what you don't know can hurt you
Showing 1 - 25 of 62 RSS Feed

Files from h00die

Email addressmike at stcyrsecurity.com
First Active2009-03-09
Last Active2021-11-02
WordPress Pie Register 3.7.1.4 Authentication Bypass / Remote Code Execution
Posted Nov 2, 2021
Authored by h00die, Lotfi13-DZ | Site metasploit.com

This Metasploit module uses an authentication bypass vulnerability in Wordpress Pie Register plugin versions 3.7.1.4 and below to generate a valid cookie. With this cookie, hopefully of the admin, it will generate a plugin, pack the payload into it and upload it to a server running WordPress.

tags | exploit, bypass
MD5 | 46210089a3df2c00df7886dadf56127c
Moodle Admin Shell Upload
Posted Oct 12, 2021
Authored by h00die, Ozkan Mustafa Akkus | Site metasploit.com

This Metasploit module will generate a plugin which can receive a malicious payload request and upload it to a server running Moodle provided valid admin credentials are used. Then the payload is sent for execution, and the plugin uninstalled. You must have an admin account to exploit this vulnerability. Successfully tested against versions 3.6.3, 3.8.0, 3.9.0, 3.10.0, and 3.11.2.

tags | exploit
advisories | CVE-2019-11631
MD5 | de7ddb72e0bed90237de3829ad7cb9ed
Moodle SpellChecker Path Authenticated Remote Command Execution
Posted Oct 12, 2021
Authored by h00die, Adam Reiser | Site metasploit.com

Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path to include a command injection. This is extremely similar to CVE-2013-3630, just using a different variable. This Metasploit module was tested against Moodle versions 3.11.2, 3.10.0, and 3.8.0.

tags | exploit, web
advisories | CVE-2021-21809
MD5 | a7e5d57a6bbc39e072f95b582e1a9b48
Moodle Teacher Enrollment Privilege Escalation / Remote Code Execution
Posted Oct 12, 2021
Authored by h00die, lanz, HoangKien1020 | Site metasploit.com

Moodle versions 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12, and earlier unsupported versions allow for a teacher to exploit chain to remote code execution. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add someone with manager privileges on the system (not just the class). After adding a system manager, a loginas feature is used to access their account. Next the system is reconfigured to allow for all users to install an addon/plugin. Then a malicious theme is uploaded and creates an RCE. If all of that is a success, we revert permissions for managers to system default and remove our malicious theme. Manual cleanup to remove students from the class is required. This Metasploit module was tested against Moodle version 3.9.

tags | exploit, remote, code execution
advisories | CVE-2020-14321
MD5 | ebc3a909ac2dea6048c783034195cd70
Pi-Hole Remove Commands Linux Privilege Escalation
Posted Jul 30, 2021
Authored by h00die, Emanuele Barbeno | Site metasploit.com

Pi-Hole versions 3.0 through 5.3 allows for command line input to the removecustomcname, removecustomdns, and removestaticdhcp functions without properly validating the parameters before passing to sed. When executed as the www-data user, this allows for a privilege escalation to root since www-data is in the sudoers.d/pihole file with no password.

tags | exploit, root
advisories | CVE-2021-29449
MD5 | dac4dfce514725aab909b2548e85e3ee
Cacti 1.2.12 SQL Injection / Remote Command Execution
Posted Jun 2, 2021
Authored by h00die, Leonardo Paiva, Mayfly277 | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in Cacti versions 1.2.12 and below. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload. After calling the payload, the value is reset.

tags | exploit, arbitrary, php, sql injection
advisories | CVE-2020-14295
MD5 | 96f2d2ce45330fd71491a45ad435fbe4
Cockpit CMS 0.11.1 NoSQL Injection / Remote Command Execution
Posted Apr 21, 2021
Authored by h00die, Nikita Petrov | Site metasploit.com

This Metasploit module exploits two NoSQL injection vulnerabilities to retrieve the user list and password reset tokens from the system. Next, the USER is targeted to reset their password. Then, a command injection vulnerability is used to execute the payload. While it is possible to upload a payload and execute it, the command injection provides a no disk write method which is more stealthy. Cockpit CMS versions 0.10.0 through 0.11.1, inclusive, contain all the necessary vulnerabilities for exploitation.

tags | exploit, vulnerability, sql injection
advisories | CVE-2020-35846, CVE-2020-35847
MD5 | 02bc0b645077ffa131dc1c08b1a388bf
WordPress AIT CSV Import/Export 3.0.3 Shell Upload
Posted Jan 12, 2021
Authored by h00die | Site metasploit.com

WordPress AIT CSV Import/Export plugin versions 3.0.3 and below allow unauthenticated remote attackers to upload and execute arbitrary PHP code. The upload-handler does not require authentication, nor validates the uploaded content. It may return an error when attempting to parse a CSV, however the uploaded shell is left. The shell is uploaded to wp-content/uploads/. The plugin is not required to be activated to be exploitable.

tags | exploit, remote, arbitrary, shell, php
MD5 | c39ac90e0b404ac71d25decc4f495aec
Pulse Secure VPN Remote Code Execution
Posted Dec 18, 2020
Authored by h00die, Spencer McIntyre, Richard Warren, David Cash | Site metasploit.com

The Pulse Connect Secure appliance versions prior to 9.1R9 suffer from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.

tags | exploit, remote, arbitrary, root, code execution
advisories | CVE-2020-8260
MD5 | 59e340f2d15da503b7cef81774ba584f
WordPress Simple File List Unauthenticated Remote Code Execution
Posted Nov 25, 2020
Authored by h00die, coiffeur | Site metasploit.com

This Metasploit module exploits WordPress Simple File List plugin versions prior to 4.2.3, which allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed to php and executed.

tags | exploit, remote, arbitrary, php
MD5 | 53dc99d870452eb23bdf7882ccb0c3e3
Plex Unpickle Dict Windows Remote Code Execution
Posted Jul 17, 2020
Authored by h00die, Chris Lyne | Site metasploit.com

This Metasploit module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker can create a photo library and add arbitrary files to it. After setting the Windows only Plex variable LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled, which causes remote code execution as the user who started Plex. Plex_Token is required, to get it you need to log-in through a web browser, then check the requests to grab the X-Plex-Token header. See info -d for additional details. If an exploit fails, or is cancelled, Dict is left on disk, a new ALBUM_NAME will be required as subsequent writes will make Dict-1, and not execute.

tags | exploit, remote, web, arbitrary, code execution, python
systems | windows
advisories | CVE-2020-5741
MD5 | 41eb0c77f9b7de3ab74e8c47a61a86c3
Cayin xPost 2.5 SQL Injection / Remote Code Execution
Posted Jun 18, 2020
Authored by LiquidWorm, h00die | Site metasploit.com

This Metasploit module exploits an unauthenticated remote SQL injection vulnerability in Cayin xPost versions 2.5 and below. The wayfinder_meeting_input.jsp file's wayfinder_seqid parameter can be injected blindly. Since this app bundles MySQL and Apache Tomcat the environment is pretty static and therefore the default settings should work. Results in SYSTEM level access. Only the java/jsp_shell_reverse_tcp and java/jsp_shell_bind_tcp payloads seem to be valid.

tags | exploit, java, remote, sql injection
advisories | CVE-2020-7356
MD5 | 0bce693076ed6cfe035781e990db745d
Cayin CMS NTP Server 11.0 Remote Code Execution
Posted Jun 18, 2020
Authored by LiquidWorm, h00die | Site metasploit.com

This Metasploit module exploits an authenticated remote code execution vulnerability in Cayin CMS versions 11.0 and below. The code execution is executed in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so repeated requests are made to achieve a larger payload. Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be pretty set and not dynamic between targets. Results in root level access.

tags | exploit, remote, cgi, root, code execution
systems | linux, ubuntu
advisories | CVE-2020-7357
MD5 | 5b71abbf1e64c3cce0a48cc8d48f03b0
WordPress Drag And Drop Multi File Uploader Remote Code Execution
Posted Jun 4, 2020
Authored by h00die, Austin Martin | Site metasploit.com

This Metasploit module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.

tags | exploit, shell, php, file upload
advisories | CVE-2020-12800
MD5 | 8741d1320b67d5240a0da5c63f0f5065
Pi-Hole 4.3.2 DHCP MAC OS Command Execution
Posted May 28, 2020
Authored by h00die, nateksec | Site metasploit.com

This Metasploit module exploits a command execution in Pi-Hole versions 4.3.2 and below. A new DHCP static lease is added with a MAC address which includes a remote code execution issue.

tags | exploit, remote, code execution
advisories | CVE-2020-8816
MD5 | e6986dcdd89a11102dc17483054ea333
Pi-Hole 3.3 Command Execution
Posted May 26, 2020
Authored by h00die, Denis Andzakovic | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in Pi-Hole versions 3.3 and below. When adding a new domain to the whitelist, it is possible to chain a command to the domain that is run on the OS.

tags | exploit
MD5 | 066e37ec3d1f6c94c53a2a17bd4de5f8
Synology DiskStation Manager smart.cgi Remote Command Execution
Posted May 22, 2020
Authored by h00die, Nigusu Kassahu | Site metasploit.com

This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions prior to 5.2-5967-5, which allows the execution of arbitrary commands under root privileges after website authentication. The vulnerability is located in webman/modules/StorageManager/smart.cgi, which allows appending of a command to the device to be scanned. However, the command with drive is limited to 30 characters. A somewhat valid drive name is required, thus /dev/sd is used, even though it does not exist. To circumvent the character restriction, a wget input file is staged in /a, and executed to download our payload to /b. From there the payload is executed. A wfsdelay is required to give time for the payload to download, and the execution of it to run.

tags | exploit, arbitrary, cgi, root
advisories | CVE-2017-15889
MD5 | 7f25ddec9b67ccf5376f21659f58915a
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
Posted May 18, 2020
Authored by h00die, Nick Frichette | Site metasploit.com

This Metasploit module exploits a command execution in Pi-Hole versions 4.4 and below. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a privilege escalation. Phase 2 writes our payload to teleporter.php, overwriting the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges.

tags | exploit, web, root, php
advisories | CVE-2020-11108
MD5 | 45a7854959d2d37b594d4f7a3b3c052e
HP Performance Monitoring xglance Privilege Escalation
Posted May 4, 2020
Authored by Tim Brown, h00die, Marco Ortisi, Robert Jaroszuk | Site metasploit.com

This Metasploit module is an exploit that takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 and subsequent, which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root.

tags | exploit, root
advisories | CVE-2014-2630
MD5 | 2d52c1f98bc8caf5ed131ceaf2d906c0
Microsoft Windows Unquoted Service Path Privilege Escalation
Posted Apr 16, 2020
Authored by h00die, sinn3r | Site metasploit.com

This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths: C:\program.exe, and C:\program files\hello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem.

tags | exploit
systems | windows
MD5 | 651248f88c9a58a75f48fa67abb2c31a
VMware Fusion USB Arbitrator Setuid Privilege Escalation
Posted Apr 3, 2020
Authored by h00die, Grimm, Rich Mirch, Dhanesh Kizhakkinan, jeffball | Site metasploit.com

This Metasploit module exploits an improper use of setuid binaries within VMware Fusion versions 10.1.3 through 11.5.3. The Open VMware USB Arbitrator Service can be launched outside of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home directory in a specific folder, and creating a hard link to the Open VMware USB Arbitrator Service binary, we are able to launch it temporarily to start our payload with an effective UID of 0.

tags | exploit
advisories | CVE-2020-3950
MD5 | d08444e1220f418c3e6c94a4bcbeee5b
Metasploit Sample Webapp Exploit
Posted Dec 16, 2019
Authored by h00die | Site metasploit.com

This Metasploit exploit module illustrates how a vulnerability could be exploited in a webapp.

tags | exploit
MD5 | 15880c1bae79cabfa0bc303baa8a9153
Metasploit Sample Linux Privilege Escalation Exploit
Posted Dec 16, 2019
Authored by h00die | Site metasploit.com

This Metasploit exploit module illustrates how a vulnerability could be exploited in a linux command for privilege escalation.

tags | exploit
systems | linux
MD5 | 484a242e6e523fab95eb0bf3936e9709
Android Janus APK Signature Bypass
Posted Nov 7, 2019
Authored by h00die, timwr, V-E-O, GuardSquare | Site metasploit.com

This Metasploit module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature scheme v2, so only APKs signed with the v1 scheme are vulnerable. Payload handler is disabled, and a multi/handler must be started first.

tags | exploit
advisories | CVE-2017-13156
MD5 | 64f1c304613a13c0a1b0f19f8913efec
Apache Tika 1.17 Header Command Injection
Posted Aug 2, 2019
Authored by h00die, David Yesland, Tim Allison | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Apache Tika versions 1.15 through 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic byte checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 through 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only versions greater than 1.14 were exploitable due to jp2 support being added.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-1335
MD5 | 584bcb5d7b920aac9e4eb93a9a341f01
Page 1 of 3
Back123Next

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close