what you don't know can hurt you
Showing 1 - 21 of 21 RSS Feed

Files from egypt

First Active2009-11-26
Last Active2017-03-14
Apache Struts Jakarta Multipart Parser OGNL Injection
Posted Mar 14, 2017
Authored by egypt, Nixawk, Nike.Zheng, Jeffrey Martin, Chorder | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.

tags | exploit, remote, web, code execution
advisories | CVE-2017-5638
MD5 | 8637e8ffc6de9189c657a3e087a50331
ExaGrid Known SSH Key / Default Password
Posted Apr 9, 2016
Authored by egypt | Site metasploit.com

ExaGrid ships a public/private key pair on their backup appliances to allow passwordless authentication to other ExaGrid appliances. Since the private key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. Additionally, this module will attempt to use the default password for root, 'inflection'.

tags | exploit, remote, root
advisories | CVE-2016-1560, CVE-2016-1561
MD5 | 3fbd7e79c9e739bd3384bf1e8d1cadf6
Dhclient Bash Environment Variable Injection
Posted Sep 27, 2014
Authored by egypt, Stephane Chazelas | Site metasploit.com

When bash is started with an environment variable that begins with the string "() {", that variable is treated as a function definition and parsed as code. If extra commands are added after the function definition, they will be executed immediately. When dhclient receives an ACK that contains a domain name or hostname, they are passed to configuration scripts as environment variables, allowing us to trigger the bash bug. Because of the length restrictions and unusual networking scenario at time of exploitation, this Metasploit module achieves code execution by echoing our payload into /etc/crontab and cleans it up when we get a shell.

tags | exploit, shell, code execution, bash
advisories | CVE-2014-6271
MD5 | 3906040148097bfee9fc17f307249281
VMWare Setuid vmware-mount Unsafe popen(3)
Posted Aug 29, 2013
Authored by Tavis Ormandy, egypt | Site metasploit.com

VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.

tags | exploit, arbitrary, shell, root
systems | linux, debian
advisories | CVE-2013-1662, OSVDB-96588
MD5 | f174ca6c5c6bd8439fdc4605e284321b
OpenX Backdoor PHP Code Execution
Posted Aug 9, 2013
Authored by egypt, temp66 | Site metasploit.com

OpenX Ad Server version 2.8.10 was shipped with an obfuscated backdoor since at least November 2012 through August 2013. Exploitation is simple, requiring only a single request with a rot13'd and reversed payload.

tags | exploit
advisories | CVE-2013-4211
MD5 | 07a2914e7ca11b4362efa9fc31da14e1
Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
Posted Jul 1, 2013
Authored by Tavis Ormandy, egypt, sinn3r, juan vazquez, progmboy, Meatballs, Keebie4e | Site metasploit.com

This Metasploit module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.

tags | exploit
systems | windows, xp, 7
advisories | CVE-2013-3660, OSVDB-93539
MD5 | 4c66155f0bae4b1bbeab91b35499cc0d
Ruby on Rails JSON Processor YAML Deserialization Code Execution
Posted Jan 29, 2013
Authored by egypt, lian, jjarmoc | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to CVE-2013-0156. This Metasploit module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

tags | exploit, remote, code execution, ruby
advisories | CVE-2013-0333
MD5 | a94c8b488a79ce550781a982eed5d4a2
Java Applet JMX Remote Code Execution
Posted Jan 11, 2013
Authored by unknown, egypt, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2013-0422
MD5 | 30886a5fe5a8c62f2f65b5d9af2cfd89
PostgreSQL for Linux Payload Execution
Posted Dec 15, 2012
Authored by egypt, todb, midnitesnake | Site metasploit.com

On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This Metasploit module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object's constructor, it does not need to conform to specific Postgres API versions.

tags | exploit, arbitrary
systems | linux
MD5 | 03d39ba3ca97edacf964b7dc85b57216
ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection
Posted Oct 28, 2012
Authored by egypt, sinn3r, xistence | Site metasploit.com

This Metasploit module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page, which results in remote code execution under the context of SYSTEM in Windows; or as the user in Linux. Authentication is not required in order to exploit this vulnerability.

tags | exploit, remote, code execution, sql injection
systems | linux, windows
MD5 | d3ae3405d31d907b6c62f95cb8355fee
Linux udev Netlink Local Privilege Escalation
Posted Sep 14, 2012
Authored by Kingcope, Jon Oberheide, egypt | Site metasploit.com

Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland.

tags | exploit, kernel, local
advisories | CVE-2009-1185
MD5 | f530c8916556636af4ff58b2ba7cb938
Psexec Via Current User Token
Posted Aug 3, 2012
Authored by Jabra, egypt | Site metasploit.com

This Metasploit module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the service(s). The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash.

tags | exploit, remote
advisories | CVE-1999-0504, OSVDB-3106
MD5 | 0bbd2a9a13a6e081275470dda5d8d388
Linux Kernel Sendpage Local Privilege Escalation
Posted Jul 19, 2012
Authored by Brad Spengler, Ramon de C Valle, Tavis Ormandy, Julien Tinnes, egypt | Site metasploit.com

The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4

tags | exploit, arbitrary, kernel, protocol, ppc
systems | linux
advisories | CVE-2009-2692
MD5 | 2592f40037078ac9737526c10644b4e9
Setuid Nmap Exploit
Posted Jul 19, 2012
Authored by egypt | Site metasploit.com

Nmap's man page mentions that "Nmap should never be installed with special privileges (e.g. suid root) for security reasons.." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This Metasploit module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.

tags | exploit, root, perl, ruby
systems | unix
MD5 | 451cc1f390a0ee0ae43183a67ef08439
F5 BIG-IP SSH Private Key Exposure
Posted Jun 12, 2012
Authored by egypt | Site metasploit.com

F5 ships a public/private key pair on BIG-IP appliances that allows passwordless authentication to any other BIG-IP box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.

tags | exploit, remote, root
advisories | CVE-2012-1493, OSVDB-82780
MD5 | af1646ec0e8678f829f5946ae8c5cabb
Java AtomicReferenceArray Type Violation
Posted Mar 30, 2012
Authored by egypt, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

tags | exploit
advisories | CVE-2012-0507, OSVDB-80724
MD5 | 231bc9024a8d1bdd347e7c1c06aeacf5
Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit
Posted Nov 23, 2010
Authored by egypt, Matthias Kaiser | Site metasploit.com

This Metasploit module exploits a vulnerability in Java Runtime Environment that allows an attacker to escape the Java Sandbox. By injecting a parameter into a javaws call within the BasicServiceImpl class the default java sandbox policy file can be therefore overwritten. The vulnerability affects version 6 prior to update 22. NOTE: Exploiting this vulnerability causes several sinister-looking popup windows saying that Java is "Downloading application."

tags | exploit, java
systems | windows
advisories | CVE-2010-3563, OSVDB-69043
MD5 | 9a21a47d9c36f5a1bda2c5036310f6c0
Java RMIConnectionImpl Deserialization Privilege Escalation Exploit
Posted Sep 9, 2010
Authored by egypt, Matthias Kaiser, Sami Koivu | Site metasploit.com

This Metasploit module exploits a vulnerability in the Java Runtime Environment that allows to deserialize a MarshalledObject containing a custom classloader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

tags | exploit, java
advisories | CVE-2010-0094
MD5 | 0d92c0d644f75f48c339916b902897e1
Java Statement.invoke() Trusted Method Chain Exploit
Posted Aug 24, 2010
Authored by egypt, Matthias Kaiser, Sami Koivu | Site metasploit.com

This Metasploit module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

tags | exploit, java
advisories | CVE-2010-0840
MD5 | 4e689cf5083f3182b1988ba27606166b
osCommerce 2.2 Arbitrary PHP Code Execution
Posted Dec 31, 2009
Authored by egypt | Site metasploit.com

osCommerce is a popular open source E-Commerce application. The admin console contains a file management utility that allows administrators to upload, download, and edit files. This could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.

tags | exploit, arbitrary
MD5 | 3182e31e7b732ee6b1a9fd7995c97684
Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
Posted Nov 26, 2009
Authored by MC, egypt | Site metasploit.com

This Metasploit module exploits a buffer overflow in Apple QuickTime 7.1.3. This Metasploit module was inspired by MOAB-01-01-2007. The Browser target for this module was tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin.

tags | exploit, overflow
systems | windows, apple, xp
advisories | CVE-2007-0015
MD5 | d2ab9eb9d899356379e076fe8e98c51f
Page 1 of 1
Back1Next

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close