exploit the possibilities
Showing 1 - 25 of 78 RSS Feed

Files from Pedro Ribeiro

Real Nameribeirux
Email addressprivate
First Active2012-08-17
Last Active2020-05-05
View User Profile
IBM Data Risk Manager 2.0.3 Remote Code Execution
Posted May 5, 2020
Authored by Pedro Ribeiro | Site metasploit.com

IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.

tags | exploit, remote, shell, root, vulnerability, code execution
advisories | CVE-2020-4427, CVE-2020-4428, CVE-2020-4429
MD5 | 3146f36e720ad41b90d484a8f93fd1de
IBM Data Risk Manager 2.0.3 Default Password
Posted May 5, 2020
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password in IBM Data Risk Manager. The a3user has the default password idrm and allows an attacker to log in to the virtual appliance via SSH. This can be escalate to full root access, as a3user has sudo access with the default password. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.

tags | exploit, root
advisories | CVE-2020-4429
MD5 | 4abe7968c4dd561aa774364411c3b472
IBM Data Risk Manager Authentication Bypass / Command Injection / File Download
Posted Apr 21, 2020
Authored by Pedro Ribeiro

IBM Data Risk Manager suffers from authentication bypass, command injection, insecure default password, and arbitrary file download vulnerabilities.

tags | exploit, arbitrary, vulnerability
MD5 | ec8fbc1af9abc04b69ed7066a766acb9
TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution
Posted Apr 15, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team.

tags | exploit, root
advisories | CVE-2020-10882, CVE-2020-10883, CVE-2020-10884
MD5 | e92df66f65cf2445fb8664db83303e49
IBM Cognos TM1 / IBM Planning Analytics Server Configuration Overwrite / Code Execution
Posted Mar 28, 2020
Authored by Pedro Ribeiro, Gareth Batchelor

IBM Cognos TM1 Server / Planning Analytics Server (TM1) suffers from a configuration overwrite vulnerability that can be leveraged to achieve code execution as SYSTEM via TM1 scripting. Extensive research is included in this advisory as well as the Metasploit module.

tags | exploit, code execution
advisories | CVE-2019-4716
MD5 | d010aadf91fbdd90b9c6b2e2854fbafc
Cisco UCS Director Unauthenticated Remote Code Execution
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one, CVE-2019-1936, is a command injection in a password change form, that allows the attacker to inject commands that will execute as root. This module combines both vulnerabilities to achieve the unauthenticated command injection as root. It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.

tags | exploit, remote, root, vulnerability, code execution
systems | cisco
advisories | CVE-2019-1936, CVE-2019-1937
MD5 | a147290750eba4c14c3f5dfe91e25f2a
Cisco UCS Director Default scpuser Password
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password on Cisco UCS Director. The 'scpuser' has the password of 'scpuser', and allows an attacker to login to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.

tags | exploit, vulnerability
systems | cisco
advisories | CVE-2019-1935
MD5 | 119059667e4c122ab82b873c814ccde3
Cisco Data Center Network Manager Unauthenticated Remote Code Execution
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).

tags | exploit, remote, root, vulnerability, code execution, info disclosure, file upload
systems | linux
advisories | CVE-2019-1619, CVE-2019-1620, CVE-2019-1622
MD5 | 36ee8d3d9c4f34baf4548adaddbd4e36
Cisco UCS / IMC Supervisor Authentication Bypass / Command Injection
Posted Aug 28, 2019
Authored by Pedro Ribeiro

Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data suffer from default password, authentication bypass, and command injection vulnerabilities.

tags | exploit, vulnerability, bypass
systems | cisco
advisories | CVE-2019-1935, CVE-2019-1936, CVE-2019-1937
MD5 | 1b836f2892c60e53c35da6adba11922e
Cisco Data Center Network Manager 11.1(1) Remote Code Execution
Posted Jul 8, 2019
Authored by Pedro Ribeiro

Cisco Data Center Network Manager (DCNM) versions 11.1(1) and below suffer from authentication bypass, arbitrary file upload, arbitrary file download, and information disclosure vulnerabilities.

tags | exploit, arbitrary, vulnerability, info disclosure, file upload
systems | cisco
advisories | CVE-2019-1619, CVE-2019-1620, CVE-2019-1621, CVE-2019-1622
MD5 | 2bd84aa0b859d4eb5b1a69ff91efea19
Cisco Prime Infrastructure Runrshell Privilege Escalation
Posted Jun 19, 2019
Authored by sinn3r, Pedro Ribeiro | Site metasploit.com

This Metasploit modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root.

tags | exploit, shell, root
systems | cisco
MD5 | ae94bd035bf58e74d4a44904a3f67d25
Nuuo Central Management SQL Injection
Posted Feb 21, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.

tags | exploit, code execution
advisories | CVE-2018-18982
MD5 | a6bd69ef31e399150c79831f73918115
Nuuo Central Management Server 2.4 Authenticated Arbitrary File Upload
Posted Feb 20, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. The vulnerability is in the FileName parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. This vulnerability is exploitable in CMS versions up to and including 2.4.

tags | exploit
advisories | CVE-2018-17936
MD5 | e4e890bb6cf5b3d4e9da6e61e9d20a09
Cisco ISE 2.4.0 XSS / Remote Code Execution
Posted Feb 5, 2019
Authored by Pedro Ribeiro, Dominik Czarnota | Site agileinfosec.co.uk

Cisco Identity Services Engine (ISE) version 2.4.0 suffers from cross site scripting, java deserialization, and in conjunction can lead to remote code execution. Full exploit provided.

tags | exploit, java, remote, code execution, xss
systems | cisco
advisories | CVE-2017-5641, CVE-2018-15440
MD5 | fa717428076a044b9b2d005670cbabd5
NUUO CMS Session Tokens / Traversal / SQL Injection
Posted Jan 21, 2019
Authored by Pedro Ribeiro

NUUO CMS suffers from directory traversal, predictable session token, unauthenticated remote code execution, and various other vulnerabilities. Multiple metasploit modules included and various versions are affected by the various vulnerabilities.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2018-17888, CVE-2018-17890, CVE-2018-17892, CVE-2018-17894, CVE-2018-17934, CVE-2018-17936, CVE-2018-18982
MD5 | cdf8d7a388158a049931b16393f4c160
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Nov 13, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
MD5 | 2c9170145359581c4c8d1c13f564bce3
Cisco Prime Infrastructure Remote Code Execution / Privilege Escalation
Posted Oct 9, 2018
Authored by Pedro Ribeiro

Full write up on the unauthenticated remote code execution and privilege escalation vulnerability in Cisco Prime Infrastructure.

tags | advisory, remote, code execution
systems | cisco
advisories | CVE-2018-15379
MD5 | 463b73ab6b4dc341e0abdb15816e4711
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Oct 8, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
MD5 | 05f34986eb4c21ba7fbb27faa2f9bc8f
IBM QRadar SIEM Unauthenticated Remote Code Execution
Posted Jul 11, 2018
Authored by Pedro Ribeiro | Site metasploit.com

IBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated sessions cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavors of QRadar. This Metasploit module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 patch 12 and 7.3.1 patch 3 are vulnerable. Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.

tags | exploit, remote, web, shell, root, vulnerability, code execution
advisories | CVE-2016-9722, CVE-2018-1418, CVE-2018-1612
MD5 | 221b05c8f4d9bb44521c8ebfe10f771d
IBM QRadar SIEM Code Execution / Authentication Bypass
Posted May 29, 2018
Authored by Pedro Ribeiro

IBM QRadar SIEM versions prior to 7.3.1 Patch 3 or 7.2.8 Patch 28 suffer from authentication bypass, code execution, and privilege escalation vulnerabilities.

tags | exploit, vulnerability, code execution
advisories | CVE-2018-1418
MD5 | 0e6ecaa9d4eab8b0a258bb8b10edb984
DrayTek VigorACS 2 Unsafe Flex AMF Java Object Deserialization
Posted Apr 20, 2018
Authored by Pedro Ribeiro

DrayTek Vigor ACS server, a remote enterprise management system for DrayTek routers, uses a vulnerable version of the Adobe / Apache Flex Java library that has a deserialisation vulnerability. This can be exploited by an unauthenticated attacker to achieve remote code execution as root / SYSTEM on all versions until 2.2.2. Exploit code included.

tags | exploit, java, remote, root, code execution
advisories | CVE-2017-5641
MD5 | 4c7d83cfec04d1724b9d118fb3cd42e1
AsusWRT LAN Unauthenticated Remote Code Execution
Posted Feb 23, 2018
Authored by Pedro Ribeiro | Site metasploit.com

The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.

tags | exploit, web, root, udp
advisories | CVE-2018-5999, CVE-2018-6000
MD5 | 0a0cdd7637ea7a4a50df34cad0df396f
BMC Track-It! 11.4 Code Execution / Information Disclosure
Posted Jan 26, 2018
Authored by Pedro Ribeiro

BMC Track-It! version 11.4 suffers from remote code execution and credential disclosure vulnerabilities.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2016-6598, CVE-2016-6599
MD5 | d6507459a64e274eb19ea9d09ebbf627
AsusWRT Router Remote Code Execution
Posted Jan 26, 2018
Authored by Pedro Ribeiro

AsusWRT Router versions prior to 3.0.0.4.380.7743 suffer from an unauthenticated LAN remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2018-5999, CVE-2018-6000
MD5 | 76e861a72a3ce836f6c0b5f6dc36b004
NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow
Posted Mar 24, 2017
Authored by Pedro Ribeiro | Site metasploit.com

The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an unauthenticated attacker has to brute force it. Brute-forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be brute-forced. This Metasploit module implements both modes, and it works very reliably. It has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware revisions v4 and v3, but this has not been tested - with these routers it might be necessary to adjust the LibcBase variable as well as the gadget addresses.

tags | exploit, overflow
advisories | CVE-2016-10174
MD5 | 620f8fffe7cce1685fc6d76883a8968c
Page 1 of 4
Back1234Next

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    15 Files
  • 4
    Jun 4th
    25 Files
  • 5
    Jun 5th
    8 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close