Showing 1 - 25 of 103

Files from Brendan Coles

Email address: bcoles at gmail.com
First Active: 2011-06-24
Last Active: 2024-12-03

Asterisk AMI Originate Authenticated Remote Code Execution
Posted Dec 3, 2024
Authored by h00die, Brendan Coles | Site metasploit.com

On Asterisk, prior to versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with write=originate may change all configuration files in the /etc/asterisk/ directory. A new extension can be written which performs a system command to achieve RCE as the asterisk service user (typically asterisk). The default parking lot in FreePBX is called "Default lot" on the website interface, however it is actually parkedcalls. Tested against Asterisk 19.8.0 and 18.16.0 on Freepbx SNG7-PBX16-64bit-2302-1.

tags | exploit
advisories | CVE-2024-42365
SHA-256 | aaa85ef431233c3a1132d94aecb8ae125513ea2870cf4cccc7e2d15d096664fb
QNX Qconn Command Execution
Posted Sep 12, 2024
Authored by Brendan Coles, Mor!p3r, David Odell | Site metasploit.com

This Metasploit module uses the qconn daemon on QNX systems to gain a shell. The QNX qconn daemon does not require authentication and allows remote users to execute arbitrary operating system commands. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).

tags | exploit, remote, arbitrary, shell, x86
SHA-256 | 217c97be589524ea77431218332eff5e82efabdd6dfa3503ed0ddab691480814
EasyCafe Server Remote File Access
Posted Sep 1, 2024
Authored by Brendan Coles, R-73eN | Site metasploit.com

This Metasploit module exploits a file retrieval vulnerability in EasyCafe Server. The vulnerability can be triggered by sending a specially crafted packet (opcode 0x43) to the 831/TCP port. This Metasploit module has been successfully tested on EasyCafe Server version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3 and Windows 7 SP1. Note that the server will throw a popup messagebox if the specified file does not exist.

tags | exploit, tcp
systems | windows, xp, 7
SHA-256 | 33d40a2aa040357554a8308847a479cb0f61d14ed8afe5d9bd0a74c18bb67185
ThinVNC Directory Traversal
Posted Sep 1, 2024
Authored by Brendan Coles, WarMarX, jinxbox | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability in ThinVNC versions 1.0b1 and prior which allows unauthenticated users to retrieve arbitrary files, including the ThinVNC configuration file. This Metasploit module has been tested successfully on ThinVNC versions 1.0b1 and "ThinVNC_Latest" (2018-12-07).

tags | exploit, arbitrary
advisories | CVE-2019-17662
SHA-256 | 9f7e4c4546a87e391ac57736315d855264a0c23fffbb62dd4066111164fc5ac9
ManageEngine DeviceExpert User Credentials
Posted Sep 1, 2024
Authored by Brendan Coles, Pedro Ribeiro | Site metasploit.com

This Metasploit module extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior. This Metasploit module has been tested successfully on DeviceExpert version 5.9.7 build 5970.

tags | exploit
advisories | CVE-2014-5377
SHA-256 | 79fe4ba92356fc084ff5c7845a61a883366dba4b943255ae8ace8a852e28608c
Apache Flink JobManager Traversal
Posted Sep 1, 2024
Authored by Brendan Coles, Hoa Nguyen, 0rich1 | Site metasploit.com

This Metasploit module exploits an unauthenticated directory traversal vulnerability in Apache Flink versions 1.11.0 through 1.11.2. The JobManager REST API fails to validate user-supplied log file paths, allowing retrieval of arbitrary files with the privileges of the web server user. This Metasploit module has been tested successfully on Apache Flink version 1.11.2 on Ubuntu 18.04.4.

tags | exploit, web, arbitrary
systems | linux, ubuntu
advisories | CVE-2020-17519
SHA-256 | 776647522193812481f55a112c7a98a591a11cb7829c40e7841d4b5813acf9fa
SurgeNews User Credentials
Posted Sep 1, 2024
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in the WebNews web interface of SurgeNews on TCP ports 9080 and 8119 which allows unauthenticated users to download arbitrary files from the software root directory; including the user database, configuration files and log files. This Metasploit module extracts the administrator username and password, and the usernames and passwords or password hashes for all users. This Metasploit module has been tested successfully on SurgeNews version 2.0a-13 on Windows 7 SP 1 and 2.0a-12 on Ubuntu Linux.

