| Email address | private |
|---|---|
| First Active | 2011-06-24 |
| Last Active | 2015-10-14 |
This Metasploit module exploits open X11 servers by connecting and registering a virtual keyboard. The virtual keyboard is used to open an xterm or gnome terminal and type and execute the specified payload.
f1b0dc8c62d80ca9fecd0a8689754ee2bccc3af0a2306d4d4f393a3664ca9d0fManageEngine ServiceDesk Plus versions 9.1 build 9110 and below suffer from a path traversal vulnerability.
f8c2df4202c241dffb8fdf7f5b2b23f85c16dc7b6036aaef2466f7f1c632fa98This Metasploit module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6 build 10060 and previous versions. Every authenticated user, including the default "guest" account can execute SQL queries directly on the underlying Postgres database server. The queries are executed as the "postgres" user which has full privileges and thus is able to write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM privileges on the web server. This Metasploit module has been tested successfully on ManageEngine EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.
883715a7f63b19f3be245204a59084b8ad642d1866b7fdd2c6b33080b2dcb675This Metasploit module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which can not be reset through the user interface. By log-in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This Metasploit module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
a79de46e68665e018fab0af3d172ef7ef23237f7ecabbe88fc9626f647f5e3fbManageEngine EventLog Analyzer version 10.6 build 10060 suffers from a SQL query execution vulnerability.
e43184b3c2e6936208082a4f3f3c97ec7847e32991323e490bc64eafefc58612ManageEngine OpManager versions 11.5 and below suffer from SQL query protection bypass and has hard-coded credentials.
14e7eded55b53f71e7a0c1efbb36f40694306d92477d8cda6fe7cfc83868d93eThis Metasploit module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems a xterm terminal is opened and a payload is typed and executed.
9bf59eca313c1a1ef5835749a4982092d4f8e4d66c21afc1744d5db633d85dedThis Metasploit module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are insufficient checks on the authentication of all clients, this can be bypassed. Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on both the Arkeia server as well on all the backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
7b4c0df3265eff7d8bf05b564fe0ba2fea10cec409923415d3a6df2a68832eedWestern Digital Arkeia versions 11.0.12 and below suffer from a ARKFS_EXEC_CMD remote code execution vulnerability.
c31b0bd4a25c328dd90904d7ce8a18f9b755d3576b99e652d4481882d665cadcThis Metasploit module exploits a vulnerability found in SePortal version 2.5. When logging in as any non-admin user, it's possible to retrieve the admin session from the database through SQL injection. The SQL injection vulnerability exists in the "staticpages.php" page. This hash can be used to take over the admin user session. After logging in, the "/admin/downloads.php" page will be used to upload arbitrary code.
523ae89437abd95ee2b8adbfe4b6eb79e71f45e8218d4bcec51f35af6aab99d6Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that allows passwordless authentication to any other DXi box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.
c044490578edb32019383826af35b916fee53306c749cd979607ab19079e339fThis Metasploit module exploits a default hardcoded private SSH key or default hardcoded login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made by Array Networks. After logged in as the unprivileged user, it's possible to modify the world writable file /ca/bin/monitor.sh with our arbitrary code. Execution of the arbitrary code is possible by using the backend tool, running setuid, to turn the debug monitoring on. This makes it possible to trigger our payload with root privileges.
1fae43950316e011335dde728dbaad51c106df55957d6f35e6a4c67a1ed197aaLoadbalancer.org ships a public/private key pair on Enterprise virtual appliances version 7.5.2 that allows passwordless authentication to any other LB Enterprise box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.
1d3d72cce85f2a6161145afa314bf22dc05277449623eed73522cb834e16903aThis Metasploit module abuses a backdoor command in vmPRO 3.1.2. Any user, even without admin privileges, can get access to the restricted SSH shell. By using the hidden backdoor "shell-escape" command it's possible to drop to a real root bash shell.
bf8c7b893ced9c9f3bf296ad67951d4d007c88f1b2dea9ebce269ae5b6149708Array Networks vxAG version 9.2.0.34 and vAPV version 8.3.2.17 appliances suffer from poor permissions, default and weak user credentials, and ssh key handling issues.
424281c262881d13818d8b421e2b8079d01b94b35e76add57e3557344aa28c2fQuantum vmPRO versions 3.1.2 and below suffer from a remote shell backdoor command that lets anyone ssh in and escalate to root.
86021585379df42396f7ae8a9afbc5718765133267144a1045108c43792f706fQuantum DXi V1000 versions 2.2.1 and below come with a static private ssh key for the root account that allows you to ssh in as root to any appliance. They also have a static password set for the root user.
877f1687fa1556a8f78682df032fd2305a2fabba64799e8617ecfc6cb1533e4fLoadbalancer.org Enterprise VA versions 7.5.2 and below come with a static public and private key installed for their appliances. When the keys are regenerated, it fails to remove the public key from the authorized_keys2 file, allowing anyone to use the private default key for access.
2f4dfccf5655e5fdfa8f9af30faf107520d3182be78d7c99cf82b293f0d969cdThis Metasploit module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower. It will leverage an unauthenticated command injection in the Anyterm service on port 8023. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1 the user "artica" is not assigned a password by default, which makes it possible to su to this user from the "pandora" user. The "artica" user has access to sudo without a password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0 and lower force a password for the "artica" user during installation.
5ce709b214027d220be47c845fc61a9f62d0ec60d713cac5ac400ec912b76982Pandora FMS versions 5.0RC1 and below suffer from a code execution vulnerability.
2ba4bc2c2183c5acbae565b860f5f9eabe987ba0a399d204e52fc3e2151facf0A10 Networks Loadbalancer versions (Soft)AX 2.6.1-GR1-P5 and below and 2.7.0 build 217 and below suffer from a directory traversal vulnerability.
cd1d7881579b65ddec9b55be9bc64a68cfb6ab226deae42efa4a82f9439a111fManageEngine Support Center Plus versions 7916 and below suffer from a directory traversal vulnerability.
7f3d4cf2f0f2823e532afe04ee4652f5b01e45dec6270e68523714952b7cd42bAanval version 7.1 build 70151 suffers from cross site scripting and remote SQL injection vulnerabilities.
25c6581c50e70623be4df653e794e6218f92804314f2bd7664a2d6b31e5a06b5ZeroShell version 2.0 RC3 suffers from command injection and cross site scripting vulnerabilities.
c6b7a171ee0acfbc63038e7082d14a3c678fc1589e9e4db140b10e4c2c32b948This Metasploit module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain admin access. From an admin session arbitrary PHP code upload is possible. It is used to add the final PHP payload to "/usr/local/astium/web/php/config.php" and execute the "sudo /sbin/service astcfgd reload" command to reload the configuration and achieve remote root code execution.
16cd8b04690fc28db1b8c5c9afdb81554208e84689604fe813314bc4a6e8d476
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed