Exploit the possiblities
Showing 1 - 15 of 15 RSS Feed

Files from wvu

First Active2013-10-30
Last Active2017-11-03
tnftp "savefile" Arbitrary Command Execution
Posted Nov 3, 2017
Authored by wvu, Jared McNeill | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.

tags | exploit, arbitrary
advisories | CVE-2014-8517
MD5 | b5f59581708e95b46c762d98b3d487b8
Apache Struts 2 REST Plugin XStream Remote Code Execution
Posted Sep 7, 2017
Authored by wvu, Man Yue Mo | Site metasploit.com

Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library.

tags | exploit, java
advisories | CVE-2017-9805
MD5 | 6a456689db4d683f7253fa4ce925f95c
WordPress PHPMailer Host Header Command Injection
Posted May 17, 2017
Authored by Dawid Golunski, wvu | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.

tags | exploit, spoof
advisories | CVE-2016-10033
MD5 | 79e346c62995359fee5570ce7b675572
Nagios XI Chained Remote Code Execution
Posted Jul 6, 2016
Authored by wvu, Francesco Oddo | Site metasploit.com

This Metasploit module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI <= 5.2.7 to pop a root shell.

tags | exploit, shell, root, sql injection, file upload
MD5 | f70bea86a23da44db72654aedbe0c274
Apache Continuum 1.4.2 Arbitrary Command Execution
Posted Jun 13, 2016
Authored by wvu, David Shanahan | Site metasploit.com

This Metasploit module exploits a command injection in Apache Continuum versions 1.4.2 and below. By injecting a command into the installation.varValue POST parameter to /continuum/saveInstallation.action, a shell can be spawned.

tags | exploit, shell
MD5 | 57fb6824280b02f68c4b6e7804594bda
Oracle ATS Arbitrary File Upload
Posted May 24, 2016
Authored by wvu, Zhou Yu | Site metasploit.com

This Metasploit module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell.

tags | exploit, arbitrary, shell, file upload
MD5 | 70475f3d47267994bd9b861afc21614b
Ubiquiti airOS Arbitrary File Upload
Posted May 24, 2016
Authored by wvu, 93c08539 | Site metasploit.com

This Metasploit module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "mf" malware infecting these devices.

tags | exploit, root, file upload
MD5 | e267290a4d5fe45ab492cc0d0ab34602
ImageMagick Delegate Arbitrary Command Execution
Posted May 6, 2016
Authored by wvu, Nikolay Ermishkin, hdm, stewie | Site metasploit.com

This Metasploit module exploits a shell command injection in the way "delegates" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. Tested on Linux, BSD, and OS X. You'll want to choose your payload carefully due to portability concerns. Use cmd/unix/generic if need be.

tags | exploit, shell
systems | linux, unix, bsd, apple, osx
MD5 | 673c4b90719c9b8a377e4c72d8396c29
Exim perl_startup Privilege Escalation
Posted Apr 14, 2016
Authored by Dawid Golunski, wvu | Site metasploit.com

This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 given the presence of the "perl_startup" configuration parameter.

tags | exploit, perl
MD5 | 1b3e86403723d9ae893f6c3110bbd0c2
Apache Jetspeed Arbitrary File Upload
Posted Mar 31, 2016
Authored by wvu, Andreas Lindh | Site metasploit.com

This Metasploit module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface beyond repair. No workaround has been found yet. Use this module at your own risk. No check will be implemented.

tags | exploit, web, shell, file upload
advisories | CVE-2016-0709, CVE-2016-0710
MD5 | 55991d9f8e870de6ba19c6811c89f66b
Mac OS X "tpwn" Privilege Escalation
Posted Aug 18, 2015
Authored by wvu, qwertyoruiop | Site metasploit.com

This Metasploit module exploits a null pointer dereference in XNU to escalate privileges to root. Tested on 10.10.4 and 10.10.5.

tags | exploit, root
MD5 | 6e8c73f8110ba4d80f3c15a6a4ea2f78
Mac OS X Rootpipe Privilege Escalation
Posted Apr 10, 2015
Authored by joev, wvu, Emil Kvarnhammar | Site metasploit.com

This Metasploit module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed Rootpipe. Tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.

tags | exploit, root
systems | apple, osx
advisories | CVE-2015-1130
MD5 | d58bceb05b3e631e2ed1aa2d3f0b76f8
Apache mod_cgi Bash Environment Variable Code Injection
Posted Sep 26, 2014
Authored by juan vazquez, wvu, Stephane Chazelas | Site metasploit.com

This Metasploit module exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.

tags | exploit, bash
advisories | CVE-2014-6271
MD5 | d996eb7acb549980a06d280bfa62f920
OpenSSL Heartbeat (Heartbleed) Information Leak
Posted Apr 10, 2014
Authored by Neel Mehta, juan vazquez, Christian Mehlmauer, wvu, Jared Stafford, Matti, Riku, Antti, FiloSottile | Site metasploit.com

This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.

tags | exploit
advisories | CVE-2014-0160
MD5 | 5e21c0cfcfe3a4db2ab5cf1b792b201d
Beetel Connection Manager NetConfig.ini Buffer Overflow
Posted Oct 30, 2013
Authored by metacom, wvu | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow on Beetel Connection Manager. The vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP SP3 and Windows 7 SP1.b.

tags | exploit, overflow
systems | windows, xp, 7
MD5 | 5eee60d18123b1614e05de36dca9f2aa
Page 1 of 1
Back1Next

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close