exploit the possibilities
Showing 1 - 25 of 86 RSS Feed

Files from Pedro Ribeiro

Real Nameribeirux
Email addressprivate
First Active2012-08-17
Last Active2021-04-30
View User Profile
Micro Focus Operations Bridge Reporter Unauthenticated Command Injection
Posted Apr 30, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a command injection vulnerability on login that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It is a straight up command injection, with little escaping required, and it works before authentication. This module has been tested on the Linux 10.40 version.

tags | exploit
systems | linux
advisories | CVE-2021-22502
MD5 | de81618a686c4953d94e9346e39ba76f
Micro Focus Operations Bridge Reporter shrboadmin Default Password
Posted Apr 30, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password on Micro Focus Operations Bridge Reporter. The shrboadmin user, installed by default by the product has the password of shrboadmin, and allows an attacker to login to the server via SSH. This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier versions are most likely affected too. Note that this is only exploitable in Linux installations.

tags | exploit
systems | linux
advisories | CVE-2020-11857
MD5 | 6835c6b65571ba0e4a08f98ac293eea7
Micro Focus Operations Bridge Manager Local Privilege Escalation
Posted Feb 15, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an insecure permission vulnerability on a folder in Micro Focus Operations Bridge Manager. An unprivileged user (such as Guest) can drop a JSP file in an exploded WAR directory and then access it without authentication by making a request to the OBM server. This will result in automatic code execution as SYSTEM. This module has been tested on OBM 2020.05, but it should work out of the box on earlier versions too.

tags | exploit, code execution
advisories | CVE-2020-11858
MD5 | 77f9cc425e34582443acfd2b911fbd17
Micro Focus Operations Bridge Manager Remote Code Execution
Posted Feb 10, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management Automation. However, this module was only tested on Operations Bridge Manager. Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows. Authentication is required as the module user needs to login to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module. Any authenticated user can exploit this vulnerability, even the lowest privileged ones.

tags | exploit, java, remote, root, code execution
systems | linux, windows
advisories | CVE-2020-11853
MD5 | f6552551b0f335ef518698e89a9caa30
Micro Focus UCMDB Remote Code Execution
Posted Jan 28, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits two vulnerabilities, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, but this module can probably also be used to exploit Operations Bridge Manager (containerized) and Application Performance Management.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2020-11853, CVE-2020-11854
MD5 | d8d775f401a0c6cf7e6ebc24e42124e5
Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution
Posted Nov 20, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2020-12027, CVE-2020-12028, CVE-2020-12029
MD5 | 9e09355c37bbe36767252355895d406c
Inductive Automation Ignition Remote Code Execution
Posted Jun 25, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to (and including) 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated attacker, which can achieve remote code execution as SYSTEM on a Windows installation and root on Linux. The vulnerability was discovered and exploited at Pwn2Own Miami 2020 by the Flashback team (Pedro Ribeiro + Radek Domanski).

tags | exploit, java, remote, root, code execution
systems | linux, windows
advisories | CVE-2020-10644, CVE-2020-12004
MD5 | de6af616d3b724854268bccfee1cf557
NETGEAR R6700v3 Password Reset / Remote Code Execution
Posted Jun 25, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site github.com

This document describes a stack overflow vulnerability that was found in October, 2019 and presented in the Pwn2Own Mobile 2019 competition in November 2019. The vulnerability is present in the UPNP daemon (/usr/sbin/upnpd), running on NETGEAR R6700v3 router with firmware versions V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58. It allows for an unauthenticated reset of the root password and then spawns a telnetd to remotely access the account.

tags | exploit, overflow, root
MD5 | 994306f3ed8a91beb01786f127028f55
IBM Data Risk Manager 2.0.3 Remote Code Execution
Posted May 5, 2020
Authored by Pedro Ribeiro | Site metasploit.com

IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.

tags | exploit, remote, shell, root, vulnerability, code execution
advisories | CVE-2020-4427, CVE-2020-4428, CVE-2020-4429
MD5 | 3146f36e720ad41b90d484a8f93fd1de
IBM Data Risk Manager 2.0.3 Default Password
Posted May 5, 2020
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password in IBM Data Risk Manager. The a3user has the default password idrm and allows an attacker to log in to the virtual appliance via SSH. This can be escalate to full root access, as a3user has sudo access with the default password. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.

tags | exploit, root
advisories | CVE-2020-4429
MD5 | 4abe7968c4dd561aa774364411c3b472
IBM Data Risk Manager Authentication Bypass / Command Injection / File Download
Posted Apr 21, 2020
Authored by Pedro Ribeiro

IBM Data Risk Manager suffers from authentication bypass, command injection, insecure default password, and arbitrary file download vulnerabilities.

tags | exploit, arbitrary, vulnerability
MD5 | ec8fbc1af9abc04b69ed7066a766acb9
TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution
Posted Apr 15, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team.

tags | exploit, root
advisories | CVE-2020-10882, CVE-2020-10883, CVE-2020-10884
MD5 | e92df66f65cf2445fb8664db83303e49
IBM Cognos TM1 / IBM Planning Analytics Server Configuration Overwrite / Code Execution
Posted Mar 28, 2020
Authored by Pedro Ribeiro, Gareth Batchelor

