This Metasploit module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0 to download files from the affected host. A valid file path is needed to download a file. Fortunately, Ulterius indexes every file on the system, which can be stored in the following location: http://ulteriusURL:port/.../fileIndex.db. This Metasploit module can download and parse the fileIndex.db file. There is also an option to download a file using a provided path.
cd70f22598142588606027c73868f1ac64b24271fab3bf802b0942f783735576
This Metasploit modules exploits unauthenticated REST API requests in GitStack through v2.3.10. The module supports requests for listing users of the application and listing available repositories. Additionally, the module can create a user and add the user to the applications repositories. This Metasploit module has been tested against GitStack v2.3.10.
9c42f5f230d90c174810268b0beac5ce6dae1160eced3fca962ef937bce0e330
This Metasploit module retrieves masthead, site, and available package information from IBM BigFix Relay Servers.
0b7bd2a7349296cdb8ba1a119f5620f2d6426c6e3d15107e524b74a942e1630b
This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.
cf5398db6da1a49ffbf7822090a6afa83e60a3b163c1dbfa4962e518d4e655f6
This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.
28ae33e9b8acc6b5e5cf2cd7d546782a77c489178bc2073d4ed3ffe0a56a2291
An elevation of privilege vulnerability exists in Microsoft Windows when the Win32k component fails to properly handle objects in memory. This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This Metasploit module is tested against Windows 10 v1703 x86.
b12d041b74805140215567e34bac24168770da5ed39aeeca4562c66332b7d517
This Metasploit module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the zimbra account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the zimbra credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the Client Upload servlet is used to upload a JSP webshell that can be triggered from the web server to get command execution on the host. The issues reportedly affect Zimbra Collaboration Suite v8.5 to v8.7.11. This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
811a4794f58646f39b0ef372b6e8f37324c45d3730bba6e1b7ae12049671f517
On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to .job files located in c:\windows\tasks because the scheduler does not use impersonation when checking this location. Since users can create files in the c:\windows\tasks folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file. WARNING: The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host will be overwritten when the exploit runs. This Metasploit module has been tested against Windows 10 Pro x64.
c95cd7c1a2ed4a550a27c66b7fcad45a1a61d5951227bc43830a853f611b7cd1
Foxit PDF Reader version 9.0.1.1049 has a use-after-free vulnerability in the Text Annotations component and the TypedArray's use uninitialized pointers. The vulnerabilities can be combined to leak a vtable memory address, which can be adjusted to point to the base address of the executable. A ROP chain can be constructed that will execute when Foxit Reader performs the UAF.
328a4999829d5eb3b12ffaeb666a27977fb72410e1a96f44c840761020615f82
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object to the interface to execute code on vulnerable hosts.
3b706831a95e7ec9767cb60c343331abe8d92f1382ece3a3f50c5943e25d0275
This Metasploit module exploits an authentication bypass in .srv functionality and a command injection in parhand to execute code as the root user.
c10f9b22f833b812b5b5320ea587dedf77fe8a60a4a58ddec5548a2ea5fb202d
CMS Made Simple version 2.2.5 allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory.
665002696e6aa2586a51b8816a8a1e2a503f1bc489989a9294e0d3632c5224f2
phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code by application. The module has been tested with phpMyAdmin v4.8.1.
dae18ef3348cf3077fd1fd7c0054e8bcb0185fb7e809a95ee03722cd6aacb0d5
This Metasploit module exploits a remote code execution vulnerability that exists in GitStack versions through 2.3.10, caused by an unsanitized argument being passed to an exec function call. This Metasploit module has been tested on GitStack version 2.3.10.
cab234e294c5341ce9967a663c67c38cbd0d00a9c7657d94c2711d9cf5ea275f