This Metasploit module exploits an authentication bypass in libssh server code where a USERAUTH_SUCCESS message is sent in place of the expected USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 are vulnerable. Note that this modules success depends on whether the server code can trigger the correct (shell/exec) callbacks despite only the state machines authenticated state being set. Therefore, you may or may not get a shell if the server requires additional code paths to be followed.
cde91faaf9388b718ce891cfb99941d6d0d6c0ea49e71e81ac203c8bf86be937This Metasploit module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.
1ffbd9886232ee7c1bbcfa4f8a71da9745e371936b0cb186036866d08b29bde5This Metasploit module scans for the Fortinet SSH backdoor.
29ba52cc385c46ba1a14c7c07c3609f6bc5abc288cf151e9e78dc8cd16d6f6acThis Metasploit module exploits a content injection vulnerability in WordPress versions 4.7 and 4.7.1 via type juggling in the REST API.
35efc2914bc816e6b091647b7b6913097ac344b4c170ed5b0155d5c2b448d658This Metasploit module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This Metasploit module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.
87c833264ee49ea156b8462740c64928a943a3c37c5f3d9c388659dfaa1d03a0This Metasploit module will extract the passwords from address books on various Canon IR-Adv mfp devices. Tested models: iR-ADV C2030, iR-ADV 4045, iR-ADV C5030, iR-ADV C5235, iR-ADV C5240, iR-ADV 6055, iR-ADV C7065.
0582d21326a0606af41d486725288c35c4b40bd3a60ff4db829c637166baa8e6This Metasploit module detects VxWorks and the IPnet IP stack, along with devices vulnerable to CVE-2019-12258.
6f4e528ea0cb7372e3bdf497488748f966e28e300b72e0d74701650b47070ef8This Metasploit module exploits an unauthenticated remote file inclusion which exists in Supra Smart Cloud TV. The media control for the device doesnt have any session management or authentication. Leveraging this, an attacker on the local network can send a crafted request to broadcast a fake video.
4f628334a1d4a905d86ed3e418a091bc45e99144a8e83f1ac6d4d534bdfe0adfThis Metasploit module bypasses LDAP authentication in VMware vCenter Servers vmdir service to add an arbitrary administrator user. Version 6.7 prior to the 6.7U3f update is vulnerable, only if upgraded from a previous release line, such as 6.0 or 6.5. Note that it is also possible to provide a bind username and password to authenticate if the target is not vulnerable. It will add an arbitrary administrator user the same way.
7a7fd73d7bbbeb14f0c845a71c89c324bdb28e63ab5cdecf8020da8a44a15e8aThis Metasploit module discloses the NIS domain name from bootparamd. You must know a client address from the targets bootparams file. Hint: try hosts within the same network range as the target.
032207ea0aee88f1156d7b493201d4bf12041304c67f91dbb7c1df8fec2f8448This Metasploit module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server version 6.7 prior to the 6.7U3f update, only if upgraded from a previous release line, such as 6.0 or 6.5. If the bind username and password are provided (BIND_DN and BIND_PW options), these credentials will be used instead of attempting an anonymous bind.
f9159afd722a0024de174ba2c1275242941f2daf990c180faba72bd933c96c0bThis Metasploit module exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the BOFs. Since the server forks, blind remote exploitation is possible, provided the heap does not have ASLR.
95c0e11fc546ab62299c2204c0f7af71c9e0fb6c816a661a92afe279a76f00e3This Metasploit module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the "Automatic" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the "DSIG" browser cookie to a valid session ID. For the "Manual" action, please specify a file to dump via the "FILE" option. /etc/passwd will be dumped by default. If the "PRINT" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.
9434228fa1dc2af2393abd6886ea6161415b95086765f63406754e8064f448e0This Metasploit module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt masters ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhubs Docker image.
9922c0377155419e922dea1399b39d3294fb61f540d20cfa4ae9f6df4566e2ceThis Metasploit module sends a malformed TKEY query, which exploits an error in handling TKEY queries on affected BIND9 named DNS servers. As a result, a vulnerable named server will exit with a REQUIRE assertion failure. This condition can be exploited in versions of BIND between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0 through 9.10.2-P2.
1dd13b33ea021a682e97faa07baead4833823e473a61eb1e0ca390a8734fb5d8This Metasploit module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMSH). The escape may not be reliable, and you may have to run the exploit multiple times. Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4. Tested against the VMware OVA release of 14.1.2.
9f3da84fe52bba475dcd0252ca14c6e0af76dd98df5d1edaaccc7c9a737db2bbThis Metasploit module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access, to execute shell commands as the horizon user.
bf4114fce190a8b9bc1f2bfc2013620b04b05e7030c7cc59f3d685b8db2038b1This Metasploit module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
7bdab9b3101da4ba2df8ff1f6a558171e4d8a503d4d44bcbaf0347587fa69a4dThis Metasploit module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.
244ae2538bc9ec8f90e308561999a95ddf997764203cb31dbd2e32b039b73273This Metasploit module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.
258a080b77eaface80577b4886f47493eafef016bf16d63a1567107d6f5b76cdThis Metasploit module exploits an SID-based command injection in Sophos UTM's WebAdmin interface to execute shell commands as the root user.
e60408784254ddfee031c720b657d15c09df5d27e903311833f4a7f181588725By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).
fdef0aef0e912b6be1749a8d91235a8ce5f95d8c64ee36efaa66917951a81206This Metasploit module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. CEIP is enabled by default.
036b2591e4ef8beb3558c821f06ea5bf7c27f8226edd7019163d2a719de158acThis Metasploit module exploits an OGNL injection in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.
78b308738c153a19545165ba47b4b15d6c0473eedcb99a8170d7a8e03183480aThis Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.
b555cd3b9862ec567195ff3003e6dc453483630a7c663ee17d582778c11dbf59
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed