exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 167 RSS Feed

Files from mr_me

Email addresssteventhomasseeley at gmail.com
First Active2009-08-18
Last Active2024-08-31
Cisco DCNM Auth Bypass
Posted Aug 31, 2024
Authored by mr_me, Yann Castel | Site metasploit.com

This exploit is able to add an admin account to a Cisco DCNM with credentials you can choose. After that, you can login to the web interface with those credentials. The only necessary condition is the more or less recent connection of an admin as this exploit uses a kind of session stealing.

tags | exploit, web
systems | cisco
advisories | CVE-2019-15975
SHA-256 | 2634bc8552f91defad40767e6232f25e635ec38b72d6329ce27f8e07acb81918
Softing Secure Integration Server 1.22 Remote Code Execution
Posted Jul 22, 2024
Authored by mr_me, Chris Anastasio, Imran E. Dawoodjee | Site metasploit.com

This Metasploit module chains two vulnerabilities to achieve authenticated remote code execution against Softing Secure Integration Server version 1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk. In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system. The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication. A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one.

tags | exploit, remote, arbitrary, local, spoof, vulnerability, code execution
systems | windows
advisories | CVE-2022-1373, CVE-2022-2334
SHA-256 | 138c45447c1d3fa090b4666327e202412f377f34d7873c3c578299783f2b2a43
VMware Workspace ONE Access Privilege Escalation
Posted Apr 19, 2023
Authored by mr_me, jheysel-r7 | Site metasploit.com

This Metasploit module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.

tags | exploit, local, root
advisories | CVE-2022-22960
SHA-256 | c980fde4ce08516646fb2f75d7208c7f0bc88dcc1103403bca06bec378b78a76
VMware Workspace ONE Remote Code Execution
Posted Apr 18, 2023
Authored by mr_me, jheysel-r7 | Site metasploit.com

This Metasploit module combines two vulnerabilities in order achieve remote code execution in the context of the horizon user. The first vulnerability, CVE-2022-22956, is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection remote code execution vulnerability specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker to deserialize arbitrary Java objects which can allow for remote code execution.

tags | exploit, java, remote, arbitrary, vulnerability, code execution
advisories | CVE-2022-22956, CVE-2022-22957
SHA-256 | 7c29d90e3f3e9d482ff4bcd4e44dc3c7f3847da9e1f2f563dc1812dc6362bcd4
Cacti 1.2.22 Command Injection
Posted Jan 24, 2023
Authored by mr_me, Erik Wynter, Stefan Schiller, Owen Gong | Site metasploit.com

This Metasploit module exploits an unauthenticated command injection vulnerability in Cacti versions through 1.2.22 in order to achieve unauthenticated remote code execution as the www-data user.

tags | exploit, remote, code execution
advisories | CVE-2022-46169
SHA-256 | e63c1aedc4dd728df608137b19687c9e69ec0ae051a555280b58f4cc45f05eb6
VMware NSX Manager XStream Unauthenticated Remote Code Execution
Posted Nov 15, 2022
Authored by mr_me, Sina Kheirkhah, h00die-gr3y | Site metasploit.com

VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13 are vulnerable to remote command injection. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges.

tags | exploit, remote, root, code execution
advisories | CVE-2021-39144
SHA-256 | e1f5fa59aee9a79145c46b8829a1543dbca23d36d00d330dacc1326a5f871b45
VMware Workspace ONE Access Template Injection / Command Execution
Posted May 3, 2022
Authored by mr_me, wvu, Udhaya Prakash | Site metasploit.com

This Metasploit module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access, to execute shell commands as the horizon user.

tags | exploit, shell
advisories | CVE-2022-22954
SHA-256 | bf4114fce190a8b9bc1f2bfc2013620b04b05e7030c7cc59f3d685b8db2038b1
ManageEngine ADSelfService Plus Authentication Bypass / Code Execution
Posted Nov 27, 2021
Authored by mr_me, wvu, Wilfried Becard, Antoine Cervoise | Site metasploit.com

This Metasploit module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.

tags | exploit, bypass
advisories | CVE-2021-40539
SHA-256 | 258a080b77eaface80577b4886f47493eafef016bf16d63a1567107d6f5b76cd
NetMotion Mobility Server MvcUtil Java Deserialization
Posted May 18, 2021
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits an unauthenticated Java deserialization in the NetMotion Mobility server's MvcUtil.valueStringToObject() method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 are vulnerable. Tested against 12.01.09045 on Windows Server 2016.

