This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.
23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517GitLab version 13.10.2 remote code execution exploit that provides a reverse shell.
a3816f4a73b68abc9aa497e0982428e2bde3d7b0a005094907ca8484d9f39f60SonicWall SMA version 10.2.1.0-17sv suffers from a remote password reset vulnerability.
1d7256a24120e085899614766e31ffce8d24fab7f97df961712c94b274e8994dVarious Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\<driver name>\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, will inspect the C:\ProgramData\<driver name>\Universal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.
db241e26cf8e485cbeaa7d359e18c68f4083f5cbe8615e284394323a682200d8Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation will grant attackers code execution as the NT AUTHORITY\SYSTEM user. This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.
cba47a2c22f1ca9d11622a05f5196ad5f0cf5055087f98e8880fbd03d3be995dCisco IP Phone version 11.7 denial of service proof of concept exploit.
91023709bd06cb09c03533c7926183d762565f1ac3417ed227ca0ea133cc7045Amcrest Dahua NVR Camera IP2M-841 denial of service proof of concept exploit.
b6300eb6dc0f7f07a90363c157630dcfcdcbf7b6e70a052d91c4c38aa8ce95aeGrandstream UCM6200 Series CTI Interface versions 1.0.20.20 and below suffer from a remote SQL injection vulnerability.
fcf24eefeddb201c346536166ab265e01a1416b56845436fbce588e35ef4d37bGrandstream UCM6200 Series WebSocket versions 1.0.20.20 and below suffer from a remote SQL injection vulnerability.
dbde0cbce4402b656e10575e77f62e63150d1c5371532197da758fe2d6e3a6a0UCM6202 version 1.0.18.13 suffers from a remote command injection vulnerability.
e44ddf6cc3933c936f1c38067b878120ae2306e3195079e894790e916bce59f5This Metasploit module exploits an unauthenticated remote command injection vulnerability found in Barco WePresent and related OEM'ed products. The vulnerability is triggered via an HTTP POST request to the file_transfer.cgi endpoint.
30e838ce81c07ffc6eb59ae667a49dfa96e48b0d99660dc1f80dedd7f8c19b0bMikroTik RouterOS version 6.45.6 DNS cache poisoning exploit.
a383237105abf2d8cd196092df38ab74a7bb21e90a231ec004bccdee62539d22Amcrest Cameras version 2.520.AC00.18.R suffers from an authentication bypass vulnerability allowing an attacker to retrieve audio streams.
34cf3ecd349123700d9ee80c886a5fee2647aec2c36415ca9f6b58690d283c65Barco/AWIND OEM presentation platform suffers from an unauthenticated command injection vulnerability. Products affected include Crestron AM-100 1.6.0.2, Crestron AM-101 2.7.0.1, Barco wePresent WiPG-1000P 2.3.0.10, Barco wePresent WiPG-1600W before 2.4.1.19, Extron ShareLink 200/250 2.0.3.4, Teq AV IT WIPS710 1.1.0.7, InFocus LiteShow3 1.0.16, InFocus LiteShow4 2.0.0.7, Optoma WPS-Pro 1.0.0.5, Blackbox HD WPS 1.0.0.5, and SHARP PN-L703WA 1.4.2.3.
07b81e3cae3917d99f37f08436aa15f487678be25518d0efca86b85ce630d94bQNAP Netatalk versions prior to 3.1.12 suffer from an authentication bypass vulnerability.
8726f3f9ab38929e4a013f5be7d72ab568578d6f058e4d2bc011093bdde53d91An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (sun.rmi.server.UnicastRef) to the interface to execute code on vulnerable hosts.
7689bd250f236540a89962c75e10662698d550e3295c7ffa517147b01022d81fAn unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (weblogic.corba.utils.MarshalledObject) to the interface to execute code on vulnerable hosts.
34887ed78f437dc71b9a27e469d90d560f20f0a52702a9df664219aa2a18b0f2MikroTik RouterOS versions prior to 6.43.12 (stable) and 6.42.12 (long-term) firewall and NAT bypass exploit.
76d8b41f9f478dd81cf50cfdd51f6592ff6a23a044fbd5ad0d719cc3c7cef3acIndusoft Web Studio version 8.1 SP2 suffers from a remote code execution vulnerability.
172f1b393e16e90073a60eec389b5293b0c2c8c938d22107e508e058a1be074bNetatalk versions prior to 3.1.12 suffer from an authentication bypass vulnerability.
51cc419b02f4835a42ebe3c7b66a61c51ecb13389b696f0f310e6231976a1021Mikrotik RouterOS versions 6.x suffer from a remote root code execution vulnerability.
3f8c52b062ca67ece824e00c875d47df8ead0831abf8803a9a4a87310336aa60NUUO NVRMini2 version 3.8 cgi_system buffer overflow exploit.
2b0345e406aa5762d5b5e8b4a9fd8928fea8a9d53b01a3a7edc11adbd2ae76a5This Metasploit module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. A large amount of printers are impacted.
6d49ac5c1a048f446f5501a2e5655bb13c4c90e6dff4cd28f9778208c5d72b62HP PageWide and OfficeJet Pro printers suffer from an arbitrary code execution vulnerability.
91426efc1ea9b5567578ab07e24060f0e45244531fccf1964663513d66da7575Apache OpenMeetings version 3.1.0 is vulnerable to remote code execution via an RMI deserialization attack.
14fd835d407717498ac3649c3d80122d8fe17e038241b3a0f82cdc72ae90739e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed