This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.
23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517This Metasploit module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions 9.9.9320 and below.
90d7acef05664be1e0b28da7f711f5c30f094179ef8916c47f28a2418a07056eA vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.
94d1415f6fe455813346e8f6de25a1fa7b5b88484ea770a8bc9b669e25457a13This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server. This affects versions of UniData prior to 8.2.4 build 3003. This service typically runs as root. It accepts a username of ":local:" and a password in the form of "<username>:<uid>:<gid>", where username and uid must be a valid account, but gid can be anything except 0. This exploit takes advantage of this login account to authenticate as a chosen user and run an arbitrary command (using the built-in OsCommand message).
a072b9a39317b3843159b4f19550be453c524b06398e48145609bb5afa1a4475This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server, which runs as root. This vulnerability affects UniData versions 8.2.4 build 3003 and earlier (for Linux), but this module specifically targets UniData version 8.2.4 build 3001. Other versions will crash the forked process, but will not otherwise affect the RPC server. The username and password fields are copied to a stack-based buffer using a function that's equivalent to strcpy() (ie, has no bounds checking). Additionally, the password field is encoded in such a way that we can include NUL bytes.
573fc6e16c91d795c9424c33a9909a1277e50ad02e08eb5886ceb1a2e2610251This Metasploit module exploits an object deserialization vulnerability in Fortra GoAnywhere MFT.
051497e68329329350b8fed17a087b6d124609bf8c23ea52d28ac047e63c6038This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.
ec59a3d52e4d78cf9bacb372140fcd5f2f2c8928aed87fa348ad1aed6d0bcde0This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.
ab0811cdeca1e7b40855fbeb9922d915dac86f0ccb16efdb3855d5d39ebf43acThis Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.
0942abdee0725fc32a285ecb9a23fb1bfe3ecc058946e6d59dda0de6b91cbca4This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions Zimbra Collaboration Suite 9.0.0 Patch 26 and below and Zimbra Collaboration Suite 8.8.15 Patch 33 and below.
ce92bc8cd0b896bbf1bbebcee5677a9a8619813aaba32b6be0cfc98fba18d5b5This Metasploit module exploits a vulnerable sudo configuration that permits the Zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shellscripts, which means it can execute a root shell.
60ec0dcab5b58dbebac7ed6c99c5cf1fb52f76e5b1a5f3723089e823fc252948Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.
b243d8611790a90b192551fc326eb12be22c5ca700eb91be1d60e366f9f665cbThis Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.
d58f4c7d7dbb0ee3b34e5a5a98ecaa59aa1118d324973a875b3ee85a53d569d4This Metasploit module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.
1f2fa01d64e190544e661f442158ebf1f08cb719c08299334a3fc484cc386cd2This Metasploit module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060. They include a path traversal in the /cewolf endpoint along with a blind XML external entity injection vulnerability to upload and execute a file.
19ca84f8e53083cacedb632dc26e16f78047ee8e6573a717d22be7336e613cdbThis Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.
ca0f5b8e2038241415fba603b901534752f2529d4c8d1c1134f97e76d1935fefThis Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.
bb3a5bef34f53053f0da7eec9cad038bc4f47a0997b2e9cd601a17a1f034a0adRemote authentication bypass exploit for the WebDAV vulnerability in Microsoft IIS 6.0.
58794bad254c95a52a4aff02ec52eb753d9e24ebc75be5de3d39aa371b956db2
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed