Twenty Year Anniversary
Showing 1 - 25 of 60 RSS Feed

Files from Pedro Ribeiro

Real Nameribeirux
Email addressprivate
First Active2012-08-17
Last Active2018-07-11
View User Profile
IBM QRadar SIEM Unauthenticated Remote Code Execution
Posted Jul 11, 2018
Authored by Pedro Ribeiro | Site metasploit.com

IBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated sessions cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavors of QRadar. This Metasploit module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 patch 12 and 7.3.1 patch 3 are vulnerable. Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.

tags | exploit, remote, web, shell, root, vulnerability, code execution
advisories | CVE-2016-9722, CVE-2018-1418, CVE-2018-1612
MD5 | 221b05c8f4d9bb44521c8ebfe10f771d
IBM QRadar SIEM Code Execution / Authentication Bypass
Posted May 29, 2018
Authored by Pedro Ribeiro

IBM QRadar SIEM versions prior to 7.3.1 Patch 3 or 7.2.8 Patch 28 suffer from authentication bypass, code execution, and privilege escalation vulnerabilities.

tags | exploit, vulnerability, code execution
advisories | CVE-2018-1418
MD5 | 0e6ecaa9d4eab8b0a258bb8b10edb984
DrayTek VigorACS 2 Unsafe Flex AMF Java Object Deserialization
Posted Apr 20, 2018
Authored by Pedro Ribeiro

DrayTek Vigor ACS server, a remote enterprise management system for DrayTek routers, uses a vulnerable version of the Adobe / Apache Flex Java library that has a deserialisation vulnerability. This can be exploited by an unauthenticated attacker to achieve remote code execution as root / SYSTEM on all versions until 2.2.2. Exploit code included.

tags | exploit, java, remote, root, code execution
advisories | CVE-2017-5641
MD5 | 4c7d83cfec04d1724b9d118fb3cd42e1
AsusWRT LAN Unauthenticated Remote Code Execution
Posted Feb 23, 2018
Authored by Pedro Ribeiro | Site metasploit.com

The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.

tags | exploit, web, root, udp
advisories | CVE-2018-5999, CVE-2018-6000
MD5 | 0a0cdd7637ea7a4a50df34cad0df396f
BMC Track-It! 11.4 Code Execution / Information Disclosure
Posted Jan 26, 2018
Authored by Pedro Ribeiro

BMC Track-It! version 11.4 suffers from remote code execution and credential disclosure vulnerabilities.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2016-6598, CVE-2016-6599
MD5 | d6507459a64e274eb19ea9d09ebbf627
AsusWRT Router Remote Code Execution
Posted Jan 26, 2018
Authored by Pedro Ribeiro

AsusWRT Router versions prior to 3.0.0.4.380.7743 suffer from an unauthenticated LAN remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2018-5999, CVE-2018-6000
MD5 | 76e861a72a3ce836f6c0b5f6dc36b004
NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow
Posted Mar 24, 2017
Authored by Pedro Ribeiro | Site metasploit.com

The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an unauthenticated attacker has to brute force it. Brute-forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be brute-forced. This Metasploit module implements both modes, and it works very reliably. It has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware revisions v4 and v3, but this has not been tested - with these routers it might be necessary to adjust the LibcBase variable as well as the gadget addresses.

tags | exploit, overflow
advisories | CVE-2016-10174
MD5 | 620f8fffe7cce1685fc6d76883a8968c
TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection
Posted Feb 1, 2017
Authored by Pedro Ribeiro | Site metasploit.com

TrueOnline is a major ISP in Thailand, and it distributes a customized version of the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection vulnerability in the remote log forwarding page. This can be exploited using the "supervisor" account that comes with a default password on the device. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. Note that the inline payloads work best. There are Turkish and other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other P660HN-T v2 in other countries might be vulnerable too.

tags | exploit, remote
MD5 | 5144d45c548229d7ab14cb1798aacdb3
TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection
Posted Feb 1, 2017
Authored by Pedro Ribeiro | Site metasploit.com

TrueOnline is a major ISP in Thailand, and it distributes a customized version of the Billion 5200W-T router. This customized version has at least two command injection vulnerabilities, one authenticated and one unauthenticated, on different firmware versions. This Metasploit module will attempt to exploit the unauthenticated injection first, and if that fails, it will attempt to exploit the authenticated injection. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. There are other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other Billion 5200W-T in other countries might be vulnerable too.

tags | exploit, vulnerability
MD5 | a23cc92232428177c4f3ec4f89a7822d
TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection
Posted Feb 1, 2017
Authored by Pedro Ribeiro | Site metasploit.com

TrueOnline is a major ISP in Thailand, and it distributes a customised version of the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command injection vulnerability in the remote log forwarding page. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. There are other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other P660HN-T v1 in other countries might be vulnerable too.

tags | exploit, remote
MD5 | dd4213c7e16f8b71eda3aa6be42156f4
TrueOnline ZyXEL / Billion Command Injection / Default Credentials
Posted Jan 17, 2017
Authored by Pedro Ribeiro

TrueOnline is a Thai ISP that distributes customized versions of ZyXEL and Billion routers - customized with vulnerabilities that is. The routers contain several default administrative accounts and command injections that can be abused by authenticated and unauthenticated attackers.

tags | exploit, vulnerability
MD5 | d49de80d7e395e6a46e6479d644ea66f
Netgear WNR2000 Remote Code Execution
Posted Dec 21, 2016
Authored by Pedro Ribeiro

Netgear WNR2000 suffers from a remote code execution vulnerability and various other security issues.

tags | exploit, remote, code execution
advisories | CVE-2016-10175, CVE-2016-10176, CVE-2016-10174
MD5 | c796a4c7e2b080855fb0e6456b4b3a6c
Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow
Posted Nov 21, 2016
Authored by Pedro Ribeiro | Site metasploit.com

Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices. The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can cause them to fail, although the bind shell seems to work well. For the ARM devices, the inline reverse tcp seems to work best. Check the reference links to see the vulnerable firmware versions.

tags | exploit, overflow, shell, tcp, protocol
advisories | CVE-2016-6563
MD5 | dd3ba90a3c8d9aee1a73c5d68572d159
D-Link DIR Routers HNAP Login Stack Buffer Overflow
Posted Nov 8, 2016
Authored by Pedro Ribeiro

A stack buffer overflow affects several D-Link routers and can be exploited by an unauthenticated attacker. The interesting thing about this vulnerability is that it affects both ARM and MIPS devices, so exploitation is slightly different for each type.

tags | advisory, overflow
advisories | CVE-2016-6563
MD5 | d3a085c7858b7b0de7bb572e6ea818f9
WebNMS Framework Server 5.2 Arbitrary File Upload
Posted Aug 12, 2016
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to upload text files by using a directory traversal attack on the FileUploadServlet servlet. A JSP file can be uploaded that then drops and executes a malicious payload, achieving code execution under the user which the WebNMS server is running. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.

tags | exploit, code execution
systems | linux, windows
MD5 | 603fc189cd0d143b775250d52f85f13d
NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Unauthenticated Remote Code Execution
Posted Aug 11, 2016
Authored by Pedro Ribeiro | Site metasploit.com

The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an unauthenticated remote code execution on the exposed web administration interface. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.

tags | exploit, remote, web, root, code execution
advisories | CVE-2016-5674
MD5 | d40e6b7096ec53c035171a4378040b94
NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution
Posted Aug 11, 2016
Authored by Pedro Ribeiro | Site metasploit.com

The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable to an authenticated remote code execution on the exposed web administration interface. An administrative account is needed to exploit this vulnerability. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.

tags | exploit, remote, web, root, code execution
advisories | CVE-2016-5675
MD5 | d61e75ee975d366c5637cabef3503939
WebNMS Framework 5.2 SP1 Traversal / Weak Obfuscation / User Impersonation
Posted Aug 8, 2016
Authored by Pedro Ribeiro

WebNMS Framework versions 5.2 and 5.2 SP1 suffer from directory traversal, code execution, weak obfuscation, and user impersonation vulnerabilities.

tags | exploit, vulnerability, code execution
advisories | CVE-2016-6600, CVE-2016-6601, CVE-2016-6602, CVE-2016-6603
MD5 | 9ffda3b41068196845e0fd2a8bebd824
NUUO NVRmini2 / NVRsolo / Crystal And NETGEAR ReadyNAS Code Execution
Posted Aug 4, 2016
Authored by Pedro Ribeiro

NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS suffer from multiple security issues that result in remote code execution, backdoor access, buffer overflow, and various other vulnerabilities.

tags | exploit, remote, overflow, vulnerability, code execution
advisories | CVE-2016-5674, CVE-2016-5675, CVE-2016-5676, CVE-2016-5677, CVE-2016-5678, CVE-2016-5679, CVE-2016-5680
MD5 | f350ea6228b354cd0f926e9dd1d7e81b
Novell ServiceDesk Authenticated File Upload
Posted Apr 18, 2016
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an authenticated arbitrary file upload via directory traversal to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in Windows and Linux installations of Novell ServiceDesk, as well as the Virtual Appliance provided by Novell.

tags | exploit, arbitrary, file upload
systems | linux, windows
advisories | CVE-2016-1593
MD5 | d722296cd47cfba9661f305b5965b0a7
Novell Service Desk 7.1.0 Code Execution / Information Disclosure
Posted Apr 11, 2016
Authored by Pedro Ribeiro

Novell Service Desk versions 7.1.0 and below suffer from code execution, information disclosure, cross site scripting, remote file upload, HQL injection, and traversal vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss, info disclosure, file upload
advisories | CVE-2016-1593, CVE-2016-1594, CVE-2016-1595, CVE-2016-1596
MD5 | 96ca11a4d3ed6007f2182749ed202e09
NETGEAR ProSafe Network Management System 300 Arbitrary File Upload
Posted Feb 29, 2016
Authored by Pedro Ribeiro | Site metasploit.com

Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file upload vulnerability that can be exploited by an unauthenticated remote attacker to execute code as the SYSTEM user. Two servlets are vulnerable, FileUploadController (located at /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do). This Metasploit module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.

tags | exploit, remote, file upload
systems | windows
advisories | CVE-2016-1525
MD5 | 3d6c659220bc9733c182c19629aadafe
Netgear Pro NMS 300 Code Execution / File Download
Posted Feb 7, 2016
Authored by Pedro Ribeiro

Netgear Pro NMS 300 suffers from code execution and arbitrary file download vulnerabilities.

tags | exploit, arbitrary, vulnerability, code execution
advisories | CVE-2016-1524, CVE-2016-1525
MD5 | 3de869c425374fa1cc4b6e40d4c8a965
ManageEngine ServiceDesk Plus Arbitrary File Upload
Posted Oct 8, 2015
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus. The vulnerability exists in the FileUploader servlet which accepts unauthenticated file uploads. This Metasploit module has been tested successfully on versions v9 b9000 - b9102 in Windows and Linux. The MSP versions do not expose the vulnerable servlet.

tags | exploit, file upload
systems | linux, windows
MD5 | 5382da1d82ea16f8ac9e643c4b7104c2
ManageEngine ServiceDesk File Upload / Code Execution
Posted Oct 5, 2015
Authored by Pedro Ribeiro

ManageEngine ServiceDesk allows for remote code execution via an arbitrary file upload vulnerability. Builds prior to 9103 are affected.

tags | exploit, remote, arbitrary, code execution, file upload
MD5 | a3b912e40243bbda29c463be690630dc
Page 1 of 3
Back123Next

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    29 Files
  • 20
    Sep 20th
    18 Files
  • 21
    Sep 21st
    5 Files
  • 22
    Sep 22nd
    2 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close