tags | exploit, java
systems | windows
advisories | CVE-2021-26914
SHA-256 | 98d5e63a61fd5e20065bed1c5d49729a43d215ca4759d51680b7ba3f830ad751
VMware vCenter Server File Upload / Remote Code Execution
Posted Mar 8, 2021
Authored by mr_me, wvu, Mikhail Klyuchnikov, Viss | Site metasploit.com

This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. Furthermore, writing an SSH public key to /home/vsphere-ui/.ssh/authorized_keys works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.

tags | exploit, web, file upload
systems | linux, windows
advisories | CVE-2021-21972
SHA-256 | ee1f708da8c9cdb296637b11bf11d0e1c52209633c21780eca035b11e77bfd1d
Microsoft SharePoint SSI / ViewState Remote Code Execution
Posted Oct 19, 2020
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits a server-side include (SSI) in SharePoint to leak the web.config file and forge a malicious ViewState with the extracted validation key. This exploit is authenticated and requires a user with page creation privileges, which is a standard permission in SharePoint. The web.config file will be stored in loot once retrieved, and the VALIDATION_KEY option can be set to short-circuit the SSI and trigger the ViewState deserialization.

tags | exploit, web
advisories | CVE-2020-16952
SHA-256 | 8a772bb328a333818435b0fb7d18aa9de7efe3438db2021c6e23eafb2146379d
Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution
Posted Sep 17, 2020
Authored by mr_me, wvu | Site metasploit.com

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server. Authentication is required to exploit this vulnerability. Additionally, the target user must have the "Data Loss Prevention" role assigned and an active mailbox. If the user is in the "Compliance Management" or greater "Organization Management" role groups, then they have the "Data Loss Prevention" role. Since the user who installed Exchange is in the "Organization Management" role group, they transitively have the "Data Loss Prevention" role. The specific flaw exists within the processing of the New-DlpPolicy cmdlet. The issue results from the lack of proper validation of user-supplied template data when creating a DLP policy. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Tested against Exchange Server 2016 CU14 on Windows Server 2016.

tags | exploit, remote, arbitrary
systems | windows
advisories | CVE-2020-16875
SHA-256 | 9c64ade1b9672eb090b36bc174f9f1a9a315ff2f06c304a01bbbea3b70e0d409
SharePoint DataSet / DataTable Deserialization
Posted Jul 31, 2020
Authored by Soroush Dalili, mr_me, Spencer McIntyre | Site metasploit.com

A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker to execute code within the context of the SharePoint application service. The privileges in this execution context are determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered from a page that initializes either the ContactLinksSuggestionsMicroView type or a derivative of it. In a default configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.

tags | exploit, remote
advisories | CVE-2020-1147
SHA-256 | 34f2633fdb04b0ab14dd5a0aedaf3e5d3b9e387d4d8619fbdd31dabb809602b6
Cisco UCS Director Cloupia Script Remote Code Execution
Posted Jun 5, 2020
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits an authentication bypass and directory traversals in Cisco UCS Director versions prior to 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command. Note that the primary functionality of this module is to leverage the Cloupia script interpreter to execute code. This functionality is part of the application's intended operation and considered a "foreverday." The authentication bypass and directory traversals only get us there. If you already have an API key, you may set it in the API_KEY option. The LEAK_FILE option may be set if you wish to leak the API key from a different absolute path, but normally this isn't advisable. Tested on Cisco's VMware distribution of 6.7.3.0.

tags | exploit, arbitrary, root
systems | cisco
advisories | CVE-2020-3243, CVE-2020-3250
SHA-256 | e1a3270999313093f5713647237e1d7494e0c1bc022d9a26053bf23d8ac80fe3
ManageEngine Desktop Central Java Deserialization
Posted Mar 14, 2020
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. Tested against 10.0.465 x64.

tags | exploit, java
advisories | CVE-2020-10189
SHA-256 | 1b4d937c85f3beaac187c7d1a0baa59b7627812c7cd91b156f52ad23a8958285
ManageEngine Desktop Central Deserialization / Remote Code Execution
Posted Mar 6, 2020
Authored by mr_me

ManageEngine Desktop Central FileStorage getChartImage deserialization and unauthenticated remote code execution exploit.

tags | exploit, remote, code execution
SHA-256 | e7a5004e898d963d29d2f2cf55c0a66b8e4e7660e4b227893c2270d7ebbe3fd3
Cisco Data Center Network Manager 11.2.1 Command Injection
Posted Feb 6, 2020
Authored by mr_me

Cisco Data Center Network Manager version 11.2.1 remote command injection exploit.

tags | exploit, remote
systems | cisco
advisories | CVE-2019-15977, CVE-2019-15978
SHA-256 | 1dc9300d9c7a69f0cd8ed3652186c6007a1037f37260630af559930e809062ce
Cisco Data Center Network Manager 11.2.1 SQL Injection
Posted Feb 6, 2020
Authored by mr_me

Cisco Data Center Network Manager version 11.2.1 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
systems | cisco
advisories | CVE-2019-15976, CVE-2019-15984
SHA-256 | 437d8b420db1eec19289d0c053fae436486c42eacf69e291ee0cf8ca705ad269
Cisco Data Center Network Manager 11.2 Remote Code Execution
Posted Feb 6, 2020
Authored by mr_me

Cisco Data Center Network Manager version 11.2 remote code execution exploit.

tags | exploit, remote, code execution
systems | cisco
advisories | CVE-2019-15975
SHA-256 | 74fa98093de0741d04ea7ad307c9b37d10281f82652869e8958f8e6740e6396c
Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal
Posted Jun 19, 2019
Authored by mr_me, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user to leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability.

tags | exploit, java, remote, web, arbitrary, code execution
systems | cisco
advisories | CVE-2019-1821
SHA-256 | a4ea9f1287ac1dba88becbc65cca9516c214cbb28ac296ea4aab456d25255b07
Oracle Application Testing Suite WebLogic Server Administration Console War Deployment
Posted May 24, 2019
Authored by mr_me, sinn3r | Site metasploit.com

This Metasploit module abuses a feature in WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. Authentication is required, however by default, Oracle ships with a "oats" account that you could log in with, which grants you administrator access.

tags | exploit, java, remote, code execution
advisories | CVE-2007-2699
SHA-256 | d2ce49b369029d9ba6fa03bf3c938f41ab106d33a06609e2f00de1eb12b975c8
Shopware createInstanceFromNamedArguments PHP Object Instantiation
Posted May 22, 2019
Authored by mr_me, Karim Ouerghemmi | Site metasploit.com

This Metasploit module exploits a php object instantiation vulnerability that can lead to remote code execution in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the code insufficiently performs whitelist check which can be bypassed to trigger an object injection. An attacker can leverage this to deserialize an arbitrary payload and write a webshell to the target system, resulting in remote code execution. Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.

tags | exploit, remote, arbitrary, php, code execution
advisories | CVE-2017-18357
SHA-256 | 663b17e7e771b4cd3b76f4e9be53f77eb788f99d74c6047ec270aeb991f94fd8
HP Intelligent Management Java Deserialization Remote Code Execution
Posted Dec 4, 2018
Authored by mr_me, Carsten MaartmannMoe | Site metasploit.com

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.

tags | exploit, remote, arbitrary, tcp
advisories | CVE-2017-12557
SHA-256 | d80500f62044dc3f7dc37c282b30194790326326fe1303d664ec78ee54518ad4
Foxit PDF Reader 9.0.1.1049 Pointer Overwrite Use-After-Free
Posted Aug 24, 2018
Authored by mr_me, saelo, Jacob Robles, bit from meepwnn | Site metasploit.com

Foxit PDF Reader version 9.0.1.1049 has a use-after-free vulnerability in the Text Annotations component and the TypedArray's use uninitialized pointers. The vulnerabilities can be combined to leak a vtable memory address, which can be adjusted to point to the base address of the executable. A ROP chain can be constructed that will execute when Foxit Reader performs the UAF.

tags | exploit, vulnerability
advisories | CVE-2018-9948, CVE-2018-9958
SHA-256 | 328a4999829d5eb3b12ffaeb666a27977fb72410e1a96f44c840761020615f82
Easylogin Pro 1.3.0 Remote Code Execution
Posted Aug 21, 2018
Authored by mr_me

Easylogin Pro version 1.3.0 suffers from an a deserialization issue in Encryptor.php that permits a code execution vulnerability.

tags | exploit, php, code execution
advisories | CVE-2018-15576
SHA-256 | 828314cfcecb74b2a92f103a5383aef52ae65421c914e8e9cd0f78fc25190c8a
Page 1 of 7
Back12345Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close