what you don't know can hurt you
Showing 1 - 15 of 15 RSS Feed

Files from Shelby Pace

First Active2018-07-02
Last Active2020-09-22
Jenkins 2.56 CLI Deserialization / Code Execution
Posted Sep 22, 2020
Authored by Shelby Pace, SSD | Site metasploit.com

An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions 2.56 and below. The readFrom method within the Command class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized SignedObject can be sent to the Jenkins endpoint to achieve code execution on the target.

tags | exploit, java, code execution
advisories | CVE-2017-1000353
MD5 | aa3a16d8907d8d916ffb35f7f9dc700d
WebLogic Server Deserialization Remote Code Execution
Posted Jun 4, 2020
Authored by Shelby Pace, Y4er, Quynh Le | Site metasploit.com

This Metasploit module exploits a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable versions of WebLogic. Leveraging an ExtractorComparator enables the ability to trigger method.invoke(), which will execute arbitrary code.

tags | exploit, java, remote, arbitrary, code execution, protocol
advisories | CVE-2020-2883
MD5 | 70d9c90a8b31214d86ae1cb6e37b7167
WebLogic Server Deserialization Remote Code Execution
Posted May 21, 2020
Authored by Shelby Pace, Y4er, Jang | Site metasploit.com

This Metasploit module exploits a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers.

tags | exploit, java, remote, code execution, protocol
advisories | CVE-2020-2555
MD5 | e3a30f51596b55d810e3f2ed09788c15
Ricoh Driver Privilege Escalation
Posted Feb 7, 2020
Authored by Shelby Pace, Alexander Pudwill, Pentagrid AG | Site metasploit.com

This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

tags | exploit
advisories | CVE-2019-19363
MD5 | fe0a9a6351caebe61c5e0ce2e0b572ad
OpenMRS Java Deserialization Remote Code Execution
Posted Dec 17, 2019
Authored by Nicolas Serra, Shelby Pace, mpgn | Site metasploit.com

OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the webservices.rest module used in OpenMRS Platform. Unauthenticated remote code execution can be achieved by sending a malicious XML payload to a Rest API endpoint such as /ws/rest/v1/concept. This Metasploit module uses an XML payload generated with Marshalsec that targets the ImageIO component of the XStream library. Tested on OpenMRS Platform v2.1.2 and v2.21 with Java 8 and Java 9.

tags | exploit, java, remote, code execution
advisories | CVE-2018-19276
MD5 | c97ba40f300b81ba6c0c682076d3217c
LibreNMS Collectd Command Injection
Posted Sep 6, 2019
Authored by Eldar Marcussen, Shelby Pace | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the Collectd graphing functionality in LibreNMS. The to and from parameters used to define the range for a graph are sanitized using the mysqli_escape_real_string() function, which permits backticks. These parameters are used as part of a shell command that gets executed via the passthru() function, which can result in code execution.

tags | exploit, shell, code execution
advisories | CVE-2019-10669
MD5 | 4480c86153083ea98f618156ca80c47b
LibreOffice Macro Python Code Execution
Posted Aug 20, 2019
Authored by Shelby Pace, LoadLow, Nils Emmerich, Gabriel Masei | Site metasploit.com

This Metasploit module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload.

tags | exploit, arbitrary, python
advisories | CVE-2019-9851
MD5 | 6370452257edd14ff2dd490637bb95b3
WordPress Database Backup Remote Command Execution
Posted Jul 27, 2019
Authored by Shelby Pace, Mikey Veenstra | Site metasploit.com

There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for versions less than 5.2. For the backup functionality, the plugin generates a mysqldump command to execute. The user can choose specific tables to exclude from the backup by setting the wp_db_exclude_table parameter in a POST request to the wp-database-backup page. The names of the excluded tables are included in the mysqldump command unsanitized. Arbitrary commands injected through the wp_db_exclude_table parameter are executed each time the functionality for creating a new database backup are run. Authentication is required to successfully exploit this vulnerability.

tags | exploit, arbitrary
MD5 | bf1a4442e1bd9d405a790a2876259f54
AppXSvc Hard Link Privilege Escalation
Posted Jul 15, 2019
Authored by James Forshaw, Nabeel Ahmed, Shelby Pace | Site metasploit.com

There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This Metasploit module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM.

tags | exploit
systems | windows
advisories | CVE-2019-0841
MD5 | c94395650cca2e92c0d550946f0e7a22
LibreNMS addhost Command Injection
Posted Jun 4, 2019
Authored by Shelby Pace, mhaskar | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the open source network management software known as LibreNMS. The community parameter used in a POST request to the addhost functionality is unsanitized. This parameter is later used as part of a shell command that gets passed to the popen function in capture.inc.php, which can result in execution of arbitrary code. This module requires authentication to LibreNMS first.

tags | exploit, arbitrary, shell, php
advisories | CVE-2018-20434
MD5 | 1e5777dda1da78cd1019c88880b3908d
LibreOffice Macro Code Execution
Posted Apr 17, 2019
Authored by Alex Infuhr, Shelby Pace | Site metasploit.com

This Metasploit module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.

tags | exploit, arbitrary
advisories | CVE-2018-16858
MD5 | 931f1709eb9d70968931648408852ccd
WordPress Responsive Thumbnail Slider Arbitrary File Upload
Posted Jul 27, 2018
Authored by Arash Khazaei, Shelby Pace | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.

tags | exploit, arbitrary, file upload
MD5 | be85945c5f032d73aa3ce61a1cd67566
Axis Network Camera Remote Command Execution
Posted Jul 26, 2018
Authored by sinn3r, Chris Lee, wvu, Matthew Kienow, Or Peles, Jacob Robles, Shelby Pace, Cale Black, Brent Cook | Site metasploit.com

This Metasploit module exploits an authentication bypass in .srv functionality and a command injection in parhand to execute code as the root user.

tags | exploit, root
advisories | CVE-2018-10660, CVE-2018-10661, CVE-2018-10662
MD5 | 66359d0727b130b0477a2848942c2518
GitList 0.6.0 Argument Injection
Posted Jul 7, 2018
Authored by Kacper Szurek, Shelby Pace | Site metasploit.com

This Metasploit module exploits an argument injection vulnerability in GitList version 0.6.0. The vulnerability arises from GitList improperly validating input using the php function 'escapeshellarg'.

tags | exploit, php
MD5 | a1733d5d120783b5373e9c89db24e4a6
Boxoft WAV To MP3 Converter 1.1 Buffer Overflow
Posted Jul 2, 2018
Authored by Robbie Corley, Shelby Pace | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1. By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode.

tags | exploit, overflow, shellcode
advisories | CVE-2015-7243
MD5 | 0bc942aad9f54095c3d8e7923d60677c
Page 1 of 1
Back1Next

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    19 Files
  • 28
    Oct 28th
    29 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close