This Metasploit module has been tested on a Wemo-enabled Crock-Pot, but other Wemo devices are known to be affected, albeit on a different RPORT (49153).
313030894a5a2f95690cc02bc8dcac3485b44c43cb7d61a2f727c2e2876c4867This Metasploit module exploits a SUID installation of the Emacs movemail utility to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local. The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
9a45ef7c2c0d7e05f3ad54afa5cf8a4f5e411cdd781a161604fbfb0258e39186This Metasploit module exploits sendmail's well-known historical debug mode to escape to a shell and execute commands in the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently only cmd/unix/reverse and cmd/unix/generic are supported.
1a4e5d53d0016bdb16eb6f683c07b76aba09a90bfa3bac11eb076eeaae1e53efThis Metasploit module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions 9.22.0 and below. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This Metasploit module provides a generic exploit against the jQuery widget.
d34fb14aa9b4338617c18788b969d61c2e2bb73edfa259074f37f0336142d5c4This Metasploit module exploits a stack buffer overflow in fingerd on 4.3BSD. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
5f407350c1d9280dd4c5077754d558bd32be9404ebe5f76676b4a472abb2658dThis Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.4, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.
d4db47de622ab194cae5e05a485e3f4743601277e19a6aa2f5275bcad5350dabThis Metasploit module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick, and this module provides the latest vector for Ghostscript.
9a18d75e03ae94b3478787aa8898389327fe3597f03bcf6872c9a239283731aeThis Metasploit module exploits an authentication bypass in .srv functionality and a command injection in parhand to execute code as the root user.
c10f9b22f833b812b5b5320ea587dedf77fe8a60a4a58ddec5548a2ea5fb202dThis Metasploit module exploits a hardcoded service token or default credentials in HPE VAN SDN Controller versions 2.7.18.0503 and below to execute a payload as root. A root command injection was discovered in the uninstall action's name parameter, obviating the need to use sudo for privilege escalation. If the service token option TOKEN is blank, USERNAME and PASSWORD will be used for authentication. An additional login request will be sent.
eea257b390a3b287d462cce58af78297233c499f3594b67b9e26d2aa119c09e9This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.
d8e06fe66e7a7c70257d472a150741719f1392fb6c548c25bee9d61d4f3a78cdThis Metasploit module sends a magic packet to a NETGEAR device to enable telnetd. Upon successful connect, a root shell should be presented to the user.
de8e2ae5d297bdf918fd4c07ca565a83780eb63b8a40981c118b61d29c59187cThis Metasploit module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.
cb3ce61975554a3297a24930dd020c04ec845fcbd5d8eef10ec56929627059beApache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library.
733707ff1693492ed26a3fc45635dfec661cbb6f0cba034160e94e43f171f6b9This Metasploit module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.
928eb6125df4b025be7b68270b411eb5dfb58e8b71a32b25b6ed380ce5e0f241This Metasploit module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI <= 5.2.7 to pop a root shell.
7b076eb4c293543ed664b1e38b4942197ec5fe84ee01dda8591020258e48df90This Metasploit module exploits a command injection in Apache Continuum versions 1.4.2 and below. By injecting a command into the installation.varValue POST parameter to /continuum/saveInstallation.action, a shell can be spawned.
cf845d6fbc3b09514ed47ba1ed811ff6c6d343b0941a626f3ff4522492ad83c7This Metasploit module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell.
472df2245622a97749e8706f2ba968606decb46822546f51bf7cc6c5391ad65fThis Metasploit module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "mf" malware infecting these devices.
bb35dd847b4006bfddf6670aa0099dfa601022d89cda1ae234b032fd32276366This Metasploit module exploits a shell command injection in the way "delegates" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. Tested on Linux, BSD, and OS X. You'll want to choose your payload carefully due to portability concerns. Use cmd/unix/generic if need be.
b4c6b0e7acc235fa1688e82fff7eedb021357977c009bfb8d3faf0171a733bf1This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 given the presence of the "perl_startup" configuration parameter.
9244d1a56ca1a0b4187fc7d9232dd5485fbbf380c0bdb9f35ea79df0019c335aThis Metasploit module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface beyond repair. No workaround has been found yet. Use this module at your own risk. No check will be implemented.
f98ee50658aec27fea6e1325e83c5d9c0afefcbe8bf5d2b5dab9fa93e03887b6This Metasploit module exploits a null pointer dereference in XNU to escalate privileges to root. Tested on 10.10.4 and 10.10.5.
96d3d170f08479ec6482a4d97b2fb1ead038f68c3dbe1ed44950f74067f7c452This Metasploit module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed Rootpipe. Tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.
6e27a1e1f2bcf759b740ad9887024027c9c87f0045ced259f32d35e3a7522fe1This Metasploit module exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.
bddccc35d3cda611c86307a7ce0074fc7d74f100f9a6dea0b6e39a478138e054This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.
81d080e43dc83f3e3ee46722a1679f1f403475e40beef0b849082092202ffa5c
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed