This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02
This Metasploit module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.
b5c77494a3939a1827cb333698735a7315890ad559b41cca1a66fcbd96bc0b9e
This Metasploit module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to (and including) 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated attacker, which can achieve remote code execution as SYSTEM on a Windows installation and root on Linux. The vulnerability was discovered and exploited at Pwn2Own Miami 2020 by the Flashback team (Pedro Ribeiro + Radek Domanski).
9d49478c9a416ef64a062b712cd22c68e5b37e2e0f0dbc80fc3655a1c2e3d686
This document describes a stack overflow vulnerability that was found in October, 2019 and presented in the Pwn2Own Mobile 2019 competition in November 2019. The vulnerability is present in the UPNP daemon (/usr/sbin/upnpd), running on NETGEAR R6700v3 router with firmware versions V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58. It allows for an unauthenticated reset of the root password and then spawns a telnetd to remotely access the account.
3ccd57c2afc9c37bec7729262aa2b172845c46c639bdb363b6009f40ca166d05
This Metasploit module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team.
3dee135a8e106fdeab9e4abedc3fa3cc00c9a9cfec03ca0c69bd06e41cc64d93