exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 9 of 9 RSS Feed

Files from Orange Tsai

First Active2013-09-09
Last Active2022-05-02
WSO Arbitrary File Upload / Remote Code Execution
Posted May 2, 2022
Authored by Orange Tsai, wvu, hakivvi, Jack Heysel | Site metasploit.com

This Metasploit module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

tags | exploit, remote, code execution, file upload
advisories | CVE-2022-29464
SHA-256 | 7bdab9b3101da4ba2df8ff1f6a558171e4d8a503d4d44bcbaf0347587fa69a4d
Jenkins Remote Code Execution
Posted Apr 20, 2022
Authored by Orange Tsai | Site github.com

Jenkins exploit that chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 to a more reliable and elegant pre-auth remote code execution. Jenkins versions below 2.138 are affected.

tags | exploit, remote, code execution
advisories | CVE-2018-1000861, CVE-2019-1003005, CVE-2019-1003029
SHA-256 | 88ba245224ecb5e377bcb871672d6537579b9aeac8cedbca083b7f571fa1faea
Samba VFS Heap Out-Of-Bounds Read / Write
Posted Feb 2, 2022
Authored by Orange Tsai | Site samba.org

All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.

tags | advisory, remote, arbitrary, root
advisories | CVE-2021-44142
SHA-256 | 6ba7846654bf7c08a244dc803a03a08db25b7266912db0c581e64adf257781a6
Microsoft Exchange ProxyShell Remote Code Execution
Posted Aug 20, 2021
Authored by Spencer McIntyre, Orange Tsai, wvu, Ramella Sebastien, Jang, PeterJson, brandonshi123 | Site metasploit.com

This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2021-31207, CVE-2021-34473, CVE-2021-34523
SHA-256 | b555cd3b9862ec567195ff3003e6dc453483630a7c663ee17d582778c11dbf59
Microsoft Exchange ProxyLogon Remote Code Execution
Posted Mar 23, 2021
Authored by Orange Tsai, mekhalleh, Jang, lotusdll | Site metasploit.com

This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication, impersonating as the admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get the RCE (Remote Code Execution). By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 Versions less than 15.00.1497.012, Exchange 2016 CU18 less than 15.01.2106.013, Exchange 2016 CU19 less than 15.01.2176.009, Exchange 2019 CU7 less than 15.02.0721.013, and Exchange 2019 CU8 less than 15.02.0792.010. All components are vulnerable by default.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2021-26855, CVE-2021-27065
SHA-256 | 8d10a6f462db1c384d95aaac3ccd5096fe1f2900acfdd10d4d8f6104dd67ec68
MobileIron MDM Hessian-Based Java Deserialization Remote Code Execution
Posted Jan 25, 2021
Authored by Orange Tsai, wvu, iamnoooob, rootxharsh | Site metasploit.com

This Metasploit module exploits an ACL bypass in MobileIron MDM products to execute a Groovy gadget against a Hessian-based Java deserialization endpoint.

tags | exploit, java
advisories | CVE-2020-15505
SHA-256 | 5c0db542beea98b42c60393d60ff136e823dca9b8c1933fb194541ebcc3d1e48
Pulse Secure VPN Arbitrary Command Execution
Posted Nov 12, 2019
Authored by Orange Tsai, wvu, Meh Chang | Site metasploit.com

This Metasploit module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.

tags | exploit, arbitrary, root
advisories | CVE-2019-11539
SHA-256 | 6674132172219a30d7cdc8c399117a3d4c424e9e997b7824e6b1a2c5163f1072
Jenkins ACL Bypass / Metaprogramming Remote Code Execution
Posted Mar 19, 2019
Authored by Orange Tsai, wvu | Site metasploit.com

This Metasploit module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. The ACL bypass gadget is specific to Jenkins versions 2.137 and below and will not work on later versions of Jenkins. Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.

tags | exploit
advisories | CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002
SHA-256 | 1fa7a0581a082a2a0c1e14681f05b88994d45c7f8daeb7fbed7b6dacc77b9a72
MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
Posted Sep 9, 2013
Authored by Peter Vreugdenhil, sinn3r, Orange Tsai | Site metasploit.com

In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it's trying to make a call to the object's SecurityContext virtual function at offset +0x70, which results a crash. An attacker can take advantage of this by first creating an CAnchorElement object, let it free, and then replace the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update.

tags | exploit, arbitrary, code execution
SHA-256 | 1c003b48b2f0c41a3c3ef91938ebd714d766a2510222a8c5b84652445ec8f591
Page 1 of 1
Back1Next

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close