exploit the possibilities
Showing 1 - 9 of 9 RSS Feed

Files from Markus Wulftange

First Active2013-06-22
Last Active2021-01-07
H2 Database 1.4.199 JNI Code Execution
Posted Jan 7, 2021
Authored by Markus Wulftange, 1F98D

H2 Database version 1.4.199 JNI code execution exploit. This exploit utilizes the Java Native Interface to load a a Java class without needing to use the Java Compiler.

tags | exploit, java, code execution
MD5 | 7ea784920011613c761867cc57ddb434
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization
Posted Oct 20, 2020
Authored by Spencer McIntyre, Oleksandr Mirosh, Markus Wulftange, Alvaro Munoz, Paul Taylor, Caleb Gross, straightblast | Site metasploit.com

This Metasploit module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 2020.3.915).

tags | exploit, asp
advisories | CVE-2017-11317, CVE-2019-18935
MD5 | 1681e42767479128abf9e29c90cc76ef
Liferay Portal Java Unmarshalling Remote Code Execution
Posted Apr 15, 2020
Authored by Markus Wulftange, wvu, Thomas Etrillard | Site metasploit.com

This Metasploit module exploits a Java unmarshalling vulnerability via JSONWS in Liferay Portal versions prior to 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.

tags | exploit, java
advisories | CVE-2020-7961
MD5 | a3748995cc709b3443e82aaf46013802
Telerik UI Remote Code Execution
Posted Dec 18, 2019
Authored by Markus Wulftange, Paul Taylor, Bishop Fox | Site know.bishopfox.com

The Telerik UI for ASP.NET AJAX insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software's underlying host.

tags | exploit, remote, arbitrary, code execution, asp
advisories | CVE-2019-18935
MD5 | 725661dfbd6f55841367cc547d0ba030
Bomgar Remote Support Unauthenticated Code Execution
Posted Jun 15, 2016
Authored by Markus Wulftange | Site metasploit.com

This Metasploit module exploits a vulnerability in the Bomgar Remote Support, which deserializes user provided data using PHP's unserialize method. By providing an specially crafted PHP serialized object, it is possible to write arbitrary data to arbitrary files. This effectively allows the execution of arbitrary PHP code in the context of the Bomgar Remote Support system user. To exploit the vulnerability, a valid Logging Session ID (LSID) is required. It consists of four key-value pairs (i. e., 'h=[...];l=[...];m=[...];t=[...]') and can be retrieved by an unauthenticated user at the end of the process of submitting a new issue via the 'Issue Submission' form. Versions before 15.1.1 are reported to be vulnerable.

tags | exploit, remote, arbitrary, php
advisories | CVE-2015-0935
MD5 | 6967187d9cc044d56dee179d177af71a
Symantec Endpoint Protection Manager Authentication Bypass / Code Execution
Posted Aug 17, 2015
Authored by Brandon Perry, Markus Wulftange | Site metasploit.com

This Metasploit module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities include an authentication bypass, a directory traversal and a privilege escalation to get privileged code execution.

tags | exploit, remote, shell, vulnerability, code execution
advisories | CVE-2015-1486, CVE-2015-1487, CVE-2015-1489
MD5 | 94d61c5829628370b82e3454cfc59b31
Symantec Endpoint Protection 12.1 Bypass / Privilege Escalation / SQL Injection
Posted Aug 1, 2015
Authored by Markus Wulftange

Symantec Endpoint Protection versions 12.1 prior to 12.1 RU6 MP1 suffer from bypass, file write/read, privilege escalation, remote SQL injection, and traversal vulnerabilities.

tags | advisory, remote, vulnerability, sql injection, bypass, file inclusion
advisories | CVE-2015-1492
MD5 | 17f90eab19f2dc644dd32170d8f4eb5e
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
Posted Dec 23, 2013
Authored by Markus Wulftange | Site metasploit.com

This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called SLICEUPLOAD functionality, which can be triggered by an unauthenticated user with a specially crafted HTTP request. This is exploited by this module to append the given commands to /redirect.cgi, which is a regular shell script file, and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed with versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.

tags | exploit, web, arbitrary, shell, cgi, root
advisories | CVE-2013-6955
MD5 | c2f7ccadd1aa8e6f7f9ba47191a96fb7
HP System Management Homepage JustGetSNMPQueue Command Injection
Posted Jun 22, 2013
Authored by sinn3r, Markus Wulftange | Site metasploit.com

This Metasploit module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. This results in arbitrary code execution under the context of SYSTEM. Please note: In order for the exploit to work, the victim must enable the 'tftp' command, which is the case by default for systems such as Windows XP, 2003, etc.

tags | exploit, web, arbitrary, code execution
systems | windows
advisories | CVE-2013-3576, OSVDB-94191
MD5 | 150f2eb8020c60de07a69561bb1fe7a6
Page 1 of 1

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    12 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    17 Files
  • 25
    Jan 25th
    34 Files
  • 26
    Jan 26th
    23 Files
  • 27
    Jan 27th
    24 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By