what you don't know can hurt you
Showing 1 - 25 of 87 RSS Feed

Files from Pedro Ribeiro

Real Nameribeirux
Email addressprivate
First Active2012-08-17
Last Active2022-05-11
View User Profile
Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
Posted May 11, 2022
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.

tags | exploit, overflow, shell, root, shellcode
systems | cisco
advisories | CVE-2022-20699
SHA-256 | 619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02
Micro Focus Operations Bridge Reporter Unauthenticated Command Injection
Posted Apr 30, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a command injection vulnerability on login that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It is a straight up command injection, with little escaping required, and it works before authentication. This module has been tested on the Linux 10.40 version.

tags | exploit
systems | linux
advisories | CVE-2021-22502
SHA-256 | 86c50279de70c09dd3d6cb11b4b245b4e8b6b272a33434965e6bc86812dced42
Micro Focus Operations Bridge Reporter shrboadmin Default Password
Posted Apr 30, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password on Micro Focus Operations Bridge Reporter. The shrboadmin user, installed by default by the product has the password of shrboadmin, and allows an attacker to login to the server via SSH. This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier versions are most likely affected too. Note that this is only exploitable in Linux installations.

tags | exploit
systems | linux
advisories | CVE-2020-11857
SHA-256 | f916dce1d07e07e927e2802d2dca83cb6a07b9d397ca34c5d01f9b2245b2667b
Micro Focus Operations Bridge Manager Local Privilege Escalation
Posted Feb 15, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an insecure permission vulnerability on a folder in Micro Focus Operations Bridge Manager. An unprivileged user (such as Guest) can drop a JSP file in an exploded WAR directory and then access it without authentication by making a request to the OBM server. This will result in automatic code execution as SYSTEM. This module has been tested on OBM 2020.05, but it should work out of the box on earlier versions too.

tags | exploit, code execution
advisories | CVE-2020-11858
SHA-256 | 9f7b81606219444bc6266e1abaa5acdb608ceef1654125907f4811cfd79d69d4
Micro Focus Operations Bridge Manager Remote Code Execution
Posted Feb 10, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management Automation. However, this module was only tested on Operations Bridge Manager. Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows. Authentication is required as the module user needs to login to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module. Any authenticated user can exploit this vulnerability, even the lowest privileged ones.

tags | exploit, java, remote, root, code execution
systems | linux, windows
advisories | CVE-2020-11853
SHA-256 | 13d48a0eedb076ba8ac83405342b8b011a20b72ca2d2e40597629ef5d018cddd
Micro Focus UCMDB Remote Code Execution
Posted Jan 28, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits two vulnerabilities, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, but this module can probably also be used to exploit Operations Bridge Manager (containerized) and Application Performance Management.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2020-11853, CVE-2020-11854
SHA-256 | 59be14dc0b274846876d82ee91afdb255998980f7c79be4eb7f93d0f3ff0e005
Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution
Posted Nov 20, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2020-12027, CVE-2020-12028, CVE-2020-12029
SHA-256 | b5c77494a3939a1827cb333698735a7315890ad559b41cca1a66fcbd96bc0b9e
Inductive Automation Ignition Remote Code Execution
Posted Jun 25, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to (and including) 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated attacker, which can achieve remote code execution as SYSTEM on a Windows installation and root on Linux. The vulnerability was discovered and exploited at Pwn2Own Miami 2020 by the Flashback team (Pedro Ribeiro + Radek Domanski).

tags | exploit, java, remote, root, code execution
systems | linux, windows
advisories | CVE-2020-10644, CVE-2020-12004
SHA-256 | 9d49478c9a416ef64a062b712cd22c68e5b37e2e0f0dbc80fc3655a1c2e3d686
NETGEAR R6700v3 Password Reset / Remote Code Execution
Posted Jun 25, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site github.com

This document describes a stack overflow vulnerability that was found in October, 2019 and presented in the Pwn2Own Mobile 2019 competition in November 2019. The vulnerability is present in the UPNP daemon (/usr/sbin/upnpd), running on NETGEAR R6700v3 router with firmware versions V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58. It allows for an unauthenticated reset of the root password and then spawns a telnetd to remotely access the account.

tags | exploit, overflow, root
SHA-256 | 3ccd57c2afc9c37bec7729262aa2b172845c46c639bdb363b6009f40ca166d05
IBM Data Risk Manager 2.0.3 Remote Code Execution
Posted May 5, 2020
Authored by Pedro Ribeiro | Site metasploit.com

IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.

tags | exploit, remote, shell, root, vulnerability, code execution
advisories | CVE-2020-4427, CVE-2020-4428, CVE-2020-4429
SHA-256 | 5e042f223b6191ace28628a3b791fe40265ee2b640aac230d6977add6e767672
IBM Data Risk Manager 2.0.3 Default Password
Posted May 5, 2020
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password in IBM Data Risk Manager. The a3user has the default password idrm and allows an attacker to log in to the virtual appliance via SSH. This can be escalate to full root access, as a3user has sudo access with the default password. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.

tags | exploit, root
advisories | CVE-2020-4429
SHA-256 | 93ca159b01584a7ade8620b17077cdc4619743113ed1b5b8a46d288369f9b00a
IBM Data Risk Manager Authentication Bypass / Command Injection / File Download
Posted Apr 21, 2020
Authored by Pedro Ribeiro

IBM Data Risk Manager suffers from authentication bypass, command injection, insecure default password, and arbitrary file download vulnerabilities.

tags | exploit, arbitrary, vulnerability
SHA-256 | 908bba4718ce4377dfe132da3cc65fb4293985dfdabca1ff566b3deb6b3cc0c5
TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution
Posted Apr 15, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team.

