Showing 1 - 18 of 18

Files from wvu

First Active 2013-10-30
Last Active 2018-07-07
HP VAN SDN Controller Root Command Injection
Posted Jul 7, 2018
Authored by Matthew Bergin, wvu | Site

This Metasploit module exploits a hardcoded service token or default credentials in HPE VAN SDN Controller versions and below to execute a payload as root. A root command injection was discovered in the uninstall action's name parameter, obviating the need to use sudo for privilege escalation. If the service token option TOKEN is blank, USERNAME and PASSWORD will be used for authentication. An additional login request will be sent.

tags | exploit, root
MD5 | eec355d89388bd58e1fea9ab22452024
Drupal Drupalgeddon 2 Forms API Property Injection
Posted Apr 26, 2018
Authored by FireFart, wvu, Nixawk, a2u, Jasper Mattsson | Site

This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.

tags | exploit
advisories | CVE-2018-7600
MD5 | aff887450f5903c1a65d6723f30ba5b0
NETGEAR Magic telnetd Enabler
Posted Mar 4, 2018
Authored by wvu, insanid, Paul Gebheim | Site

This Metasploit module sends a magic packet to a NETGEAR device to enable telnetd. Upon successful connect, a root shell should be presented to the user.

tags | exploit, shell, root
MD5 | a7246c6e4e3c5142a9103cda8aa6e9d7
tnftp "savefile" Arbitrary Command Execution
Posted Nov 3, 2017
Authored by wvu, Jared McNeill | Site

This Metasploit module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.

tags | exploit, arbitrary
advisories | CVE-2014-8517
MD5 | b5f59581708e95b46c762d98b3d487b8
Apache Struts 2 REST Plugin XStream Remote Code Execution
Posted Sep 7, 2017
Authored by wvu, Man Yue Mo | Site

Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library.

tags | exploit, java
advisories | CVE-2017-9805
MD5 | 6a456689db4d683f7253fa4ce925f95c
WordPress PHPMailer Host Header Command Injection
Posted May 17, 2017
Authored by Dawid Golunski, wvu | Site

This Metasploit module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.

tags | exploit, spoof
advisories | CVE-2016-10033
MD5 | 79e346c62995359fee5570ce7b675572
Nagios XI Chained Remote Code Execution
Posted Jul 6, 2016
Authored by wvu, Francesco Oddo | Site

This Metasploit module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI <= 5.2.7 to pop a root shell.

tags | exploit, shell, root, sql injection, file upload
MD5 | f70bea86a23da44db72654aedbe0c274
Apache Continuum 1.4.2 Arbitrary Command Execution
Posted Jun 13, 2016
Authored by wvu, David Shanahan | Site

This Metasploit module exploits a command injection in Apache Continuum versions 1.4.2 and below. By injecting a command into the installation.varValue POST parameter to /continuum/saveInstallation.action, a shell can be spawned.

tags | exploit, shell
MD5 | 57fb6824280b02f68c4b6e7804594bda
Oracle ATS Arbitrary File Upload
Posted May 24, 2016
Authored by wvu, Zhou Yu | Site

This Metasploit module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version and unknown earlier versions, to upload and execute a JSP shell.

tags | exploit, arbitrary, shell, file upload
MD5 | 70475f3d47267994bd9b861afc21614b
Ubiquiti airOS Arbitrary File Upload
Posted May 24, 2016
Authored by wvu, 93c08539 | Site

This Metasploit module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "mf" malware infecting these devices.

tags | exploit, root, file upload
MD5 | e267290a4d5fe45ab492cc0d0ab34602
ImageMagick Delegate Arbitrary Command Execution
Posted May 6, 2016
Authored by wvu, Nikolay Ermishkin, hdm, stewie | Site

This Metasploit module exploits a shell command injection in the way "delegates" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. Tested on Linux, BSD, and OS X. You'll want to choose your payload carefully due to portability concerns. Use cmd/unix/generic if need be.

tags | exploit, shell
systems | linux, unix, bsd, apple, osx
MD5 | 673c4b90719c9b8a377e4c72d8396c29
Exim perl_startup Privilege Escalation
Posted Apr 14, 2016
Authored by Dawid Golunski, wvu | Site

This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 given the presence of the "perl_startup" configuration parameter.

tags | exploit, perl
MD5 | 1b3e86403723d9ae893f6c3110bbd0c2
Apache Jetspeed Arbitrary File Upload
Posted Mar 31, 2016
Authored by wvu, Andreas Lindh | Site

This Metasploit module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface beyond repair. No workaround has been found yet. Use this module at your own risk. No check will be implemented.

tags | exploit, web, shell, file upload
advisories | CVE-2016-0709, CVE-2016-0710
MD5 | 55991d9f8e870de6ba19c6811c89f66b
Mac OS X "tpwn" Privilege Escalation
Posted Aug 18, 2015
Authored by wvu, qwertyoruiop | Site

This Metasploit module exploits a null pointer dereference in XNU to escalate privileges to root. Tested on 10.10.4 and 10.10.5.

tags | exploit, root
MD5 | 6e8c73f8110ba4d80f3c15a6a4ea2f78
Mac OS X Rootpipe Privilege Escalation
Posted Apr 10, 2015
Authored by joev, wvu, Emil Kvarnhammar | Site

This Metasploit module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed Rootpipe. Tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.

tags | exploit, root
systems | apple, osx
advisories | CVE-2015-1130
MD5 | d58bceb05b3e631e2ed1aa2d3f0b76f8
Apache mod_cgi Bash Environment Variable Code Injection
Posted Sep 26, 2014
Authored by juan vazquez, wvu, Stephane Chazelas | Site

This Metasploit module exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.

tags | exploit, bash
advisories | CVE-2014-6271
MD5 | d996eb7acb549980a06d280bfa62f920
OpenSSL Heartbeat (Heartbleed) Information Leak
Posted Apr 10, 2014
Authored by Neel Mehta, juan vazquez, Christian Mehlmauer, wvu, Jared Stafford, Matti, Riku, Antti, FiloSottile | Site

This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.

tags | exploit
advisories | CVE-2014-0160
MD5 | 5e21c0cfcfe3a4db2ab5cf1b792b201d
Beetel Connection Manager NetConfig.ini Buffer Overflow
Posted Oct 30, 2013
Authored by metacom, wvu | Site

This Metasploit module exploits a stack-based buffer overflow on Beetel Connection Manager. The vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP SP3 and Windows 7 SP1.b.

tags | exploit, overflow
systems | windows, xp, 7
MD5 | 5eee60d18123b1614e05de36dca9f2aa

© 2018 Packet Storm. All rights reserved.
