Email address | private |
---|---|
First Active | 2011-06-24 |
Last Active | 2015-10-14 |
This Metasploit module exploits open X11 servers by connecting and registering a virtual keyboard. The virtual keyboard is used to open an xterm or gnome terminal and type and execute the specified payload.
dcf4ff0876ffbfe657502dc0c90cd514
ManageEngine ServiceDesk Plus versions 9.1 build 9110 and below suffer from a path traversal vulnerability.
dacb14eb812464766d3272d40a123e3c
This Metasploit module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6 build 10060 and previous versions. Every authenticated user, including the default "guest" account can execute SQL queries directly on the underlying Postgres database server. The queries are executed as the "postgres" user which has full privileges and thus is able to write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM privileges on the web server. This Metasploit module has been tested successfully on ManageEngine EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.
8aa69f01509e92e3e8de9b7ce3fbd570
This Metasploit module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which can not be reset through the user interface. By log-in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This Metasploit module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
7196d924d2204c71ab627c20517c13a1
ManageEngine EventLog Analyzer version 10.6 build 10060 suffers from a SQL query execution vulnerability.
c616c5721bf47eec5844de1c6059886b
ManageEngine OpManager versions 11.5 and below suffer from SQL query protection bypass and has hard-coded credentials.
588a76a8c2bf1619c2305abf7d437cd4
This Metasploit module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems a xterm terminal is opened and a payload is typed and executed.
84637a25e2b6ddf1b89af18e21eb42cd
This Metasploit module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are insufficient checks on the authentication of all clients, this can be bypassed. Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on both the Arkeia server as well on all the backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
ebae27aa7c351921d3e11dbd4a53e360
Western Digital Arkeia versions 11.0.12 and below suffer from a ARKFS_EXEC_CMD remote code execution vulnerability.
c500356f0437fdc6b8b7135c840dbb1c
This Metasploit module exploits a vulnerability found in SePortal version 2.5. When logging in as any non-admin user, it's possible to retrieve the admin session from the database through SQL injection. The SQL injection vulnerability exists in the "staticpages.php" page. This hash can be used to take over the admin user session. After logging in, the "/admin/downloads.php" page will be used to upload arbitrary code.
63435169c72cc2d2e9cc30ef51896580
Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that allows passwordless authentication to any other DXi box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.
88975f652be0d2e795054295cb884767
This Metasploit module exploits a default hardcoded private SSH key or default hardcoded login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made by Array Networks. After logged in as the unprivileged user, it's possible to modify the world writable file /ca/bin/monitor.sh with our arbitrary code. Execution of the arbitrary code is possible by using the backend tool, running setuid, to turn the debug monitoring on. This makes it possible to trigger our payload with root privileges.
64a30a02142bc1de16e0749225b0ee94
Loadbalancer.org ships a public/private key pair on Enterprise virtual appliances version 7.5.2 that allows passwordless authentication to any other LB Enterprise box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.
e01474e1689d8e393565267014bdc316
This Metasploit module abuses a backdoor command in vmPRO 3.1.2. Any user, even without admin privileges, can get access to the restricted SSH shell. By using the hidden backdoor "shell-escape" command it's possible to drop to a real root bash shell.
07b55130b9d63fa1f4c280bb1f90fde6
Array Networks vxAG version 9.2.0.34 and vAPV version 8.3.2.17 appliances suffer from poor permissions, default and weak user credentials, and ssh key handling issues.
e68de4bee85b308dcc7bb01dcc55fcb4
Quantum vmPRO versions 3.1.2 and below suffer from a remote shell backdoor command that lets anyone ssh in and escalate to root.
71977649a44253f552fee0162b363b00
Quantum DXi V1000 versions 2.2.1 and below come with a static private ssh key for the root account that allows you to ssh in as root to any appliance. They also have a static password set for the root user.
99c963602d5b101ce619d77f1fe99256
Loadbalancer.org Enterprise VA versions 7.5.2 and below come with a static public and private key installed for their appliances. When the keys are regenerated, it fails to remove the public key from the authorized_keys2 file, allowing anyone to use the private default key for access.
37f891804293f83d99541b90c8134d6d
This Metasploit module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower. It will leverage an unauthenticated command injection in the Anyterm service on port 8023. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1 the user "artica" is not assigned a password by default, which makes it possible to su to this user from the "pandora" user. The "artica" user has access to sudo without a password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0 and lower force a password for the "artica" user during installation.
35d7dfee04901de86a3c3aaf7fa196bf
Pandora FMS versions 5.0RC1 and below suffer from a code execution vulnerability.
d9057714df010cfac019fecec177b539
A10 Networks Loadbalancer versions (Soft)AX 2.6.1-GR1-P5 and below and 2.7.0 build 217 and below suffer from a directory traversal vulnerability.
c2d35e3676966352b7593606a6413280
ManageEngine Support Center Plus versions 7916 and below suffer from a directory traversal vulnerability.
e0428e48a6efb94dfc9652f9aa0ebed2
Aanval version 7.1 build 70151 suffers from cross site scripting and remote SQL injection vulnerabilities.
a86fd138da920f8952a34b05891fce2a
ZeroShell version 2.0 RC3 suffers from command injection and cross site scripting vulnerabilities.
1b886fe089036cb279eae1e1dcf4def1
This Metasploit module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain admin access. From an admin session arbitrary PHP code upload is possible. It is used to add the final PHP payload to "/usr/local/astium/web/php/config.php" and execute the "sudo /sbin/service astcfgd reload" command to reload the configuration and achieve remote root code execution.
432ed72ac7cc26bfbd358d5604b17bd2