Exploit the possiblities
Showing 1 - 25 of 221 RSS Feed

Files from H D Moore

Email addresshdm at metasploit.com
First Active1999-08-17
Last Active2017-05-27
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

tags | exploit, arbitrary
advisories | CVE-2017-7494
MD5 | 540c24e5e6cfcfa8e2adea53b8b83491
Ghostscript 9.21 Type Confusion Arbitrary Command Execution
Posted May 1, 2017
Authored by H D Moore, Atlassian Security Team | Site metasploit.com

This Metasploit module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects Ghostscript versions 9.21 and earlier and can be exploited through libraries such as ImageMagick and Pillow.

tags | exploit, arbitrary
MD5 | 6942d6efceefaf1137c13d39ad78ac35
Advantech Switch Bash Environment Variable Code Injection
Posted Dec 2, 2015
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This Metasploit module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This Metasploit module was tested against firmware version 1322_D1.98.

tags | exploit, web, shell, cgi, bash
advisories | CVE-2014-6271
MD5 | 3f75e0684f5d9400f0db116618cf437e
Accellion FTA getStatus verify_oauth_token Command Execution
Posted Jul 13, 2015
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This Metasploit module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210.

tags | exploit, shell
advisories | CVE-2015-2857
MD5 | 574eb637708ed40c94b419650c536f7d
Ceragon FibeAir IP-10 SSH Private Key Exposure
Posted Apr 2, 2015
Authored by H D Moore, Tod Beardsley | Site metasploit.com

This Metasploit module exploits the fact that Ceragon ships a public/private key pair on FibeAir IP-10 devices that allows passwordless authentication to any other IP-10 device. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "mateidu" user.

tags | exploit, remote
advisories | CVE-2015-0936
MD5 | dbb01da873f25f0307a2f3e8830b4bef
WordPress cache_lastpostdate Arbitrary Code Execution
Posted Mar 24, 2015
Authored by H D Moore, str0ke | Site metasploit.com

This Metasploit module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected.

tags | exploit, arbitrary, php, code execution
advisories | CVE-2005-2612, OSVDB-18672
MD5 | 6587a07ae6fb8103545737bc7a447633
WordPress W3 Total Cache PHP Code Execution
Posted Mar 24, 2015
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically find or bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This Metasploit module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | CVE-2013-2010, OSVDB-92652
MD5 | be8ab3b5728c9890eeda2592ba90ef4e
NETGEAR ReadyNAS Perl Code Evaluation
Posted Nov 25, 2013
Authored by H D Moore, juan vazquez, Craig Young | Site metasploit.com

This Metasploit module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The vulnerability exists on the web fronted, specifically on the np_handler.pl component, due to the insecure usage of the eval() perl function. This Metasploit module has been tested successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment, not on real hardware.

tags | exploit, web, perl
advisories | CVE-2013-2751, OSVDB-98826
MD5 | d85b0453ec7ff515ff45ea5c314d7ddc
Supermicro Onboard IPMI close_window.cgi Buffer Overflow
Posted Nov 17, 2013
Authored by H D Moore, juan vazquez | Site metasploit.com

This Metasploit module exploits a buffer overflow on the Supermicro Onboard IPMI controller web interface. The vulnerability exists on the close_window.cgi CGI application, and is due to the insecure usage of strcpy. In order to get a session, the module will execute system() from libc with an arbitrary CMD payload sent on the User-Agent header. This Metasploit module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.

tags | exploit, web, overflow, arbitrary, cgi
advisories | CVE-2013-3623
MD5 | 93402586b187bf6a3206c59f7317c96f
Windows SYSTEM Escalation Via KiTrap0D
Posted Nov 14, 2013
Authored by H D Moore, Pusscat, Tavis Ormandy, OJ Reeves | Site metasploit.com

This Metasploit module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

tags | exploit, x86
systems | windows
advisories | CVE-2010-0232, OSVDB-61854
MD5 | 684211c5a525c2bc561700bd9d39783b
MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution
Posted Jun 5, 2013
Authored by H D Moore, Dejan Lukan | Site metasploit.com

This Metasploit module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling.

tags | exploit, web, overflow
advisories | CVE-2013-0230, OSVDB-89624
MD5 | 7162235aeeb395bcbb59aaebbd7f7c09
Wordpress W3 Total Cache PHP Code Execution
Posted Apr 29, 2013
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on Wordpress must be unchecked for successful exploitation. This Metasploit module has been tested against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | OSVDB-92652
MD5 | 170014b6ed1d82d111127c7bec507a9d
UPnP Issue Affects Many Routers
Posted Feb 6, 2013
Authored by H D Moore, Leon Juranic, DefenseCode

A few weeks ago, DefenseCode announced the remote pre-auth root access exploit for Cisco Linksys. During further research, they have discovered that other router manufacturers are also vulnerable to the same vulnerability, since the vulnerable Broadcom UPnP stack is used across multiple router vendors. Rapid7 has produced some scary numbers surrounding how many routers are affected on the Internet.