tags | exploit, web, arbitrary, root, tcp
systems | linux, windows, ubuntu, 7
SHA-256 | 73764b44f63d2549636f9a072cfc6159cd3fc1782b3972e02ed0b63dd113c7dc
ScadaBR Credentials Dumper
Posted Aug 31, 2024
Authored by Brendan Coles | Site metasploit.com

This Metasploit module retrieves credentials from ScadaBR, including service credentials and unsalted SHA1 password hashes for all users, by invoking the EmportDwr.createExportData DWR method of Mango M2M which is exposed to all authenticated users regardless of privilege level. This Metasploit module has been tested successfully with ScadaBR versions 1.0 CE and 0.9 on Windows and Ubuntu systems.

tags | exploit
systems | linux, windows, ubuntu
SHA-256 | f40596265049d10a36a1005409391f8bea85bf7ec0db2b99e32a83e6d53b79fe
TeamTalk Gather Credentials
Posted Aug 31, 2024
Authored by Brendan Coles | Site metasploit.com

This Metasploit module retrieves user credentials from BearWare TeamTalk. Valid administrator credentials are required. This Metasploit module has been tested successfully on TeamTalk versions 5.2.2.4885 and 5.2.3.4893.

tags | exploit
SHA-256 | 543a575692c7a6d5bf4f81a65d2fe8485849c21c68fc2624a2eb433643de1eb6
Xymon Daemon Gather Information
Posted Aug 31, 2024
Authored by Brendan Coles, Markus Krell | Site metasploit.com

This Metasploit module retrieves information from a Xymon daemon service (formerly Hobbit, based on Big Brother), including server configuration information, a list of monitored hosts, and the associated client log for each host. This Metasploit module also retrieves usernames and password hashes from the xymonpasswd config file from Xymon servers before 4.3.25, which permit download of arbitrary config files (CVE-2016-2055), and servers configured with ALLOWALLCONFIGFILES enabled.

tags | exploit, arbitrary
advisories | CVE-2016-2055
SHA-256 | 9ee70b9bf9b8edb046baafd8f5faf4f4a2796e5fb36f7a5b908641436a2306ab
DoliWamp jqueryFileTree.php Traversal Gather Credentials
Posted Aug 31, 2024
Authored by Brendan Coles | Site metasploit.com

This Metasploit module will extract user credentials from DoliWamp - a WAMP packaged installer distribution for Dolibarr ERP on Windows - versions 3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session tokens in filenames in the tmp directory. A directory traversal vulnerability in jqueryFileTree.php allows unauthenticated users to retrieve session tokens by listing the contents of this directory. Note: All tokens expire after 30 minutes of inactivity by default.

tags | exploit, php
systems | windows
SHA-256 | 343f39a5e75827ba9aafe33c696a34ec5f95c6a3bec54cae7cab8ff77208bdb4
IBM AIX 7.2 inscout Privilege Escalation
Posted May 18, 2023
Authored by Tim Brown, Brendan Coles | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the IBM AIX invscout set-uid root utility present in AIX 7.2 and earlier. The undocumented -rpm argument can be used to install an RPM file; and the undocumented -o argument passes arguments to the rpm utility without validation, leading to command injection with effective-uid root privileges. This module has been tested successfully on AIX 7.2.

tags | exploit, root
systems | aix
advisories | CVE-2023-28528
SHA-256 | f3e0281ebf8cc8be1ea81e0032c40dcbde5f2db791362ec9903abdd761d6ef66
Vagrant Synced Folder Vagrantfile Breakout
Posted Oct 27, 2022
Authored by Brendan Coles, HashiCorp | Site metasploit.com

This Metasploit module exploits a default Vagrant synced folder (shared folder) to append a Ruby payload to the Vagrant project Vagrantfile config file. By default, unless a Vagrant project explicitly disables shared folders, Vagrant mounts the project directory on the host as a writable vagrant directory on the guest virtual machine. This directory includes the project Vagrantfile configuration file. Ruby code within the Vagrantfile is loaded and executed when a user runs any vagrant command from the project directory on the host, leading to execution of Ruby code on the host.

tags | exploit, ruby
SHA-256 | 4aa68ef0141c22e4e2be0cd50c642945c2afd7a94ea98ee68a6375e6bd398e81
Grandstream GXV31XX settimezone Unauthenticated Command Execution
Posted Feb 9, 2022
Authored by Brendan Coles, alhazred, Brendan Scarvell | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Grandstream GXV31XX IP multimedia phones. The settimezone action does not validate input in the timezone parameter allowing injection of arbitrary commands. A buffer overflow in the phonecookie cookie parsing allows authentication to be bypassed by providing an alphanumeric cookie 93 characters in length. This module was tested successfully on Grandstream models: GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.

tags | exploit, overflow, arbitrary
advisories | CVE-2019-10655
SHA-256 | cc41409b8e7ba0962a39d75e4cae7e60ab281dbc2db437a377040c160691840b
QEMU Monitor HMP migrate Command Execution
Posted Feb 8, 2022
Authored by Brendan Coles | Site metasploit.com

This Metasploit module uses QEMU's Monitor Human Monitor Interface (HMP) TCP server to execute system commands using the migrate command. This module has been tested successfully on QEMU version 6.2.0 on Ubuntu 20.04.

tags | exploit, tcp
systems | linux, ubuntu
SHA-256 | 31bb8b20fecf053ea400a06b2e8d39f22d910c3d0025edb6108fcff42b5aa6e0
Grandstream GXV3175 Unauthenticated Command Execution
Posted Jan 20, 2022
Authored by Brendan Coles, alhazred, Brendan Scarvell | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Grandstream GXV3175 IP multimedia phones. The settimezone action does not validate input in the timezone parameter allowing injection of arbitrary commands. A buffer overflow in the phonecookie cookie parsing allows authentication to be bypassed by providing an alphanumeric cookie 93 characters in length. This module was tested successfully on Grandstream GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19.

tags | exploit, overflow, arbitrary
advisories | CVE-2019-10655
SHA-256 | d0fc19a40c910116b96508ffd011c4004a203947a4105f88adf98dfcb129e127
Netfilter x_tables Heap Out-Of-Bounds Write / Privilege Escalation
Posted Oct 7, 2021
Authored by Brendan Coles, Andy Nguyen, Szymon Janusz | Site metasploit.com

A heap out-of-bounds write affecting Linux since version 2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a denial of service (via heap memory corruption) through user name space. Kernels up to and including 5.11 are vulnerable.

tags | exploit, denial of service, kernel
systems | linux
advisories | CVE-2021-22555
SHA-256 | 7caefc49d920cc0b0d58e9ad762b7ffbd02e62e1e3225217c8586f8867ea42e8
Microsoft Windows RRAS Service MIBEntryGet Overflow
Posted Mar 5, 2021
Authored by Brendan Coles, Shadow Brokers, Equation Group, Victor Portal | Site metasploit.com

This Metasploit module exploits an overflow in the Windows Routing and Remote Access Service (RRAS) to execute code as SYSTEM. The RRAS DCERPC endpoint is accessible to unauthenticated users via SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts; however, this module targets Windows Server 2003 only. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well.

tags | exploit, remote, overflow
systems | windows
advisories | CVE-2017-8461
SHA-256 | 0ae2b9ea7eebb2360a416f9ca767c77a6dbd884480e2109006104ebb2c2a7cb2
Apache Flink JAR Upload Java Code Execution
Posted Feb 23, 2021
Authored by Brendan Coles, bigger.wing, Henry Chen | Site metasploit.com

This Metasploit module uses job functionality in the Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu 18.04.4; 1.9.3 on Windows 10; and 1.11.2 on Windows 10.

tags | exploit, java, remote, web, arbitrary
systems | linux, windows, ubuntu
SHA-256 | c4af5d4222df2b897758547790bace5a4fc29668737046e86bcb9bdee4ee6038
Klog Server 2.4.1 Command Injection
Posted Feb 15, 2021
Authored by Brendan Coles, Metin Yunus Kandemir, B3KC4T | Site metasploit.com

This Metasploit module exploits an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and prior. The authenticate.php file uses the user HTTP POST parameter in a call to the shell_exec() PHP function without appropriate input validation, allowing arbitrary command execution as the apache user.

tags | exploit, web, arbitrary, php
advisories | CVE-2020-35729
SHA-256 | 5ec6676b8d5b72c304f3f383a6b3a1bbcb4df27ceff247690cd2cd511bbf75bb
Aerospike Database UDF Lua Code Execution
Posted Dec 11, 2020
Authored by Brendan Coles, b4ny4n | Site metasploit.com

Aerospike Database versions before 5.1.0.3 permitted user-defined functions (UDF) to call the os.execute Lua function. This Metasploit module creates a UDF utilizing this function to execute arbitrary operating system commands with the privileges of the user running the Aerospike service. This module does not support authentication; however Aerospike Database Community Edition does not enable authentication by default. This module has been tested successfully on Ubuntu with Aerospike Database Community Edition versions 4.9.0.5, 4.9.0.11 and 5.0.0.10.

tags | exploit, arbitrary
systems | linux, ubuntu
advisories | CVE-2020-13151
SHA-256 | 9da6a0d3621953b2fc4709d0b41d45d3637b5f4cbe3f23650d74e4584833bfb6
VyOS restricted-shell Escape / Privilege Escalation
Posted Sep 21, 2020
Authored by Brendan Coles, Rich Mirch | Site metasploit.com

This Metasploit module exploits command injection vulnerabilities and an insecure default sudo configuration on VyOS versions 1.0.0 through 1.1.8 to execute arbitrary system commands as root. VyOS features a restricted-shell system shell intended for use by low privilege users with operator privileges. This module exploits a vulnerability in the telnet command to break out of the restricted shell, then uses sudo to exploit a command injection vulnerability in /opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl to execute commands with root privileges. This module has been tested successfully on VyOS 1.1.8 amd64 and VyOS 1.0.0 i386.

tags | exploit, arbitrary, shell, root, vulnerability
advisories | CVE-2018-18556
SHA-256 | b66d6e6dd1c51b3775727b717e6c2e5f0d992e14e7e7e85bf10477d801697f46
Mida Solutions eFramework ajaxreq.php Command Injection
Posted Sep 16, 2020
Authored by Brendan Coles, elbae | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.

tags | exploit, arbitrary, root, php
advisories | CVE-2020-15920
SHA-256 | 4878a731edc0be4c0ac00692ed93b267a31861eb08b009ecca9a7586cc59c464
FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation
Posted Jul 31, 2020
Authored by Brendan Coles, Andy Nguyen | Site metasploit.com

This Metasploit module exploits a race and use-after-free vulnerability in the FreeBSD kernel IPv6 socket handling. A missing synchronization lock in the IPV6_2292PKTOPTIONS option handling in setsockopt permits racing ip6_setpktopt access to a freed ip6_pktopts struct. This exploit overwrites the ip6po_pktinfo pointer of an ip6_pktopts struct in freed memory to achieve arbitrary kernel read/write.

tags | exploit, arbitrary, kernel
systems | freebsd, bsd
advisories | CVE-2020-7457
SHA-256 | 00b0e1e6a5651af403765318e00556b0c8953f9ef2bbda38acb929b269045b6a
Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
Posted May 12, 2020
Authored by Brendan Coles, Chris Lyne | Site metasploit.com

Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.5.2 and prior do not validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested successfully on inSync version 6.5.2r99097 on Windows 7 SP1 (x64).

tags | exploit, arbitrary, local, tcp
systems | windows
advisories | CVE-2019-3999
SHA-256 | 12e3b974b7cb427087439bf5f922afb373bca8c3346525b183f6422b28801319
Page 1 of 5