IBM Cognos TM1 Server / Planning Analytics Server (TM1) suffers from a configuration overwrite vulnerability that can be leveraged to achieve code execution as SYSTEM via TM1 scripting. Extensive research is included in this advisory as well as the Metasploit module.

tags | exploit, code execution
advisories | CVE-2019-4716
MD5 | d010aadf91fbdd90b9c6b2e2854fbafc
Cisco UCS Director Unauthenticated Remote Code Execution
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one, CVE-2019-1936, is a command injection in a password change form, that allows the attacker to inject commands that will execute as root. This module combines both vulnerabilities to achieve the unauthenticated command injection as root. It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.

tags | exploit, remote, root, vulnerability, code execution
systems | cisco
advisories | CVE-2019-1936, CVE-2019-1937
MD5 | a147290750eba4c14c3f5dfe91e25f2a
Cisco UCS Director Default scpuser Password
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password on Cisco UCS Director. The 'scpuser' has the password of 'scpuser', and allows an attacker to login to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.

tags | exploit, vulnerability
systems | cisco
advisories | CVE-2019-1935
MD5 | 119059667e4c122ab82b873c814ccde3
Cisco Data Center Network Manager Unauthenticated Remote Code Execution
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).

tags | exploit, remote, root, vulnerability, code execution, info disclosure, file upload
systems | linux
advisories | CVE-2019-1619, CVE-2019-1620, CVE-2019-1622
MD5 | 36ee8d3d9c4f34baf4548adaddbd4e36
Cisco UCS / IMC Supervisor Authentication Bypass / Command Injection
Posted Aug 28, 2019
Authored by Pedro Ribeiro

Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data suffer from default password, authentication bypass, and command injection vulnerabilities.

tags | exploit, vulnerability, bypass
systems | cisco
advisories | CVE-2019-1935, CVE-2019-1936, CVE-2019-1937
MD5 | 1b836f2892c60e53c35da6adba11922e
Cisco Data Center Network Manager 11.1(1) Remote Code Execution
Posted Jul 8, 2019
Authored by Pedro Ribeiro

Cisco Data Center Network Manager (DCNM) versions 11.1(1) and below suffer from authentication bypass, arbitrary file upload, arbitrary file download, and information disclosure vulnerabilities.

tags | exploit, arbitrary, vulnerability, info disclosure, file upload
systems | cisco
advisories | CVE-2019-1619, CVE-2019-1620, CVE-2019-1621, CVE-2019-1622
MD5 | 2bd84aa0b859d4eb5b1a69ff91efea19
Cisco Prime Infrastructure Runrshell Privilege Escalation
Posted Jun 19, 2019
Authored by sinn3r, Pedro Ribeiro | Site metasploit.com

This Metasploit modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root.

tags | exploit, shell, root
systems | cisco
MD5 | ae94bd035bf58e74d4a44904a3f67d25
Nuuo Central Management SQL Injection
Posted Feb 21, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.

tags | exploit, code execution
advisories | CVE-2018-18982
MD5 | a6bd69ef31e399150c79831f73918115
Nuuo Central Management Server 2.4 Authenticated Arbitrary File Upload
Posted Feb 20, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. The vulnerability is in the FileName parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. This vulnerability is exploitable in CMS versions up to and including 2.4.

tags | exploit
advisories | CVE-2018-17936
MD5 | e4e890bb6cf5b3d4e9da6e61e9d20a09
Cisco ISE 2.4.0 XSS / Remote Code Execution
Posted Feb 5, 2019
Authored by Pedro Ribeiro, Dominik Czarnota | Site agileinfosec.co.uk

Cisco Identity Services Engine (ISE) version 2.4.0 suffers from cross site scripting, java deserialization, and in conjunction can lead to remote code execution. Full exploit provided.

tags | exploit, java, remote, code execution, xss
systems | cisco
advisories | CVE-2017-5641, CVE-2018-15440
MD5 | fa717428076a044b9b2d005670cbabd5
NUUO CMS Session Tokens / Traversal / SQL Injection
Posted Jan 21, 2019
Authored by Pedro Ribeiro

NUUO CMS suffers from directory traversal, predictable session token, unauthenticated remote code execution, and various other vulnerabilities. Multiple metasploit modules included and various versions are affected by the various vulnerabilities.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2018-17888, CVE-2018-17890, CVE-2018-17892, CVE-2018-17894, CVE-2018-17934, CVE-2018-17936, CVE-2018-18982
MD5 | cdf8d7a388158a049931b16393f4c160
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Nov 13, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
MD5 | 2c9170145359581c4c8d1c13f564bce3
Cisco Prime Infrastructure Remote Code Execution / Privilege Escalation
Posted Oct 9, 2018
Authored by Pedro Ribeiro

Full write up on the unauthenticated remote code execution and privilege escalation vulnerability in Cisco Prime Infrastructure.

tags | advisory, remote, code execution
systems | cisco
advisories | CVE-2018-15379
MD5 | 463b73ab6b4dc341e0abdb15816e4711
Page 1 of 4
Back1234Next

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close