tags | advisory, remote, root
systems | cisco
MD5 | 3b0a8f2514d231023a2e7212b1720304
Portable UPnP SDK unique_service_name() Remote Code Execution
Posted Feb 5, 2013
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this exploit uses a separate TCP listener to stage the real payload.

tags | exploit, overflow, tcp
advisories | CVE-2012-5858
MD5 | 8a2d4e5a5036082bd64360fbe4d78a67
Ruby On Rails XML Processor YAML Deserialization Code Execution
Posted Jan 11, 2013
Authored by H D Moore, lian, espes, charliesome | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This Metasploit module has been tested across multiple versions of RoR 3.x and RoR 2.x The technique used by this module requires the target to be running a fairly version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

tags | exploit, remote, code execution, ruby
advisories | CVE-2013-0156
MD5 | 49cbb8a2818a2dd977c6e68b4115b578
Apple iOS Default SSH Password
Posted Oct 10, 2012
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits the default credentials of Apple iOS when it has been jailbroken and the passwords for the 'root' and 'mobile' users have not been changed.

tags | exploit, root
systems | apple
MD5 | 9731fff02e7eac8544c5477329354c92
phpMyAdmin 3.5.2.2 server_sync.php Backdoor
Posted Sep 26, 2012
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits an arbitrary code execution backdoor placed into phpMyAdmin version 3.5.2.2 through a compromised SourceForge mirror.

tags | exploit, arbitrary, code execution
MD5 | 3eb0ebaa1adb15ab2abbef001b5c428d
Metasploit Framework 4.4
Posted Jul 17, 2012
Authored by H D Moore | Site metasploit.com

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Changes: 101 modules have been added. Meterpreter has been modernized. Various other improvements.
tags | tool, ruby
systems | unix
MD5 | 674b6bf22606298c98e7735b994dec25
RealVNC Authentication Bypass
Posted Aug 26, 2011
Authored by H D Moore, The Light Cosine | Site metasploit.com

This Metasploit module exploits an Authentication Bypass Vulnerability in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy listener on LPORT and proxies to the target server The AUTOVNC option requires that vncviewer be installed on the attacking machine. This option should be disabled for Pro.

tags | exploit, bypass
advisories | CVE-2006-2369, OSVDB-25479
MD5 | 8e4490d03f022fde63ac0d43677b774d
Metasploit Framework 4.0.0
Posted Aug 2, 2011
Authored by H D Moore | Site metasploit.com

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Changes: Ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules. 20 new exploits, 3 new auxiliary modules, and 14 new post modules have been added since the last release.
tags | tool, ruby
systems | unix
MD5 | 9b4426a919491d897dc38bd96e6c5ef1
VSFTPD 2.3.4 Backdoor Command Execution
Posted Jul 4, 2011
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was present in the vsftpd-2.3.4.tar.gz archive sometime before July 3rd 2011.

tags | exploit
MD5 | 0ef4c02a9a5cf41d3a2cea609ce796e4
Accellion File Transfer Appliance MPIPE2 Command Execution
Posted Mar 14, 2011
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the appliance ships with two easy to guess default authentication keys. This Metasploit module abuses the known default encryption keys to inject a message into the communication bus. In order to execute arbitrary commands on the remote appliance, a message is injected into the bus destined for the 'matchrep' service. This service exposes a function named 'insert_plugin_meta_info' which is vulnerable to an input validation flaw in a call to system(). This provides access to the 'soggycat' user account, which has sudo privileges to run the primary admin tool as root. These two flaws are fixed in update version FTA_8_0_562.

tags | exploit, remote, arbitrary, root, udp, vulnerability
MD5 | 68bf251bee705d5b41c489b1b7ae0520
Metasploit Framework 3.6.0
Posted Mar 7, 2011
Authored by H D Moore | Site metasploit.com

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Changes: This release adds 15 new exploits for a total of 64 new modules since version 3.5.1. Includes Post Exploitation modules that provide local exploits and additional data gathering capabilities.
tags | tool, ruby
systems | unix
MD5 | c40cd0b56a666316e91718d72ebec86c
Accellion File Transfer Appliance Multiple Vulnerabilities
Posted Feb 7, 2011
Authored by H D Moore, Rapid7 | Site rapid7.com

Rapid7 Security Advisory - The Accellion File Transfer Appliance, prior to version FTA_8_0_562, suffers from a number of security flaws that can lead to a remote root compromise. These include issues like command injection, administrative tty check bypass, static passwords for privileged accounts, and more.

tags | exploit, remote, root
MD5 | 43bf593dd53ad61063aac11dfc90d291
Check Point Endpoint Security Server Information Disclosure
Posted Feb 7, 2011
Authored by H D Moore, Rapid7 | Site rapid7.com

Rapid7 Security Advisory - The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries.

tags | exploit, web
MD5 | 0b772e1bc4479481ccb7a1d8e24df0ae
Page 1 of 9
Back12345Next

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close