tags | exploit, root
advisories | CVE-2020-10882, CVE-2020-10883, CVE-2020-10884
SHA-256 | 3dee135a8e106fdeab9e4abedc3fa3cc00c9a9cfec03ca0c69bd06e41cc64d93
IBM Cognos TM1 / IBM Planning Analytics Server Configuration Overwrite / Code Execution
Posted Mar 28, 2020
Authored by Pedro Ribeiro, Gareth Batchelor

IBM Cognos TM1 Server / Planning Analytics Server (TM1) suffers from a configuration overwrite vulnerability that can be leveraged to achieve code execution as SYSTEM via TM1 scripting. Extensive research is included in this advisory as well as the Metasploit module.

tags | exploit, code execution
advisories | CVE-2019-4716
SHA-256 | 7adaef0a254ef114813a1fd3002f76240f5426ebf3ada7a99fac67252f614370
Cisco UCS Director Unauthenticated Remote Code Execution
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one, CVE-2019-1936, is a command injection in a password change form, that allows the attacker to inject commands that will execute as root. This module combines both vulnerabilities to achieve the unauthenticated command injection as root. It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.

tags | exploit, remote, root, vulnerability, code execution
systems | cisco
advisories | CVE-2019-1936, CVE-2019-1937
SHA-256 | 88e2661eac6ae7e8e4a10814c6417ce137ece9446d83413cd0c6813936fdb7e1
Cisco UCS Director Default scpuser Password
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password on Cisco UCS Director. The 'scpuser' has the password of 'scpuser', and allows an attacker to login to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.

tags | exploit, vulnerability
systems | cisco
advisories | CVE-2019-1935
SHA-256 | 94bda7121e042ee09228bf74bbf6f0d5581de7fd36faaa0ab4e892b49f16f89e
Cisco Data Center Network Manager Unauthenticated Remote Code Execution
Posted Sep 2, 2019
Authored by Pedro Ribeiro | Site metasploit.com

DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).

tags | exploit, remote, root, vulnerability, code execution, info disclosure, file upload
systems | linux
advisories | CVE-2019-1619, CVE-2019-1620, CVE-2019-1622
SHA-256 | 94163d73db872c81ba5ce8506f3d9deded66f21e352e87fbb9269f202301c37e
Cisco UCS / IMC Supervisor Authentication Bypass / Command Injection
Posted Aug 28, 2019
Authored by Pedro Ribeiro

Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data suffer from default password, authentication bypass, and command injection vulnerabilities.

tags | exploit, vulnerability, bypass
systems | cisco
advisories | CVE-2019-1935, CVE-2019-1936, CVE-2019-1937
SHA-256 | 38e7a01258bfec09b0882ac7dbf7cd123357ef8737f810d17b3e0ebf1d0c844e
Cisco Data Center Network Manager 11.1(1) Remote Code Execution
Posted Jul 8, 2019
Authored by Pedro Ribeiro

Cisco Data Center Network Manager (DCNM) versions 11.1(1) and below suffer from authentication bypass, arbitrary file upload, arbitrary file download, and information disclosure vulnerabilities.

tags | exploit, arbitrary, vulnerability, info disclosure, file upload
systems | cisco
advisories | CVE-2019-1619, CVE-2019-1620, CVE-2019-1621, CVE-2019-1622
SHA-256 | dfd36cfbc7507485cec0e3cf8334543371b3ffebfedce49529db5c62ccf35e6c
Cisco Prime Infrastructure Runrshell Privilege Escalation
Posted Jun 19, 2019
Authored by sinn3r, Pedro Ribeiro | Site metasploit.com

This Metasploit modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root.

tags | exploit, shell, root
systems | cisco
SHA-256 | 2c36a878b4e9bd45ad81ca8fb24a7604744f9f005ad314f116c110e64106d9a4
Nuuo Central Management SQL Injection
Posted Feb 21, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.

tags | exploit, code execution
advisories | CVE-2018-18982
SHA-256 | 37ab5bd3eec6195dfddf3099592e9cd3aad7e37d04562dd4ebba3cbc36289fe3
Nuuo Central Management Server 2.4 Authenticated Arbitrary File Upload
Posted Feb 20, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. The vulnerability is in the FileName parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. This vulnerability is exploitable in CMS versions up to and including 2.4.

tags | exploit
advisories | CVE-2018-17936
SHA-256 | 6d033ef3029641056b2c16198f8f5b9e4b8492af096081aed986b20a206dd234
Cisco ISE 2.4.0 XSS / Remote Code Execution
Posted Feb 5, 2019
Authored by Pedro Ribeiro, Dominik Czarnota | Site agileinfosec.co.uk

Cisco Identity Services Engine (ISE) version 2.4.0 suffers from cross site scripting, java deserialization, and in conjunction can lead to remote code execution. Full exploit provided.

tags | exploit, java, remote, code execution, xss
systems | cisco
advisories | CVE-2017-5641, CVE-2018-15440
SHA-256 | 58a983e96b653b64c6753866753ad6fb8ddf6684d26a6ed872f1db56982a7a9f
NUUO CMS Session Tokens / Traversal / SQL Injection
Posted Jan 21, 2019
Authored by Pedro Ribeiro

NUUO CMS suffers from directory traversal, predictable session token, unauthenticated remote code execution, and various other vulnerabilities. Multiple metasploit modules included and various versions are affected by the various vulnerabilities.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2018-17888, CVE-2018-17890, CVE-2018-17892, CVE-2018-17894, CVE-2018-17934, CVE-2018-17936, CVE-2018-18982
SHA-256 | 273126839ae6bdeeeeb0b494ac7067a5ea7b4bb5683ea0378c2a64b28c581aee
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Nov 13, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
SHA-256 | d369d436a86b700503958af590ca11128f061be5032b9413706341e51300f65c
Page 1 of 4
Back1234Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close