This Metasploit module scans for the Juniper SSH backdoor (also valid on Telnet). Any username is required, and the password is <<< %s(un=%s) = %u.
9063c59689446fe07bb9610922c2bca3f2bd26ac97f441441018bc99fbe63a81This Metasploit module takes advantage of a protocol design issue with the Ray Sharp based DVR systems. It is possible to retrieve the username and password through the TCP service running on port 9000. Other brands using this platform and exposing the same issue may include Swann, Lorex, Night Owl, Zmodo, URMET, and KGuard Security.
8805abb547ee0c40d40a8ab15abce346a4a37b8f5ae7b7a9eeac09aa9f1a2cf4This Metasploit module abuses a file exposure vulnerability accessible through the web interface on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker to obtain detailed device information and download data files containing the clear-text usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs were exposed to the internet with this vulnerability.
1ca6be3bd1442f15e9c436c21eb3f55a0d2466eb4cc5defa624000e1a17d568bThis Metasploit module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the JSON request processor.
170aaef589710c91521601000cb3b478c0e13d9f21b9c95db63d18f83815c46dThis Metasploit module checks for known vulnerabilities in the CGI applications of Supermicro Onboard IPMI controllers. These issues currently include several unauthenticated buffer overflows in the login.cgi and close_window.cgi components.
25146ab0a527b2c20a4d174368a8756c57f0f973644733c599eb8239270f30b0This Metasploit module attempts to login to Chef Web UI server instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It will also test for the default login (admin:p@ssw0rd1).
a8b7ab4052d313ccc873b8bd18d89edbeb3d80da21d867193b4a96625924ef5dThis Metasploit module scans for Intel Active Management Technology endpoints and attempts to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service can be found on ports 16992, 16993 (tls), 623, and 624 (tls).
44deb16ec4e916e220f9f8b37748314f598bae3f65a5268506e4e9c1f53d9a36This Metasploit module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for "/level/num/exec/..", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 -> 12.2 are reportedly vulnerable. This Metasploit module tested successfully against a Cisco 1600 Router IOS v11.3(11d).
f47c8e7887760a5e15e7ecfe81baff6ced2ddb34267bcb19aff00e68bad4084eThis Metasploit module abuses a directory traversal vulnerability in the url_redirect.cgi application accessible through the web interface of Supermicro Onboard IPMI controllers. The vulnerability is present due to a lack of sanitization of the url_name parameter. This allows an attacker with a valid, but not necessarily administrator-level account, to access the contents of any file on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for all configured accounts. This Metasploit module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and /wsman/simple_auth.passwd.
2a895b9a6c562c00a389ca6061ee3c5d3935d00911eac01555699f44b7a15397This Metasploit module attempts to login to Zabbix server instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It will also test for the Zabbix default login (Admin:zabbix) and guest access.
8ec80a1f70694342132af590c1ad84e293056f1130c804c7df66507954472b12This Metasploit module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the XML request processor.
f0ae12d1945cad391cd044fe41f2338c6b4c2ee245f8e083731f15e17c72fce3This Metasploit module checks for a static SSL certificate shipped with Supermicro Onboard IPMI controllers. An attacker with access to the publicly-available firmware can perform man-in-the-middle attacks and offline decryption of communication to the controller. This Metasploit module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware version SMT_X9_214.
053f49c7ce9d06183e2e95c537afe1b4294edda2d9cae4f58f2050c589d89f5bThis Metasploit module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
8500cf1712e679811989409a7d9e020413fe28dd6b3f573d4069a4bbbf87d3d6This Metasploit module identifies IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.
26e9ad81107fc09e95e82be07f34c04f0ca67ba5b75765817108fcc2774346dfDetermine what users exist via brute force SID lookups. This Metasploit module can enumerate both local and domain accounts by setting ACTION to either LOCAL or DOMAIN.
77cbfc30e62e0670d70f18ccb46be372903ba2631287e724023b2cf89f37795aThis Metasploit module identifies NTP servers which permit "monlist" queries and obtains the recent clients list. The monlist feature allows remote attackers to cause a denial of service (traffic amplification) via spoofed requests. The more clients there are in the list, the greater the amplification.
a5bd2be6d6639dad2ac8a8c5aadde7826dba8b96423872299961fe6135ef827cDetect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd).
801a2a0bc2125f7e99eba56579ca138bcbadf4fa4fc437391f1bcb094a53e493This Metasploit module logs in to SNMP devices using common community names.
c3b32da7b3f73a2695ea0071176d4548e0e31cb363a8d8f25ea7e5071d7511bfThis Metasploit module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in MTF format, which can be extracted by the NTKBUp program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash.
226940d66a9c4cacaf0a73b81c75fdaea375765b84cbee186b391bbf5c6295daThis Metasploit module continuously spams NetBIOS responses to a target for given hostname, causing the target to cache a malicious address for this name. On high-speed local networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100% successful when spoofing a response for a WPAD lookup. Distant targets may require more time and lower rates for a successful attack.
4c46a17b6b28a0831bd545f008514748b910a2c34d2ae38a4055e1330ff321bcThis Metasploit module is able to predict the next session cookie value issued by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run this module, wait until the real administrator logs in, then specify the predicted cookie value to hijack their session.
28766d01f38ae419f2e9cd76f297d8ac56df2a94fb287f8aae22c02263aa6efaThis Metasploit module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.
da49454c5f849f765142c42e065734b0088421d4e93444a769a657b11fdb04afThis Metasploit module listens for a NetBIOS name request and then continuously spams NetBIOS responses to a target for given hostname, causing the target to cache a malicious address for this name. On high-speed networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100% successful when spoofing a response for a WPAD lookup. Distant targets may require more time and lower rates for a successful attack. This Metasploit module works when the target is behind a NAT gateway, since the stream of NetBIOS responses will keep the NAT mapping alive after the initial setup. To trigger the initial NetBIOS request to the Metasploit system, force the target to access a UNC link pointing to the same address (HTML, Office attachment, etc). This NAT-piercing issue was named the BadTunnel vulnerability by the discoverer, Yu Yang (@tombkeeper). The Microsoft patches (MS16-063/MS16-077) impact the way that the proxy host (WPAD) host is identified, but do change the predictability of NetBIOS requests.
d5dfa1bfa123e24ddb241e14436bdef941a832ae76b1f53bde9a4e4f19a2bd81This Metasploit module provides a fake SSL service that is intended to leak memory from client systems as they connect. This Metasploit module is hardcoded for using the AES-128-CBC-SHA1 cipher.
67d783fbcd4cde982f17f891681bce4e4ca4da2877dd80a91e898f0fdbf606eeThis Metasploit module provides a DNS service that redirects all queries to a particular address.
55a9c056ffd07d907378c0f767c8e83a9e26c6deeee3d9f5089ae2c8cdbf1041
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed