| Email address | private |
|---|---|
| First Active | 2011-06-24 |
| Last Active | 2015-10-14 |
This Metasploit module exploits open X11 servers by connecting and registering a virtual keyboard. The virtual keyboard is used to open an xterm or gnome-terminal and to type and execute the specified payload.
f1b0dc8c62d80ca9fecd0a8689754ee2bccc3af0a2306d4d4f393a3664ca9d0f
ManageEngine ServiceDesk Plus versions 9.1 build 9110 and below suffer from a path traversal vulnerability.
f8c2df4202c241dffb8fdf7f5b2b23f85c16dc7b6036aaef2466f7f1c632fa98
This Metasploit module exploits the SQL query functionality in ManageEngine EventLog Analyzer v10.6 build 10060 and previous versions. Every authenticated user, including the default "guest" account, can execute SQL queries directly on the underlying Postgres database server. The queries run as the "postgres" user, which has full privileges and is therefore able to write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM privileges on the web server. This Metasploit module has been tested successfully on ManageEngine EventLog Analyzer 10.0 (build 10003) on Windows 7 SP1.
883715a7f63b19f3be245204a59084b8ad642d1866b7fdd2c6b33080b2dcb675
This Metasploit module exploits a default credential vulnerability in ManageEngine OpManager, where a hidden default account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which cannot be reset through the user interface. By logging in and abusing the administrator's SQL query functionality, it is possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This Metasploit module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
a79de46e68665e018fab0af3d172ef7ef23237f7ecabbe88fc9626f647f5e3fb
ManageEngine EventLog Analyzer version 10.6 build 10060 suffers from a SQL query execution vulnerability.
e43184b3c2e6936208082a4f3f3c97ec7847e32991323e490bc64eafefc58612
ManageEngine OpManager versions 11.5 and below suffer from a SQL query protection bypass and have hard-coded credentials.
14e7eded55b53f71e7a0c1efbb36f40694306d92477d8cda6fe7cfc83868d93e
This Metasploit module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems an xterm terminal is opened and a payload is typed and executed.
9bf59eca313c1a1ef5835749a4982092d4f8e4d66c21afc1744d5db633d85ded
This Metasploit module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because the daemon performs insufficient checks when authenticating clients, authentication can be bypassed. Using the ARKFS_EXEC_CMD operation it is possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on the Arkeia server as well as on all backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
7b4c0df3265eff7d8bf05b564fe0ba2fea10cec409923415d3a6df2a68832eed
Western Digital Arkeia versions 11.0.12 and below suffer from an ARKFS_EXEC_CMD remote code execution vulnerability.
c31b0bd4a25c328dd90904d7ce8a18f9b755d3576b99e652d4481882d665cadc
This Metasploit module exploits a vulnerability found in SePortal version 2.5. When logged in as any non-admin user, it is possible to retrieve the admin session hash from the database through SQL injection. The SQL injection vulnerability exists in the "staticpages.php" page. This hash can be used to take over the admin user's session. After logging in, the "/admin/downloads.php" page is used to upload arbitrary code.
523ae89437abd95ee2b8adbfe4b6eb79e71f45e8218d4bcec51f35af6aab99d6
Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that allows passwordless authentication to any other DXi box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.
c044490578edb32019383826af35b916fee53306c749cd979607ab19079e339f
This Metasploit module exploits a default hardcoded private SSH key or default hardcoded login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made by Array Networks. After logging in as the unprivileged user, it is possible to modify the world-writable file /ca/bin/monitor.sh with arbitrary code. Execution of that code is possible by using the setuid backend tool to turn debug monitoring on, which triggers the payload with root privileges.
1fae43950316e011335dde728dbaad51c106df55957d6f35e6a4c67a1ed197aa
Loadbalancer.org ships a public/private key pair on Enterprise virtual appliances version 7.5.2 that allows passwordless authentication to any other LB Enterprise box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.
1d3d72cce85f2a6161145afa314bf22dc05277449623eed73522cb834e16903a
This Metasploit module abuses a backdoor command in vmPRO 3.1.2. Any user, even without admin privileges, can get access to the restricted SSH shell. By using the hidden backdoor "shell-escape" command it's possible to drop to a real root bash shell.
bf8c7b893ced9c9f3bf296ad67951d4d007c88f1b2dea9ebce269ae5b6149708
Array Networks vxAG version 9.2.0.34 and vAPV version 8.3.2.17 appliances suffer from poor file permissions, default and weak user credentials, and SSH key handling issues.
424281c262881d13818d8b421e2b8079d01b94b35e76add57e3557344aa28c2f
Quantum vmPRO versions 3.1.2 and below suffer from a remote shell backdoor command that lets anyone SSH in and escalate to root.
86021585379df42396f7ae8a9afbc5718765133267144a1045108c43792f706f
Quantum DXi V1000 versions 2.2.1 and below ship with a static private SSH key for the root account that allows anyone holding it to SSH in as root on any appliance. They also have a static password set for the root user.
877f1687fa1556a8f78682df032fd2305a2fabba64799e8617ecfc6cb1533e4f
Loadbalancer.org Enterprise VA versions 7.5.2 and below ship with a static public and private key installed on every appliance. When the keys are regenerated, the appliance fails to remove the default public key from the authorized_keys2 file, so anyone holding the default private key retains access.
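The Quantum DXi and Loadbalancer.org entries above describe the same condition: a vendor-shipped key pair that stays trusted in `authorized_keys` or `authorized_keys2` even after the operator believes it has been replaced. The following script is an added example, not code from this listing or from any vendor; it audits one or more authorized_keys files for known-default public keys by comparing the base64 key blob of each entry against a list you supply. The key blobs in it are constructed placeholders, and `find_default_keys` and `demo` are names chosen here; a real audit substitutes the blob of the appliance's shipped public key.

```shell
#!/bin/sh
# Added example (not code from the listing or any vendor): audit
# authorized_keys / authorized_keys2 files for vendor-default public keys.
# The key blobs below are constructed placeholders, not real keys.

# Space-separated list of known-default public key blobs (constructed).
KNOWN_DEFAULT_KEYS='AAAAB3NzaC1yc2EAAAADAQABAAABAQDEFAULTKEYPLACEHOLDER0001 AAAAB3NzaC1yc2EAAAADAQABAAABAQDEFAULTKEYPLACEHOLDER0002'

# find_default_keys FILE...
# Prints "file:line:comment" for each entry whose key blob is listed in
# KNOWN_DEFAULT_KEYS. Returns 1 if any default key was found, else 0.
# Caveat: an options string containing quoted whitespace (e.g.
# command="a b") is split on that whitespace and the entry may be missed.
find_default_keys() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(awk -v defaults="$KNOWN_DEFAULT_KEYS" '
            BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) known[d[i]] = 1 }
            /^[ \t]*(#|$)/ { next }   # skip comment and blank lines
            {
                # Line layout: [options] keytype base64blob [comment].
                # Options may precede the key type, so locate the blob as the
                # field following the first field that looks like a key type.
                for (i = 1; i < NF; i++) {
                    if ($i ~ /^(ssh-|ecdsa-|sk-)/ && ($(i + 1) in known)) {
                        c = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                        printf "%s:%d:%s\n", FILENAME, FNR, c
                        break
                    }
                }
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# demo: build constructed sample files in a temp dir and run the audit.
# Mirrors the failure mode described above: authorized_keys holds only the
# operator's own key, while authorized_keys2 still carries the vendor default
# that a key regeneration was supposed to remove.
demo() {
    dir=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOPERATORKEY000000000001 ops@example.org\n' \
        > "$dir/authorized_keys"
    {
        printf '# cluster peer key installed by the vendor image\n'
        printf 'no-pty,from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEFAULTKEYPLACEHOLDER0001 root@appliance\n'
    } > "$dir/authorized_keys2"
    find_default_keys "$dir/authorized_keys" "$dir/authorized_keys2"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run `demo` to see the constructed case report the stale entry in `authorized_keys2`, or call `find_default_keys /root/.ssh/authorized_keys /root/.ssh/authorized_keys2` on an appliance with the vendor's real key blob placed in `KNOWN_DEFAULT_KEYS`. Matching on the key blob rather than the comment matters because the comment is free text and is the first thing a cleanup script tends to rewrite; the blob is what sshd actually trusts.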
2f4dfccf5655e5fdfa8f9af30faf107520d3182be78d7c99cf82b293f0d969cd
This Metasploit module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower. It leverages an unauthenticated command injection in the Anyterm service on port 8023. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1 the user "artica" is not assigned a password by default, which makes it possible to su to this user from the "pandora" user. The "artica" user has passwordless sudo access, which makes it possible to escalate privileges to root. Pandora FMS 4.0 and lower, however, force a password for the "artica" user during installation.
5ce709b214027d220be47c845fc61a9f62d0ec60d713cac5ac400ec912b76982
Pandora FMS versions 5.0RC1 and below suffer from a code execution vulnerability.
2ba4bc2c2183c5acbae565b860f5f9eabe987ba0a399d204e52fc3e2151facf0
A10 Networks (Soft)AX loadbalancer versions 2.6.1-GR1-P5 and below and 2.7.0 build 217 and below suffer from a directory traversal vulnerability.
cd1d7881579b65ddec9b55be9bc64a68cfb6ab226deae42efa4a82f9439a111f
ManageEngine Support Center Plus versions 7916 and below suffer from a directory traversal vulnerability.
7f3d4cf2f0f2823e532afe04ee4652f5b01e45dec6270e68523714952b7cd42b
Aanval version 7.1 build 70151 suffers from cross site scripting and remote SQL injection vulnerabilities.
25c6581c50e70623be4df653e794e6218f92804314f2bd7664a2d6b31e5a06b5
ZeroShell version 2.0 RC3 suffers from command injection and cross site scripting vulnerabilities.
c6b7a171ee0acfbc63038e7082d14a3c678fc1589e9e4db140b10e4c2c32b948
This Metasploit module exploits vulnerabilities found in the Astium astium-confweb-2.1-25399 RPM and lower. A SQL injection vulnerability is used to bypass authentication and gain admin access. From an admin session, arbitrary PHP code upload is possible; it is used to append the final PHP payload to "/usr/local/astium/web/php/config.php" and then run "sudo /sbin/service astcfgd reload" to reload the configuration and achieve remote root code execution.
16cd8b04690fc28db1b8c5c9afdb81554208e84689604fe813314bc4a6e8d476