exploit the possibilities
Showing 1 - 15 of 15 RSS Feed

Files from Erik Wynter

First Active2020-03-03
Last Active2021-04-21
Nagios XI 5.7.3 Remote Code Execution
Posted Apr 21, 2021
Authored by Chris Lyne, Erik Wynter | Site metasploit.com

This Metasploit module exploits an OS command injection vulnerability in includes/components/nxti/index.php that enables an authenticated user with admin privileges to achieve remote code execution as the apache user. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios XI 5.7.3 running on CentOS 7.

tags | exploit, remote, php, code execution
systems | linux, osx, centos
advisories | CVE-2020-5792
MD5 | 2df6940f1d406eb594bb234456e3e6f5
Nagios XI 5.7.3 Remote Code Execution
Posted Apr 19, 2021
Authored by Chris Lyne, Matthew Aberegg, Erik Wynter | Site metasploit.com

This Metasploit module exploits CVE-2020-5791, an OS command injection vulnerability on Nagios XI versions 5.6.0 through 5.7.3 in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user.

tags | exploit, remote, php, code execution
advisories | CVE-2020-5791
MD5 | 639bef5044c0f11d63a9c893409809f3
Nagios XI Remote Code Execution
Posted Apr 15, 2021
Authored by Haboob Team, Erik Wynter | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the /admin/monitoringplugins.php page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the apache user by uploading a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both running on CentOS 7.

tags | exploit, remote, php, code execution
systems | linux, osx, centos
advisories | CVE-2020-35578
MD5 | 91ac1437912ce19fca5580399b1f6625
Nagios XI getprofile.sh Remote Command Execution
Posted Apr 14, 2021
Authored by Erik Wynter, Jak Gibb | Site metasploit.com

This Metasploit module exploits a vulnerability in the getprofile.sh script of Nagios XI versions prior to 5.6.6 in order to upload a malicious check_ping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0 through 5.4.13, the commands are run as the nagios user. For versions 5.5.0 through 5.6.5, the commands are run as root. Note that versions prior to 5.2.0 will still be marked as being vulnerable however this module does not presently support exploiting these targets. The module uploads a malicious check_ping plugin to the Nagios XI server via /admin/monitoringplugins.php and then executes this plugin by issuing a HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.3.0 and Nagios 5.6.5, both running on CentOS 7. For vulnerable versions before 5.5.0, it may take a significant amount of time for the payload to get back (up to 5 minutes). If exploitation fails against an older system, it is recommended to increase the WfsDelay setting (default is 300 seconds).

tags | exploit, web, arbitrary, root, php
systems | linux, unix, osx, centos
advisories | CVE-2019-15949
MD5 | c535c12509a747d756650bedc5b31fca
Windows Server 2012 SrClient DLL Hijacking
Posted Mar 15, 2021
Authored by Erik Wynter | Site metasploit.com

All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL hijacking due to the way TiWorker.exe will try to call the non-existent SrClient.dll file when Windows Update checks for updates. This issue can be leveraged for privilege escalation if %PATH% includes directories that are writable by low-privileged users. The attack can be triggered by any low-privileged user and does not require a system reboot. This module has been successfully tested on Windows Server 2012 (x64).

tags | exploit
systems | windows
MD5 | c4ac29a19692bb467138f3a9bd636a4e
FlexDotnetCMS 1.5.8 Arbitrary ASP File Upload
Posted Dec 8, 2020
Authored by Erik Wynter | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in FlexDotnetCMS versions 1.5.8 and prior in order to execute arbitrary commands with elevated privileges.

tags | exploit, arbitrary, file upload
advisories | CVE-2020-27386
MD5 | 49d8406c21ab8ebe76041ae803166693
HorizontCMS 1.0.0-beta Shell Upload
Posted Nov 13, 2020
Authored by Erik Wynter | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta in order to execute arbitrary commands. The module first attempts to authenticate to HorizontCMS. It then tries to upload a malicious PHP file via an HTTP POST request to /admin/file-manager/fileupload. The server will rename this file to a random string. The module will therefore attempt to change the filename back to the original name via an HTTP POST request to /admin/file-manager/rename. For the php target, the payload is embedded in the uploaded file and the module attempts to execute the payload via an HTTP GET request to /storage/file_name.

