what you don't know can hurt you
Showing 1 - 25 of 57 RSS Feed

Files from h00die

Email addressmike at stcyrsecurity.com
First Active2009-03-09
Last Active2021-06-02
Cacti 1.2.12 SQL Injection / Remote Command Execution
Posted Jun 2, 2021
Authored by h00die, Leonardo Paiva, Mayfly277 | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in Cacti versions 1.2.12 and below. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload. After calling the payload, the value is reset.

tags | exploit, arbitrary, php, sql injection
advisories | CVE-2020-14295
MD5 | 96f2d2ce45330fd71491a45ad435fbe4
Cockpit CMS 0.11.1 NoSQL Injection / Remote Command Execution
Posted Apr 21, 2021
Authored by h00die, Nikita Petrov | Site metasploit.com

This Metasploit module exploits two NoSQL injection vulnerabilities to retrieve the user list and password reset tokens from the system. Next, the USER is targeted to reset their password. Then, a command injection vulnerability is used to execute the payload. While it is possible to upload a payload and execute it, the command injection provides a no disk write method which is more stealthy. Cockpit CMS versions 0.10.0 through 0.11.1, inclusive, contain all the necessary vulnerabilities for exploitation.

tags | exploit, vulnerability, sql injection
advisories | CVE-2020-35846, CVE-2020-35847
MD5 | 02bc0b645077ffa131dc1c08b1a388bf
WordPress AIT CSV Import/Export 3.0.3 Shell Upload
Posted Jan 12, 2021
Authored by h00die | Site metasploit.com

WordPress AIT CSV Import/Export plugin versions 3.0.3 and below allow unauthenticated remote attackers to upload and execute arbitrary PHP code. The upload-handler does not require authentication, nor validates the uploaded content. It may return an error when attempting to parse a CSV, however the uploaded shell is left. The shell is uploaded to wp-content/uploads/. The plugin is not required to be activated to be exploitable.

tags | exploit, remote, arbitrary, shell, php
MD5 | c39ac90e0b404ac71d25decc4f495aec
Pulse Secure VPN Remote Code Execution
Posted Dec 18, 2020
Authored by h00die, Spencer McIntyre, Richard Warren, David Cash | Site metasploit.com

The Pulse Connect Secure appliance versions prior to 9.1R9 suffer from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.

tags | exploit, remote, arbitrary, root, code execution
advisories | CVE-2020-8260
MD5 | 59e340f2d15da503b7cef81774ba584f
WordPress Simple File List Unauthenticated Remote Code Execution
Posted Nov 25, 2020
Authored by h00die, coiffeur | Site metasploit.com

This Metasploit module exploits WordPress Simple File List plugin versions prior to 4.2.3, which allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed to php and executed.

tags | exploit, remote, arbitrary, php
MD5 | 53dc99d870452eb23bdf7882ccb0c3e3
Plex Unpickle Dict Windows Remote Code Execution
Posted Jul 17, 2020
Authored by h00die, Chris Lyne | Site metasploit.com

This Metasploit module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker can create a photo library and add arbitrary files to it. After setting the Windows only Plex variable LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled, which causes remote code execution as the user who started Plex. Plex_Token is required, to get it you need to log-in through a web browser, then check the requests to grab the X-Plex-Token header. See info -d for additional details. If an exploit fails, or is cancelled, Dict is left on disk, a new ALBUM_NAME will be required as subsequent writes will make Dict-1, and not execute.

tags | exploit, remote, web, arbitrary, code execution, python
systems | windows
advisories | CVE-2020-5741
MD5 | 41eb0c77f9b7de3ab74e8c47a61a86c3
Cayin xPost 2.5 SQL Injection / Remote Code Execution
Posted Jun 18, 2020
Authored by LiquidWorm, h00die | Site metasploit.com

This Metasploit module exploits an unauthenticated remote SQL injection vulnerability in Cayin xPost versions 2.5 and below. The wayfinder_meeting_input.jsp file's wayfinder_seqid parameter can be injected blindly. Since this app bundles MySQL and Apache Tomcat the environment is pretty static and therefore the default settings should work. Results in SYSTEM level access. Only the java/jsp_shell_reverse_tcp and java/jsp_shell_bind_tcp payloads seem to be valid.

tags | exploit, java, remote, sql injection
advisories | CVE-2020-7356
MD5 | 0bce693076ed6cfe035781e990db745d
Cayin CMS NTP Server 11.0 Remote Code Execution
Posted Jun 18, 2020
Authored by LiquidWorm, h00die | Site metasploit.com

This Metasploit module exploits an authenticated remote code execution vulnerability in Cayin CMS versions 11.0 and below. The code execution is executed in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so repeated requests are made to achieve a larger payload. Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be pretty set and not dynamic between targets. Results in root level access.

tags | exploit, remote, cgi, root, code execution
systems | linux, ubuntu
advisories | CVE-2020-7357
MD5 | 5b71abbf1e64c3cce0a48cc8d48f03b0
WordPress Drag And Drop Multi File Uploader Remote Code Execution
Posted Jun 4, 2020
Authored by h00die, Austin Martin | Site metasploit.com

This Metasploit module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.

tags | exploit, shell, php, file upload
advisories | CVE-2020-12800
MD5 | 8741d1320b67d5240a0da5c63f0f5065
Pi-Hole 4.3.2 DHCP MAC OS Command Execution
Posted May 28, 2020
Authored by h00die, nateksec | Site metasploit.com

This Metasploit module exploits a command execution in Pi-Hole versions 4.3.2 and below. A new DHCP static lease is added with a MAC address which includes a remote code execution issue.

tags | exploit, remote, code execution
advisories | CVE-2020-8816
MD5 | e6986dcdd89a11102dc17483054ea333
Pi-Hole 3.3 Command Execution
Posted May 26, 2020
Authored by h00die, Denis Andzakovic | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in Pi-Hole versions 3.3 and below. When adding a new domain to the whitelist, it is possible to chain a command to the domain that is run on the OS.

tags | exploit
MD5 | 066e37ec3d1f6c94c53a2a17bd4de5f8
Synology DiskStation Manager smart.cgi Remote Command Execution
Posted May 22, 2020
Authored by h00die, Nigusu Kassahu | Site metasploit.com

This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions prior to 5.2-5967-5, which allows the execution of arbitrary commands under root privileges after website authentication. The vulnerability is located in webman/modules/StorageManager/smart.cgi, which allows appending of a command to the device to be scanned. However, the command with drive is limited to 30 characters. A somewhat valid drive name is required, thus /dev/sd is used, even though it does not exist. To circumvent the character restriction, a wget input file is staged in /a, and executed to download our payload to /b. From there the payload is executed. A wfsdelay is required to give time for the payload to download, and the execution of it to run.

tags | exploit, arbitrary, cgi, root
advisories | CVE-2017-15889
MD5 | 7f25ddec9b67ccf5376f21659f58915a
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
Posted May 18, 2020
Authored by h00die, Nick Frichette | Site metasploit.com

This Metasploit module exploits a command execution in Pi-Hole versions 4.4 and below. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a privilege escalation. Phase 2 writes our payload to teleporter.php, overwriting the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges.

tags | exploit, web, root, php
advisories | CVE-2020-11108
MD5 | 45a7854959d2d37b594d4f7a3b3c052e
HP Performance Monitoring xglance Privilege Escalation
Posted May 4, 2020
Authored by Tim Brown, h00die, Marco Ortisi, Robert Jaroszuk | Site metasploit.com

This Metasploit module is an exploit that takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 and subsequent, which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root.

tags | exploit, root
advisories | CVE-2014-2630
MD5 | 2d52c1f98bc8caf5ed131ceaf2d906c0
Microsoft Windows Unquoted Service Path Privilege Escalation
Posted Apr 16, 2020
Authored by h00die, sinn3r | Site metasploit.com

This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths: C:\program.exe, and C:\program files\hello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem.

tags | exploit
systems | windows
MD5 | 651248f88c9a58a75f48fa67abb2c31a
VMware Fusion USB Arbitrator Setuid Privilege Escalation
Posted Apr 3, 2020
Authored by h00die, Grimm, Rich Mirch, Dhanesh Kizhakkinan, jeffball | Site metasploit.com

This Metasploit module exploits an improper use of setuid binaries within VMware Fusion versions 10.1.3 through 11.5.3. The Open VMware USB Arbitrator Service can be launched outside of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home directory in a specific folder, and creating a hard link to the Open VMware USB Arbitrator Service binary, we are able to launch it temporarily to start our payload with an effective UID of 0.

tags | exploit
advisories | CVE-2020-3950
MD5 | d08444e1220f418c3e6c94a4bcbeee5b
Metasploit Sample Webapp Exploit
Posted Dec 16, 2019
Authored by h00die | Site metasploit.com

This Metasploit exploit module illustrates how a vulnerability could be exploited in a webapp.

tags | exploit
MD5 | 15880c1bae79cabfa0bc303baa8a9153
Metasploit Sample Linux Privilege Escalation Exploit
Posted Dec 16, 2019
Authored by h00die | Site metasploit.com

This Metasploit exploit module illustrates how a vulnerability could be exploited in a linux command for privilege escalation.

tags | exploit
systems | linux
MD5 | 484a242e6e523fab95eb0bf3936e9709
Android Janus APK Signature Bypass
Posted Nov 7, 2019
Authored by h00die, timwr, V-E-O, GuardSquare | Site metasploit.com

This Metasploit module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature scheme v2, so only APKs signed with the v1 scheme are vulnerable. Payload handler is disabled, and a multi/handler must be started first.

tags | exploit
advisories | CVE-2017-13156
MD5 | 64f1c304613a13c0a1b0f19f8913efec
Apache Tika 1.17 Header Command Injection
Posted Aug 2, 2019
Authored by h00die, David Yesland, Tim Allison | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Apache Tika versions 1.15 through 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic byte checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 through 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only versions greater than 1.14 were exploitable due to jp2 support being added.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-1335
MD5 | 584bcb5d7b920aac9e4eb93a9a341f01
Unitrends Enterprise Backup bpserverd Privilege Escalation
Posted Nov 28, 2018
Authored by h00die, Benny Husted, Cale Smith, Jared Arave | Site metasploit.com

It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the localhost by dropping a python script on the local file system. Unitrends stopped bpserverd from listening remotely on version 10.

tags | exploit, remote, arbitrary, local, root, protocol, python
systems | linux
advisories | CVE-2018-6329
MD5 | 169be3643a7a30d9a8e1cb203cbc2994
PHP imap_open Remote Code Execution
Posted Nov 28, 2018
Authored by h00die, Anton Lopanitsyn, Twoster | Site metasploit.com

The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107/hostcms require administrator credentials.

tags | exploit, arbitrary, php, imap
systems | linux, debian, ubuntu
MD5 | d4da49f1f3382fe81325e51853a7fcc3
Unitrends UEB HTTP API Remote Code Execution
Posted Oct 5, 2018
Authored by h00die, Benny Husted, Cale Smith, Jared Arave | Site metasploit.com

It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system. UEB v9 runs the api under root privileges and api/storage is vulnerable. UEB v10 runs the api under limited privileges and api/hosts is vulnerable.

tags | exploit, remote, web, arbitrary, root
advisories | CVE-2017-12478, CVE-2018-6328
MD5 | a0e08b19c154dc12f718909d936f193c
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Posted Aug 3, 2018
Authored by h00die, Brendan Coles, Andrey Konovalov | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO). This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and SMAP disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This Metasploit module has been tested successfully on various Ubuntu and Linux Mint systems, including: Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop; Ubuntu 16.04 4.8.0-53-generic; Linux Mint 17.3 4.4.0-89-generic; Linux Mint 18 4.8.0-58-generic

tags | exploit, kernel, root, udp
systems | linux, ubuntu
advisories | CVE-2017-1000112
MD5 | 365cc8e31e8378f416a359810066fcda
Linux BPF Sign Extension Local Privilege Escalation
Posted Jul 19, 2018
Authored by h00die, Jann Horn, vnik, rlarabee, bleidl, bcoles | Site metasploit.com

Linux kernel versions prior to 4.14.8 utilize the Berkeley Packet Filter (BPF) which contains a vulnerability where it may improperly perform signing for an extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This Metasploit module has been tested successfully on many different kernels.

tags | exploit, kernel
systems | linux
advisories | CVE-2017-16995
MD5 | 4596fc215a7899eb6de8fccca0e92708
Page 1 of 3

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By