accept no compromises
Showing 1 - 25 of 28 RSS Feed

Files from Brendan Coles

Email addressbcoles at gmail.com
First Active2011-06-24
Last Active2017-08-02
Nitro Pro PDF Reader 11.0.3.173 Remote Code Execution
Posted Aug 2, 2017
Authored by mr_me, sinn3r, Brendan Coles | Site metasploit.com

This Metasploit module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro PDF Reader version 11. The saveAs() Javascript API function allows for writing arbitrary files to the file system. Additionally, the launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog Note: This is 100% reliable.

tags | exploit, arbitrary, local, javascript
advisories | CVE-2017-7442
MD5 | 18ea66b3d4ade909dbf22fe503cf7764
VICIdial user_authorization Unauthenticated Command Execution
Posted Jul 22, 2017
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in VICIdial versions 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default). When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to exec(). This Metasploit module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.

tags | exploit, web, arbitrary
systems | linux, centos
MD5 | 97f5f8a82932db45a47b13397a65ccd6
Metasploit RPC Console Command Execution
Posted Jul 22, 2017
Authored by Brendan Coles | Site metasploit.com

This Metasploit module connects to a specified Metasploit RPC server and uses the 'console.write' procedure to execute operating system commands. Valid credentials are required to access the RPC interface. This Metasploit module has been tested successfully on Metasploit 4.15 on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit 4.14 on Windows 7 SP1.

tags | exploit
systems | windows, 7
MD5 | b76c5685a0298b752e8aaaf4f214e190
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

tags | exploit, arbitrary
advisories | CVE-2017-7494
MD5 | 540c24e5e6cfcfa8e2adea53b8b83491
Serviio Media Server checkStreamUrl Command Execution
Posted May 17, 2017
Authored by LiquidWorm, Brendan Coles | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in the console component of Serviio Media Server versions 1.4 to 1.8 on Windows operating systems. The console service (on port 23423 by default) exposes a REST API which which does not require authentication. The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands. This Metasploit module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

tags | exploit, remote, arbitrary
systems | windows, 7
advisories | OSVDB-41961
MD5 | ab1da9f50ece75772d5c07e501778759
MVPower DVR Shell Unauthenticated Command Execution
Posted Feb 25, 2017
Authored by Brendan Coles, Andrew Tierney, Paul Davies | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string. This Metasploit module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17). The TV-7108HE model is also reportedly affected, but untested.

tags | exploit, remote, web, arbitrary, shell
MD5 | b943340b352d3992b7f12c896f1c4222
Dell KACE K1000 File Upload
Posted Apr 13, 2016
Authored by Brendan Coles, Bradley Austin | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in Kace K1000 versions 5.0 to 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 which allows unauthenticated users to execute arbitrary commands under the context of the 'www' user. This Metasploit module also abuses the 'KSudoClient::RunCommandWait' function to gain root privileges. This Metasploit module has been tested successfully with Dell KACE K1000 version 5.3.

tags | exploit, arbitrary, root, file upload
MD5 | c04ab65765d94cdc1e56b808b44fc1bc
D-Link DCS-931L Arbitrary File Upload
Posted Jan 6, 2016
Authored by Brendan Coles, J. Rach, Allen Harper, Mike Baucom | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in D-Link DCS-931L network cameras. The setFileUpload functionality allows authenticated users to upload files to anywhere on the file system, allowing system files to be overwritten, resulting in execution of arbitrary commands. This Metasploit module has been tested successfully on a D-Link DCS-931L with firmware versions 1.01_B7 (2013-04-19) and 1.04_B1 (2014-04-21). D-Link DCS-930L, DCS-932L, DCS-933L models are also reportedly affected, but untested.

tags | exploit, arbitrary, file upload
advisories | CVE-2015-2049
MD5 | c004fc97c48c539da2a1404559c5804c
SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
Posted Mar 6, 2014
Authored by Brendan Coles, Mohamed Shetta | Site metasploit.com

This Metasploit module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista code execution can be achieved by first uploading the payload as an exe file, and then upload another mof file, which schedules WMI to execute the uploaded payload. This Metasploit module has been tested successfully on SolidWorks Workgroup PDM 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).

tags | exploit, remote, arbitrary, code execution
systems | windows, xp, vista, 7
MD5 | 616b6529ac383dc0589643283677afc7
Simple E-Document Arbitrary File Upload
Posted Jan 28, 2014
Authored by Brendan Coles, vinicius777 | Site metasploit.com

This Metasploit module exploits a file upload vulnerability found in Simple E-Document versions 3.0 to 3.1. Attackers can bypass authentication and abuse the upload feature in order to upload malicious PHP files which results in arbitrary remote code execution as the web server user. File uploads are disabled by default.

tags | exploit, remote, web, arbitrary, php, code execution, file upload
MD5 | 6673942972dbee1582ce76afa3bf104d
Kimai 0.9.2 db_restore.php SQL Injection
Posted Nov 28, 2013
Authored by Brendan Coles, drone | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in Kimai version 0.9.2.x. The 'db_restore.php' file allows unauthenticated users to execute arbitrary SQL queries. This Metasploit module writes a PHP payload to disk if the following conditions are met: The PHP configuration must have 'display_errors' enabled, Kimai must be configured to use a MySQL database running on localhost; and the MySQL user must have write permission to the Kimai 'temporary' directory.

tags | exploit, arbitrary, php, sql injection
MD5 | aec9a8141849e97ce005dc4486ce99e3
ProcessMaker Open Source Authenticated PHP Code Execution
Posted Oct 30, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a PHP code execution vulnerability in the 'neoclassic' skin for ProcessMaker Open Source which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x and cannot be removed via the web interface.

tags | exploit, web, php, code execution
advisories | OSVDB-99199
MD5 | ecb230017a0837b04f48532b97f21dd3
WebTester 5.x Command Execution
Posted Oct 18, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in WebTester version 5.x. The 'install2.php' file allows unauthenticated users to execute arbitrary commands in the 'cpusername', 'cppassword' and 'cpdomain' parameters.

tags | exploit, arbitrary, php
MD5 | 5346027be18c609408f729a1a14f0e25
VMware Hyperic HQ Groovy Script-Console Java Execution
Posted Oct 11, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module uses the VMware Hyperic HQ Groovy script console to execute OS commands using Java. Valid credentials for an application administrator user account are required. This Metasploit module has been tested successfully with Hyperic HQ 4.6.6 on Windows 2003 SP2 and Ubuntu 10.04 systems.

tags | exploit, java
systems | linux, windows, ubuntu
MD5 | 3096f632c71fe89a255343816fc50a94
MiniWeb (Build 300) Arbitrary File Upload
Posted Aug 14, 2013
Authored by Akastep, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in MiniWeb HTTP server (build 300). The software contains a file upload vulnerability that allows an unauthenticated remote attacker to write arbitrary files to the file system. Code execution can be achieved by first uploading the payload to the remote machine as an exe file, and then upload another mof file, which enables WMI (Management Instrumentation service) to execute the uploaded payload. Please note that this module currently only works for Windows before Vista.

tags | exploit, remote, web, arbitrary, code execution, file upload
systems | windows
advisories | OSVDB-92198, OSVDB-92200
MD5 | fa38cf29be5e352355ed7ba6d0f4e3e4
Glossword 1.8.12 Arbitrary File Upload
Posted Feb 26, 2013
Authored by Akastep, Brendan Coles | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in Glossword versions 1.8.8 through 1.8.12 when run as a standalone application. This application has an upload feature that allows an authenticated user with administrator roles to upload arbitrary files to the 'gw_temp/a/' directory.

tags | exploit, arbitrary, file upload
advisories | OSVDB-89960
MD5 | 4f1934a968cdbb5fa314b491cfd0ec99
Kordil EDMS 2.2.60rc3 Arbitrary File Upload
Posted Feb 25, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in Kordil EDMS version 2.2.60rc3. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the '/kordil_edms/userpictures/' directory.

tags | exploit, arbitrary
MD5 | 33ad49a9cc2ea906a39ccf8cd2cbeb28
ZoneMinder Video Server packageControl Command Execution
Posted Jan 25, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file calls 'exec()' with user controlled data from the 'runState' parameter.

tags | exploit, web, arbitrary, php
MD5 | 8ae47eaf3f2ed29b118391f24caf2d53
eXtplorer 2.1 Arbitrary File Upload
Posted Jan 10, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in eXtplorer versions 2.1.0 to 2.1.2 and 2.1.0RC5 when run as a standalone application. This application has an upload feature that allows an authenticated user with administrator roles to upload arbitrary files to any writable directory in the web root. This Metasploit module uses an authentication bypass vulnerability to upload and execute a file.

tags | exploit, web, arbitrary, root, bypass
advisories | OSVDB-88751
MD5 | 206ac84e07b867b31abd7f519cbc8697
ZEN Load Balancer Filelog Command Execution
Posted Sep 22, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in ZEN Load Balancer version 2.0 and 3.0-rc1 which could be abused to allow authenticated users to execute arbitrary code under the context of the 'root' user. The 'content2-2.cgi' file uses user controlled data from the 'filelog' parameter within backticks.

tags | exploit, arbitrary, cgi, root
MD5 | a4735e1bfb0a32b50337c1b4747c24a2
Openfiler 2.x NetworkCard Command Execution
Posted Sep 11, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in Openfiler version 2.x which could be abused to allow authenticated users to execute arbitrary code under the context of the 'openfiler' user. The 'system.html' file uses user controlled data from the 'device' parameter to create a new 'NetworkCard' object. The class constructor in 'network.inc' calls exec() with the supplied data. The 'openfiler' user may 'sudo /bin/bash' without providing a system password.

tags | exploit, arbitrary, bash
MD5 | 8ca0c4d2ff752b6ac402de55f477e515
WAN Emulator 2.3 Command Execution
Posted Sep 11, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in WAN Emulator version 2.3 which can be abused to allow unauthenticated users to execute arbitrary commands under the context of the 'www-data' user. The 'result.php' script calls shell_exec() with user controlled data from the 'pc' parameter. This Metasploit module also exploits a command execution vulnerability to gain root privileges. The 'dosu' binary is suid 'root' and vulnerable to command execution in argument one.

tags | exploit, arbitrary, root, php
MD5 | 2c6c13ad4c116a381fd010a1160a9e5a
TestLink 1.9.3 Arbitrary File Upload
Posted Aug 14, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in TestLink versions 1.9.3 and prior. This application has an upload feature that allows any authenticated user to upload arbitrary files to the '/upload_area/nodes_hierarchy/' directory with a randomized file name. The file name can be retrieved from the database using SQL injection.

tags | exploit, arbitrary, sql injection
MD5 | 5d45fc6e2938c21b4e62206f1750ded1
CuteFlow 2.11.2 Arbitrary File Upload
Posted Jul 27, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in CuteFlow version 2.11.2 or prior. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/___1/' directory and then execute it.

tags | exploit, arbitrary
MD5 | 22b6219aee828f29e8809b75f2c45aa5
Useresponse 1.0.2 Backdoor / CSRF / Code Execution
Posted Jun 15, 2012
Authored by mr_me, Brendan Coles

Useresponse versions 1.0.2 and below suffer from a backdoor account, cross site request forgery, and code execution vulnerabilities. Full exploit provided.

tags | exploit, vulnerability, code execution, csrf
MD5 | 3cb07be99b770e3bdcc4c51f7729baa7
Page 1 of 2
Back12Next

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close