Files from Spencer McIntyre

Email address: smcintyre at securestate.com
First Active: 2011-01-12
Last Active: 2020-07-31
SharePoint DataSet / DataTable Deserialization
Posted Jul 31, 2020
Authored by Soroush Dalili, mr_me, Spencer McIntyre | Site metasploit.com

A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker to execute code within the context of the SharePoint application service. The privileges in this execution context are determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered from a page that initializes either the ContactLinksSuggestionsMicroView type or a derivative of it. In a default configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.

tags | exploit, remote
advisories | CVE-2020-1147
MD5 | 1951b8a6649841f289b9e4feb3f9e3b0
AnyDesk GUI Format String Write
Posted Jul 2, 2020
Authored by Spencer McIntyre, scryh | Site metasploit.com

The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.

tags | exploit
advisories | CVE-2020-13160
MD5 | e9ef3a85832f0886a5ba8ac4e7bad664
Plesk / myLittleAdmin ViewState .NET Deserialization
Posted May 22, 2020
Authored by Spencer McIntyre, wvu | Site metasploit.com

This Metasploit module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded machineKey parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup. Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account". Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.

tags | exploit, web, code execution, asp
advisories | CVE-2020-13166
MD5 | 863f2f71f0ddb8aeb000570885bf0d3f
SMBv3 Compression Buffer Overflow
Posted Apr 6, 2020
Authored by Spencer McIntyre, Daniel Garcia Gutierrez, Manuel Blanco Parajon | Site metasploit.com

A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.

tags | exploit, local, protocol
advisories | CVE-2020-0796
MD5 | e501e1f41664d21dafdcafb9634371c8
SharePoint Workflows XOML Injection
Posted Mar 26, 2020
Authored by Soroush Dalili, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability within SharePoint and its .NET backend that allows an attacker to execute commands using specially crafted XOML data sent to SharePoint via the Workflows functionality.

tags | exploit
advisories | CVE-2020-0646
MD5 | 5b6ade0c1b4442dfc1e0314f571595ad
SQL Server Reporting Services (SSRS) ViewState Deserialization
Posted Mar 12, 2020
Authored by Soroush Dalili, Spencer McIntyre | Site metasploit.com

A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server.

tags | exploit, remote, web, code execution
advisories | CVE-2020-0618
MD5 | 0c8baebbb6c756de8b19d1b75adb66b5
Exchange Control Panel Viewstate Deserialization
Posted Mar 4, 2020
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis, resulting in every installation using the same validationKey and decryptionKey values. With knowledge of these values, an attacker can craft a special viewstate to cause an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization.

tags | exploit, web
advisories | CVE-2020-0688
MD5 | ed889ec6ff5a153c3263e25acbc08820
RDP DOUBLEPULSAR Remote Code Execution
Posted Feb 4, 2020
Authored by Luke Jennings, Spencer McIntyre, wvu, Tom Sellers, Shadow Brokers, Equation Group | Site metasploit.com

This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for RDP. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.

tags | exploit, code execution
MD5 | 17347c2786d7d69040d62415c11b7c42
Microsoft Windows LNK File Code Execution
Posted Nov 8, 2017
Authored by Yorick Koster, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2015-0095, CVE-2017-8464
MD5 | e8d2e4d615be10d88bf8b20b6b549143
Razer Synapse rzpnk.sys ZwOpenProcess
Posted Jul 22, 2017
Authored by Spencer McIntyre | Site metasploit.com

A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM.

tags | exploit, web, arbitrary, shellcode
advisories | CVE-2017-9769
MD5 | 05dbcbf512b9be0da1b9ceddb93d860c
PHPMailer Sendmail Argument Injection
Posted Jan 4, 2017
Authored by Dawid Golunski, Spencer McIntyre | Site metasploit.com

PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This Metasploit module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.

tags | exploit, web, arbitrary, root
advisories | CVE-2016-10033, CVE-2016-10045
MD5 | a8dc72e0680b992ed76e35257184f274
PowerShellEmpire Arbitrary File Upload (Skywalker)
Posted Nov 18, 2016
Authored by Spencer McIntyre, Erik Daguerre | Site metasploit.com

A vulnerability existed in the PowerShellEmpire server prior to commit f030cf62 which would allow an arbitrary file to be written to an attacker-controlled location with the permissions of the Empire server. This exploit will write the payload to the /tmp/ directory followed by a cron.d file to execute the payload.

tags | exploit, arbitrary
MD5 | 6dd255ac3b4ace7f8e1264d54a7d922b
HTA Web Server
Posted Oct 12, 2016
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module hosts an HTML Application (HTA) that when opened will run a payload via PowerShell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed.

tags | exploit
MD5 | 9e72e42af707da32ec75302dd82c4ae3
Windows TrackPopupMenu Win32k NULL Pointer Dereference
Posted Oct 28, 2014
Authored by Spencer McIntyre, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a NULL pointer dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This Metasploit module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32-bit, as well as on Windows 7 SP1 and Windows 2008 R2 SP1 64-bit.

tags | exploit, arbitrary, code execution
systems | windows, xp, 7
advisories | CVE-2014-4113
MD5 | 52feb4363d45b4378ac8a66855db145f
Pure-FTPd External Authentication Bash Environment Variable Code Injection
Posted Oct 2, 2014
Authored by Frank Denis, Spencer McIntyre, Stephane Chazelas | Site metasploit.com

This Metasploit module exploits the code injection flaw known as shellshock which leverages specially crafted environment variables in Bash. This exploit specifically targets Pure-FTPd when configured to use an external program for authentication.

tags | exploit, bash
advisories | CVE-2014-6271
MD5 | 1509d16ef5a69d2e95b0b3996782eef8
MQAC.sys Arbitrary Write Privilege Escalation
Posted Jul 25, 2014
Authored by Spencer McIntyre, Matt Bergin | Site metasploit.com

A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process.

tags | exploit, arbitrary, kernel
advisories | CVE-2014-4971
MD5 | feb4824b786f7e7f8c1a0fb58ac6aae6
MS14-017 Microsoft Word RTF Object Confusion
Posted Apr 9, 2014
Authored by Haifei Li, Spencer McIntyre | Site metasploit.com

This Metasploit module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This Metasploit module was created by reversing a public malware sample.

tags | exploit, code execution
advisories | CVE-2014-1761
MD5 | 0173b4b676a7c4cce5d3669d25e38c2e
Windows TrackPopupMenuEx Win32k NULL Page
Posted Feb 11, 2014
Authored by Spencer McIntyre, Dan Zentner, Seth Gibson, Matias Soler | Site metasploit.com

This Metasploit module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This Metasploit module has been tested successfully on Windows 7 SP0 and Windows 7 SP1.

tags | exploit
systems | windows, 7
advisories | CVE-2013-3881, OSVDB-98212
MD5 | 5e3007d6712572a8e4850e4c1207fdc1
Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow
Posted May 31, 2013
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the db_netserver process which is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.

tags | exploit, overflow
advisories | CVE-2013-3563
MD5 | c879e1e5716cef4a74c310721de2df60
SSH User Code Execution
Posted May 15, 2013
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.

tags | exploit, shell
advisories | CVE-1999-0502
MD5 | c51d5809d74feb050ba211d2afd1170e
Firebird Relational Database CNCT Group Number Buffer Overflow
Posted Mar 8, 2013
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer, allowing the attacker to control where data is read from. Shortly following the controlled read, the pointer is called, resulting in code execution. The vulnerability exists in a group number extracted from the CNCT information, which is sent by the client and whose size is not properly checked. This Metasploit module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows execution of the ROP chain, which ultimately is used to call VirtualAlloc and bypass DEP.

tags | exploit, code execution
advisories | CVE-2013-2492
MD5 | b878a92dd2801b8f41f16452649b8003
Jenkins Script-Console Java Execution
Posted Jan 19, 2013
Authored by Spencer McIntyre, jamcut | Site metasploit.com

This Metasploit module uses the Jenkins Groovy script console to execute OS commands using Java.

tags | exploit, java
MD5 | 22bf8e9fc1f1498f73af67178f1aac14
Netwin SurgeFTP Remote Command Execution
Posted Dec 24, 2012
Authored by sinn3r, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. Note that a valid credential for the web-based administrative console is required in order to execute commands via the FTP service.

tags | exploit, web
MD5 | f28d69c21e4ade38f76954d490bd4b09
SurgeFTP Remote Command Execution
Posted Dec 20, 2012
Authored by Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a flaw in the SurgeFTP server's web-based administrative console to execute arbitrary commands.

tags | exploit, web, arbitrary
MD5 | 27837668ae567b3ace02e8d21d13e7ae
MS11-080 AfdJoinLeaf Privilege Escalation
Posted Oct 3, 2012
Authored by Matteo Memelli, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.

tags | exploit, kernel, shellcode
advisories | CVE-2011-2005
MD5 | 4bb673fc92283c6a680ddea5396dce74
© 2020 Packet Storm. All rights reserved.