exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 22 of 22 RSS Feed

Files from Shelby Pace

First Active2018-07-02
Last Active2022-09-22
Bitbucket Git Command Injection
Posted Sep 22, 2022
Authored by Ron Bowes, Shelby Pace, Jang, TheGrandPew | Site metasploit.com

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

tags | exploit, arbitrary
advisories | CVE-2022-36804
SHA-256 | b243d8611790a90b192551fc326eb12be22c5ca700eb91be1d60e366f9f665cb
Advantech iView NetworkServlet Command Injection
Posted Aug 18, 2022
Authored by rgod, Shelby Pace, Y4er | Site metasploit.com

Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.

tags | exploit, remote, code execution, sql injection
advisories | CVE-2022-2143
SHA-256 | 23eb648158fbc4d29b6a4548a4494b101e1715cad07dd93ecd76726409d9069d
Windows SpoolFool Privilege Escalation
Posted Mar 16, 2022
Authored by Shelby Pace, Oliver Lyak | Site metasploit.com

The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The SpoolDirectory, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via SetPrinterDataEx() provided the caller has the PRINTER_ACCESS_ADMINISTER permission. If the SpoolDirectory path does not exist, it will be created once the print spooler reinitializes. Calling SetPrinterDataEx() with the CopyFiles\ registry key will load the dll passed in as the pData argument, meaning that writing a dll to the SpoolDirectory location can be loaded by the print spooler. Using a directory junction and UNC path for the SpoolDirectory, the exploit writes a payload to C:\Windows\System32\spool\drivers\x64\4 and loads it by calling SetPrinterDataEx(), resulting in code execution as SYSTEM.

tags | exploit, registry, code execution
systems | windows
advisories | CVE-2022-21999
SHA-256 | 3e62199fe39127be4320ed28c4a8d52211edb9c506d1e42a0aba3faef33cb58c
elFinder Archive Command Injection
Posted Sep 15, 2021
Authored by Shelby Pace, Thomas Chauchefoin | Site metasploit.com

elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the name parameter is sanitized with the escapeshellarg() php function and then passed to the zip utility. Despite the sanitization, supplying the -TmTT argument as part of the name parameter is still permitted and enables the execution of arbitrary commands as the www-data user.

tags | exploit, arbitrary, php
advisories | CVE-2021-32682
SHA-256 | eefba941559b0ed45889286a43dda93328d3b84159ce379897131f28b557f0ba
Git LFS Clone Command Execution
Posted Aug 31, 2021
Authored by Shelby Pace, Matheus Tavares, Johannes Schindelin | Site metasploit.com

Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are vulnerable to remote code execution while cloning a repository. Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order of repository files which enables the placement of a Git hook in the .git/hooks directory. By default, this Metasploit module writes a post-checkout script so that the payload will automatically be executed upon checkout of the repository.

tags | exploit, remote, code execution
advisories | CVE-2021-21300
SHA-256 | e98b3afb62859d7020a7dd7d9fa1db727066effb6fcaf6be5eb8fbff19874b9d
Lexmark Driver Privilege Escalation
Posted Aug 12, 2021
Authored by Jacob Baines, Shelby Pace, Grant Willcox | Site metasploit.com

Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\<driver name>\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, will inspect the C:\ProgramData\<driver name>\Universal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.

tags | exploit
systems | windows
advisories | CVE-2021-35449
SHA-256 | db241e26cf8e485cbeaa7d359e18c68f4083f5cbe8615e284394323a682200d8
Canon TR150 Driver 3.71.2.10 Privilege Escalation
Posted Aug 11, 2021
Authored by Jacob Baines, Shelby Pace | Site metasploit.com

Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation will grant attackers code execution as the NT AUTHORITY\SYSTEM user. This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

tags | exploit, local, code execution
systems | windows
advisories | CVE-2021-38085
SHA-256 | cba47a2c22f1ca9d11622a05f5196ad5f0cf5055087f98e8880fbd03d3be995d
Jenkins 2.56 CLI Deserialization / Code Execution
Posted Sep 22, 2020
Authored by Shelby Pace, SSD | Site metasploit.com

An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions 2.56 and below. The readFrom method within the Command class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized SignedObject can be sent to the Jenkins endpoint to achieve code execution on the target.

tags | exploit, java, code execution
advisories | CVE-2017-1000353
SHA-256 | 3729c358cb302e4f78e19a3ad5a83bfe54ed6e185ea35041abb6038c065373da
WebLogic Server Deserialization Remote Code Execution
Posted Jun 4, 2020
Authored by Shelby Pace, Y4er, Quynh Le | Site metasploit.com

This Metasploit module exploits a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable versions of WebLogic. Leveraging an ExtractorComparator enables the ability to trigger method.invoke(), which will execute arbitrary code.

tags | exploit, java, remote, arbitrary, code execution, protocol
advisories | CVE-2020-2883
SHA-256 | d85d76c6388cafa88aef4ce4d17b77d3a4f2d6383ddcb075ea187fa645df106e
WebLogic Server Deserialization Remote Code Execution
Posted May 21, 2020
Authored by Shelby Pace, Y4er, Jang | Site metasploit.com

This Metasploit module exploits a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers.

tags | exploit, java, remote, code execution, protocol
advisories | CVE-2020-2555
SHA-256 | 520b0c827c8b01d8c2ca1ab697de7f2fc8a7e99f91c7209728f8431d3a566cea
Ricoh Driver Privilege Escalation
Posted Feb 7, 2020
Authored by Shelby Pace, Alexander Pudwill, Pentagrid AG | Site metasploit.com

This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

tags | exploit
advisories | CVE-2019-19363
SHA-256 | 7c9e552f55f234acffef8a364bb1a7d1ff7a39989cb75b1ba2f3f44e92de5981
OpenMRS Java Deserialization Remote Code Execution
Posted Dec 17, 2019
Authored by Nicolas Serra, Shelby Pace, mpgn | Site metasploit.com

OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the webservices.rest module used in OpenMRS Platform. Unauthenticated remote code execution can be achieved by sending a malicious XML payload to a Rest API endpoint such as /ws/rest/v1/concept. This Metasploit module uses an XML payload generated with Marshalsec that targets the ImageIO component of the XStream library. Tested on OpenMRS Platform v2.1.2 and v2.21 with Java 8 and Java 9.

tags | exploit, java, remote, code execution
advisories | CVE-2018-19276
SHA-256 | 6f1e855ade450fdc21c2afb884ec83e11fd67f1b304b45c6db40c7d5cf974dc7
LibreNMS Collectd Command Injection
Posted Sep 6, 2019
Authored by Eldar Marcussen, Shelby Pace | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the Collectd graphing functionality in LibreNMS. The to and from parameters used to define the range for a graph are sanitized using the mysqli_escape_real_string() function, which permits backticks. These parameters are used as part of a shell command that gets executed via the passthru() function, which can result in code execution.

tags | exploit, shell, code execution
advisories | CVE-2019-10669
SHA-256 | e40f291b536ddb530c9c679f17c98644fcd1bd9ef0a75a355c8b3a8fc1d135c0
LibreOffice Macro Python Code Execution
Posted Aug 20, 2019
Authored by Shelby Pace, LoadLow, Nils Emmerich, Gabriel Masei | Site metasploit.com

This Metasploit module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload.

tags | exploit, arbitrary, python
advisories | CVE-2019-9851
SHA-256 | a9df52f5e153cebc58d4e4198c48942a2f9379eaa47f6d7466b46a1643fd0618
WordPress Database Backup Remote Command Execution
Posted Jul 27, 2019
Authored by Shelby Pace, Mikey Veenstra | Site metasploit.com

There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for versions less than 5.2. For the backup functionality, the plugin generates a mysqldump command to execute. The user can choose specific tables to exclude from the backup by setting the wp_db_exclude_table parameter in a POST request to the wp-database-backup page. The names of the excluded tables are included in the mysqldump command unsanitized. Arbitrary commands injected through the wp_db_exclude_table parameter are executed each time the functionality for creating a new database backup are run. Authentication is required to successfully exploit this vulnerability.

tags | exploit, arbitrary
SHA-256 | 401ad527c7daa315ba1bf0e69bfa9cc8df0e398c4a05459107a808ada7823a8d
AppXSvc Hard Link Privilege Escalation
Posted Jul 15, 2019
Authored by James Forshaw, Nabeel Ahmed, Shelby Pace | Site metasploit.com

There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This Metasploit module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM.

tags | exploit
systems | windows
advisories | CVE-2019-0841
SHA-256 | 768fb56de1ec7de8dd28e560c3995953fbeca7925352b92e82d879e144ae0251
LibreNMS addhost Command Injection
Posted Jun 4, 2019
Authored by Shelby Pace, mhaskar | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the open source network management software known as LibreNMS. The community parameter used in a POST request to the addhost functionality is unsanitized. This parameter is later used as part of a shell command that gets passed to the popen function in capture.inc.php, which can result in execution of arbitrary code. This module requires authentication to LibreNMS first.

tags | exploit, arbitrary, shell, php
advisories | CVE-2018-20434
SHA-256 | 8fd9521e1c38f9ad21b8611a1a79a4fa7ccda2ca71da5acfd86ca9767c9411ae
LibreOffice Macro Code Execution
Posted Apr 17, 2019
Authored by Alex Infuhr, Shelby Pace | Site metasploit.com

This Metasploit module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.

tags | exploit, arbitrary
advisories | CVE-2018-16858
SHA-256 | 1dbac9bc01a0968e5bd4defcfd3239c6f9cf90dfee38c29c3ff6560e99041d79
WordPress Responsive Thumbnail Slider Arbitrary File Upload
Posted Jul 27, 2018
Authored by Arash Khazaei, Shelby Pace | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.

tags | exploit, arbitrary, file upload
SHA-256 | 8ee01269b9ed74a3a7ab070775e8793353cb3fbec90f61759ae14ae92e25bdfa
Axis Network Camera Remote Command Execution
Posted Jul 26, 2018
Authored by sinn3r, Chris Lee, wvu, Matthew Kienow, Or Peles, Jacob Robles, Shelby Pace, Cale Black, Brent Cook | Site metasploit.com

This Metasploit module exploits an authentication bypass in .srv functionality and a command injection in parhand to execute code as the root user.

tags | exploit, root
advisories | CVE-2018-10660, CVE-2018-10661, CVE-2018-10662
SHA-256 | c10f9b22f833b812b5b5320ea587dedf77fe8a60a4a58ddec5548a2ea5fb202d
GitList 0.6.0 Argument Injection
Posted Jul 7, 2018
Authored by Kacper Szurek, Shelby Pace | Site metasploit.com

This Metasploit module exploits an argument injection vulnerability in GitList version 0.6.0. The vulnerability arises from GitList improperly validating input using the php function 'escapeshellarg'.

tags | exploit, php
SHA-256 | 438a7961adff6a24e2b4c17fe41509049358ceda89125f0c70d6808fa38a4266
Boxoft WAV To MP3 Converter 1.1 Buffer Overflow
Posted Jul 2, 2018
Authored by Robbie Corley, Shelby Pace | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1. By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode.

tags | exploit, overflow, shellcode
advisories | CVE-2015-7243
SHA-256 | 7ce78a44af7a5f6b6d50bbd053541d443704b24c121b5a53d4540734c686a507
Page 1 of 1
Back1Next

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close