This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices run FreeBSD, and every FreeBSD process can access its stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first is auto_prepend_file, which causes the provided file to be included as if by the require function. The second is allow_url_include, which allows the use of URL-aware fopen wrappers. With allow_url_include enabled, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline that includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. A datastore option, JAIL_BREAK, when set to true, steals the necessary tokens from a user authenticated to the J-Web application in order to overwrite the root password hash. If no user is authenticated to the J-Web application, this method will not work. The module then authenticates with the new root password over SSH and rewrites the original root password hash to /etc/master.passwd.
GitLab version 13.10.2 remote code execution exploit that provides a reverse shell.
SonicWall SMA version 10.2.1.0-17sv suffers from a remote password reset vulnerability.
Various Lexmark Universal Printer drivers, as listed in advisory TE953, allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\<driver name>\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, inspects the C:\ProgramData\<driver name>\Universal Color Laser.gdl file and loads the malicious DLL from the path specified in the file. This results in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it uses the prnmngr.vbs script to remove the printer it added.
Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll with a malicious DLL at the right time while the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs script is installing a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, which runs as NT AUTHORITY\SYSTEM, to load the malicious DLL. Successful exploitation grants attackers code execution as the NT AUTHORITY\SYSTEM user. This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required, since successful exploitation is time-sensitive.
Cisco IP Phone version 11.7 denial of service proof of concept exploit.
Amcrest Dahua NVR Camera IP2M-841 denial of service proof of concept exploit.
Grandstream UCM6200 Series CTI Interface versions 1.0.20.20 and below suffer from a remote SQL injection vulnerability.
Grandstream UCM6200 Series WebSocket versions 1.0.20.20 and below suffer from a remote SQL injection vulnerability.
Grandstream UCM6202 version 1.0.18.13 suffers from a remote command injection vulnerability.
This Metasploit module exploits an unauthenticated remote command injection vulnerability found in Barco WePresent and related OEM'ed products. The vulnerability is triggered via an HTTP POST request to the file_transfer.cgi endpoint.
MikroTik RouterOS version 6.45.6 DNS cache poisoning exploit.
Amcrest Cameras version 2.520.AC00.18.R suffers from an authentication bypass vulnerability allowing an attacker to retrieve audio streams.
Barco/AWIND OEM presentation platform suffers from an unauthenticated command injection vulnerability. Products affected include Crestron AM-100 1.6.0.2, Crestron AM-101 2.7.0.1, Barco wePresent WiPG-1000P 2.3.0.10, Barco wePresent WiPG-1600W before 2.4.1.19, Extron ShareLink 200/250 2.0.3.4, Teq AV IT WIPS710 1.1.0.7, InFocus LiteShow3 1.0.16, InFocus LiteShow4 2.0.0.7, Optoma WPS-Pro 1.0.0.5, Blackbox HD WPS 1.0.0.5, and SHARP PN-L703WA 1.4.2.3.
QNAP Netatalk versions prior to 3.1.12 suffer from an authentication bypass vulnerability.
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (sun.rmi.server.UnicastRef) to the interface to execute code on vulnerable hosts.
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (weblogic.corba.utils.MarshalledObject) to the interface to execute code on vulnerable hosts.
MikroTik RouterOS versions prior to 6.43.12 (stable) and 6.42.12 (long-term) firewall and NAT bypass exploit.
Indusoft Web Studio version 8.1 SP2 suffers from a remote code execution vulnerability.
Netatalk versions prior to 3.1.12 suffer from an authentication bypass vulnerability.
MikroTik RouterOS versions 6.x suffer from a remote root code execution vulnerability.
NUUO NVRMini2 version 3.8 cgi_system buffer overflow exploit.
This Metasploit module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script to /etc/profile.d, where it is loaded on startup. The printer is then restarted using SNMP. A large number of printers are impacted.
HP PageWide and OfficeJet Pro printers suffer from an arbitrary code execution vulnerability.
Apache OpenMeetings version 3.1.0 is vulnerable to remote code execution via an RMI deserialization attack.