tags | exploit, web, arbitrary, php, file upload
advisories | CVE-2020-27387
MD5 | b1586e133ec28d35e83ec172e95fe1d0
MaraCMS 7.5 Remote Code Execution
Posted Sep 28, 2020
Authored by Erik Wynter, Michele Cisternino | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in MaraCMS versions 7.5 and below in order to execute arbitrary commands. The module first attempts to authenticate to MaraCMS. It then tries to upload a malicious PHP file to the web root via an HTTP POST request to codebase/handler.php. If the php target is selected, the payload is embedded in the uploaded file and the module attempts to execute the payload via an HTTP GET request to this file. For the linux and windows targets, the module uploads a simple PHP web shell. Subsequently, it leverages the CmdStager mixin to deliver the final payload via a series of HTTP GET requests to the PHP web shell. Valid credentials for a MaraCMS admin or manager account are required. This module has been successfully tested against MaraCMS 7.5 running on Windows Server 2012 (XAMPP server).

tags | exploit, web, arbitrary, shell, root, php, file upload
systems | linux, windows
advisories | CVE-2020-25042
MD5 | f3fcdcf0924156e882b29740d16480f8
ZenTao Pro 8.8.2 Remote Code Execution
Posted Jul 22, 2020
Authored by Daniel Monzon, Erik Wynter, Melvin Boers | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in ZenTao Pro 8.8.2 and earlier versions in order to execute arbitrary commands with SYSTEM privileges. Valid credentials for a ZenTao admin account are required. This module has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on Windows 10 (XAMPP server).

tags | exploit, arbitrary
systems | windows
advisories | CVE-2020-7361
MD5 | 0c709d672ec84543f14645bf7ef4cccb
Pandora FMS 7.0 NG 7XX Remote Command Execution
Posted Jul 11, 2020
Authored by Fernando Catoira, Erik Wynter, Julio Sanchez | Site metasploit.com

This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in th e Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).

tags | exploit, web, arbitrary, shell, local, php
systems | linux, centos
advisories | CVE-2020-13851
MD5 | f5291266eaebb8b290e3a0b7e6659455
ATutor 2.2.4 Directory Traversal / Remote Code Execution
Posted Jun 30, 2020
Authored by liquidsky, Erik Wynter | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability together with a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in order to execute arbitrary commands.

tags | exploit, arbitrary, file upload
advisories | CVE-2019-12169
MD5 | 09ec42ff94266d8b91d8385b7c530d7b
Bolt CMS 3.7.0 Authenticated Remote Code Execution
Posted Jun 29, 2020
Authored by r3m0t3nu11, Erik Wynter, Sivanesh Ashok | Site metasploit.com

This Metasploit module exploits multiple vulnerabilities in Bolt CMS version 3.7.0 and 3.6.x in order to execute arbitrary commands as the user running Bolt. Valid credentials for a Bolt CMS user are required. This module has been successfully tested against Bolt CMS 3.7.0 running on CentOS 7.

tags | exploit, arbitrary, vulnerability
systems | linux, centos
MD5 | 0e1891b316c1ddb10007d34437171dba
Nagios XI Authenticated Remote Command Execution
Posted Mar 10, 2020
Authored by Erik Wynter, Jak Gibb | Site metasploit.com

This Metasploit module exploits a vulnerability in Nagios XI versions before 5.6.6 in order to execute arbitrary commands as root. The module uploads a malicious plugin to the Nagios XI server and then executes this plugin by issuing an HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. The module may behave differently against older versions of Nagios XI.

tags | exploit, web, arbitrary, root
systems | linux, unix, osx, centos
advisories | CVE-2019-15949
MD5 | 27aeb9dcadc656869ca4d5c1b08a9963
Apache ActiveMQ 5.11.1 Directory Traversal / Shell Upload
Posted Mar 5, 2020
Authored by David Jorm, Erik Wynter | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ versions 5.x before 5.11.2 for Windows. The module tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials provided by the user). It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell.

tags | exploit, web, shell
systems | windows
advisories | CVE-2015-1830
MD5 | d70509a7229f04053ab2e6c54f80f4a5
EyesOfNetwork AutoDiscovery Target Command Execution
Posted Mar 3, 2020
Authored by Brendan Coles, Clement Billac, Erik Wynter | Site metasploit.com

This Metasploit module exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the target parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the apache user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via two methods, i.e. by generating an API access token based on a hard-coded key, and via SQL injection. This module has been successfully tested on EyesOfNetwork 5.3 with API version 2.4.2.

tags | exploit, web, arbitrary, root, vulnerability, sql injection
advisories | CVE-2020-8654, CVE-2020-8655, CVE-2020-8656, CVE-2020-8657
MD5 | 3a699f2aa100664503fd2a6553c99d29
Page 1 of 1
Back1Next

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    11 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close