| Real Name | Darren Martyn |
|---|---|
| Email address | private |
| Website | insecurety.net |
| First Active | 2011-11-16 |
| Last Active | 2019-01-23 |
This Metasploit module attempts to gain root privileges on Linux systems using setuid executables compiled with AddressSanitizer (ASan). ASan configuration related environment variables are permitted when executing setuid executables built with libasan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files, with the privileges of the setuid user. This module uploads a shared object and sprays symlinks to overwrite /etc/ld.so.preload in order to create a setuid root shell.
0e6f740ce9bc200d846f84b085e1b15b388b872a85100b6499f36331dcd60d30xorg-x11-server versions prior to 1.20.3 local root exploit.
04fb5107a3446c9f4277d7db1e505e471ef5b483f8fd1dad9ec5583b8566c268This script exploits er, unsanitized env var passing in ASAN which leads to file clobbering as root when executing setuid root binaries compiled with ASAN. It uses an overwrite of /etc/ld.so.preload to get root on a vulnerable system. You can supply your own target binary to use for exploitation.
3f14643d1c039904bc9db24702fe18f67c6de2c6f848f3e50ab2d61c07de8423Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command injection. This vulnerability was used from the so called "TheMoon" worm. There are many Linksys systems that might be vulnerable including E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. This Metasploit module was tested successfully against an E1500 v1.0.5.
8562df406cf3a664284fb32daf860dcc7c4a95b65db2f358b2abed16cc85d646Proof of concept exploit used by the recent Linksys worm (known as "Moon"). Exploits blind command injection in tmUnblock.cgi.
ae7d5127e7b3b8fa46d888c48b1a569122f9a4eb074e9be265ffb8853f9989d3This small python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, includes "apache magica" and plesk paths, along with other misconfigurations.
78e9601c9d4667d30bde2edbe6d0b41d7549713beeeda32559e31be022767d22This code abuses PJL functionality on HP network printers to print documents and also change the "ReadyMessage". Useful for avoiding printer payment systems in universities. Scan for port 9100 to find printers.
0cfc418101360d5c0f8ce242ec0a13b08842bfc2efb02f687606c41de85db95fThis exploit leverages an eval() bug in the PHP Charts library allowing for remote code execution. A reverse shell is delivered using Perl.
029603a16bd1c86cec4981c7cc5216c1aedd6bad4d2e981fafffc02c8f122825Exploit for the PHP-CGI argument injection vulnerability disclosed in 2012. Has file uploading, inline shell spawning, and both python and perl reverse shell implementations using an earlier version of the "payload" library written for such exploits.
e1af41b9b973cb570db69238e6f14f4459e72926e687318f078562f00ce29e0fLotusCMS version 3.0 remote PHP code execution exploit as disclosed in 2011. It spawns a reverse shell.
56acf18780a5602a4ab5e831ef3c7a6cfef83560842950e615cae1fc4847bc4bThis is a reverse shell over SCTP implemented in Python. Currently it does not use SSL, but may evade most firewalls and IDS devices as many of them seemingly have no rules in place to check SCTP traffic.
6743f69ce173275310d5f2ffe1d1a49e6786c7abd202da271f4e6f25bd156590Reliable exploit for the Plesk PHP code injection vulnerability disclosed by Kingcope in June 2013. Can deliver inline and reverse shells using the payloads library, as well as offering (buggy) file upload features.
b76333a40c15eeb1e6e0fe351ee9f933ff24a237da980ed7dc853fd2e1f0d52cThis is a simple PHP backdoor using HTTP headers to inject the code as opposed to a GET or POST variable. Uses the fictional "Code: " header as an example, for learning purposes. This is not production code.
397d3f851a08bef7d13138eedf2b87ab8e732b35f14514f58a2162c103188aabMemcached denial of service exploit for an issue disclosed on their bugtracker two years ago and was never patched.
814e65638843b38bd9fd9f0e2304a82c68628fa8c903a54aaec2025d9de659fcPHPkit is a simple PHP based backdoor, leveraging include() and php://input to allow the attacker to execute arbitrary PHP code on the infected server. The actual backdoor contains no suspicious calls such as eval() or system(), as the PHP code is executed in memory by include().
9ae6f1db9ff8c94146491368c999d0b4d6a0a9cfe7316a6f72a899025250bf36This is a simple utility for exploiting command injection vulnerabilities in web applications. Supports POST and GET requests. Can deliver an "inline shell" or a (python) reverse shell.
2c82dcde1a7835fac49946c2d7c022271f0105c0e8c280133632994e909508cdThis exploit demonstrates the remote root vulnerability discovered by Michael Messner in D-Link DIR-300 and DIR-600 devices.
838e77a770f310592d0086570fd3486761116a8c97ae1aa49719f77441d5b192This is a small proof of concept tool that leverages the data:// stream to gain remote code execution from a file inclusion vulnerability.
c8c8bbfa963434111dffb850c77790720a4f7b2c74f7310ff876ccea44eb66f6PHPkit is a simple PHP based backdoor, leveraging include() and php://input to allow the attacker to execute arbitrary PHP code on the infected server. The actual backdoor contains no suspicious calls such as eval() or system(), as the PHP code is executed in memory by include().
3078b9daa99d887414dbe12584cdafa91a5f3554f05f8ad34cdf5d3ffe218a26PHPkit is a simple PHP based backdoor, leveraging include() and php:// input to allow the attacker to execute arbitrary PHP code on the infected server. The actual backdoor contains no suspicious calls such as eval() or system(), as the PHP code is executed in memory by include(). Includes a simple python client that gives a "shell" on the server.
a0b89f7413840636a73320699e779bec747d2127f4e7880708cb96dae4596056This exploits abuses an argument injection in the PHP-CGI wrapper to execute code as the PHP user/webserver user.
3eec4f2609dbad6e788f030ac2d9d162c3f1d0f995cfc76d077850a4c0c1bcdcPHPTax versions 0.8 and below remote code execution exploit. Written in Python.
86294030fd719aa799ec672577b9d00f4cb5ff09a5e758f0b04271418448dd6aIn certain versions of the DM FileManager Wordpress Plugin, the security_file parameter does not correctly check the source of a file before including it, leading to a remote file inclusion vulnerability that can be leveraged to gain remote code execution.
41fbdd0b4c17113fac05e11bebc41175e9551ce9772141ef01a6e7e1db1f5db0Zabbix version 1.6.2 suffers from a code execution vulnerability.
86f3d883d617a5ae5377c71678d17a1db0b1cf46e8c15b15457abc89b6a8e4b7Xoops version 2.3.2 suffers from a remote code execution vulnerability in the mydirname parameter.
ea1f08a5a265d8abd6a9171f572dfdaf10a138346ebc32742bbe81fdb47d184e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed