR Path Traversal
Posted Oct 20, 2022
Authored by Ron Bowes, Alexander Cherepanov, yeak | Site metasploit.com

This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions Zimbra Collaboration Suite 9.0.0 Patch 26 and below and Zimbra Collaboration Suite 8.8.15 Patch 33 and below.

tags | exploit, web, arbitrary
systems | linux, redhat
advisories | CVE-2015-1197, CVE-2022-41352
SHA-256 | ce92bc8cd0b896bbf1bbebcee5677a9a8619813aaba32b6be0cfc98fba18d5b5
Zimbra Privilege Escalation
Posted Oct 19, 2022
Authored by Ron Bowes, EvergreenCartoons | Site metasploit.com

This Metasploit module exploits a vulnerable sudo configuration that permits the Zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shellscripts, which means it can execute a root shell.

tags | exploit, arbitrary, shell, root
advisories | CVE-2022-3569
SHA-256 | 60ec0dcab5b58dbebac7ed6c99c5cf1fb52f76e5b1a5f3723089e823fc252948
Bitbucket Git Command Injection
Posted Sep 22, 2022
Authored by Ron Bowes, Shelby Pace, Jang, TheGrandPew | Site metasploit.com

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

tags | exploit, arbitrary
advisories | CVE-2022-36804
SHA-256 | b243d8611790a90b192551fc326eb12be22c5ca700eb91be1d60e366f9f665cb
Zimbra Zip Path Traversal
Posted Aug 24, 2022
Authored by Ron Bowes, Volexity Threat Research, Yang_99s Nest | Site metasploit.com

This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.

tags | exploit, web, arbitrary
advisories | CVE-2022-27925, CVE-2022-37042
SHA-256 | d58f4c7d7dbb0ee3b34e5a5a98ecaa59aa1118d324973a875b3ee85a53d569d4
Zimbra zmslapd Privilege Escalation
Posted Aug 10, 2022
Authored by Ron Bowes, Darren Martyn | Site metasploit.com

This Metasploit module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.

tags | exploit, arbitrary, root
advisories | CVE-2022-37393
SHA-256 | 1f2fa01d64e190544e661f442158ebf1f08cb719c08299334a3fc484cc386cd2
ManageEngine ADAudit Plus Path Traversal / XML Injection
Posted Aug 8, 2022
Authored by Ron Bowes, Naveen Sunkavally | Site metasploit.com

This Metasploit module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060. They include a path traversal in the /cewolf endpoint along with a blind XML external entity injection vulnerability to upload and execute a file.

tags | exploit, vulnerability
advisories | CVE-2022-28219
SHA-256 | 19ca84f8e53083cacedb632dc26e16f78047ee8e6573a717d22be7336e613cdb
Zimbra UnRAR Path Traversal
Posted Aug 5, 2022
Authored by Ron Bowes, Simon Scannell | Site metasploit.com

This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.

tags | exploit, web, arbitrary
systems | linux
advisories | CVE-2022-30333
SHA-256 | ca0f5b8e2038241415fba603b901534752f2529d4c8d1c1134f97e76d1935fef
F5 BIG-IP iControl Remote Code Execution
Posted May 12, 2022
Authored by Alt3kx, Ron Bowes, Heyder Andrade, James Horseman | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.

tags | exploit, remote, root, code execution, bash, bypass
advisories | CVE-2022-1388
SHA-256 | bb3a5bef34f53053f0da7eec9cad038bc4f47a0997b2e9cd601a17a1f034a0ad
Microsoft IIS 6.0 WebDAV Bypass
Posted May 21, 2009
Authored by Andrew Orr, Ron Bowes | Site skullsecurity.org

Remote authentication bypass exploit for the WebDAV vulnerability in Microsoft IIS 6.0.

tags | exploit, remote, bypass
SHA-256 | 58794bad254c95a52a4aff02ec52eb753d9e24ebc75be5de3d39aa371b956db2
Page 1 of 1
Back1Next

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close