
Files from H D Moore

Email address: hdm at metasploit.com
First Active: 1999-08-17
Last Active: 2018-05-07
Palo Alto Networks readSessionVarsFromFile() Session Corruption
Posted May 7, 2018
Authored by H D Moore, Philip Pettersson | Site metasploit.com

This Metasploit module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script. This Metasploit module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default, so exploitation can take up to 20 minutes.

tags | exploit, arbitrary, root, vulnerability, code execution
advisories | CVE-2017-15944
SHA-256 | f9f9ce5b8abd0f8306e641f3db279345c840570cf53ebfcf9179efb66f27a90f
GoAhead Web Server LD_PRELOAD Arbitrary Module Load
Posted Jan 24, 2018
Authored by H D Moore, h00die, Daniel Hodson | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in GoAhead web server versions between 2.5 and that have the CGI module enabled.

tags | exploit, web, arbitrary, cgi
advisories | CVE-2017-17562
SHA-256 | bee949e92c0ea2f22d837f57390d8e28e16e861007e5e679292d373e6ac8037a
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

tags | exploit, arbitrary
advisories | CVE-2017-7494
SHA-256 | 467d157dc1bbf3f036cc0f63f280fa7c6781fd91ca452708aab53393895c5ba1
Ghostscript 9.21 Type Confusion Arbitrary Command Execution
Posted May 1, 2017
Authored by H D Moore, Atlassian Security Team | Site metasploit.com

This Metasploit module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects Ghostscript versions 9.21 and earlier and can be exploited through libraries such as ImageMagick and Pillow.

tags | exploit, arbitrary
SHA-256 | a27fc20d6d651965282082a1c0885428cca7397e09bbfd29c3bb60a249fb12b3
Advantech Switch Bash Environment Variable Code Injection
Posted Dec 2, 2015
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This Metasploit module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This Metasploit module was tested against firmware version 1322_D1.98.

tags | exploit, web, shell, cgi, bash
advisories | CVE-2014-6271
SHA-256 | 2d07c4e5c3e954a7d9efc2a4e7d397f7e69058ab0c07cd400854d45c65db2f07
Accellion FTA getStatus verify_oauth_token Command Execution
Posted Jul 13, 2015
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This Metasploit module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and '/seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210.

tags | exploit, shell
advisories | CVE-2015-2857
SHA-256 | 6469c1b4105f729eff01d7b1743b30cbc9388e3b867763c2295eb78c0197f9dc
Ceragon FibeAir IP-10 SSH Private Key Exposure
Posted Apr 2, 2015
Authored by H D Moore, Tod Beardsley | Site metasploit.com

This Metasploit module exploits the fact that Ceragon ships a public/private key pair on FibeAir IP-10 devices that allows passwordless authentication to any other IP-10 device. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "mateidu" user.

tags | exploit, remote
advisories | CVE-2015-0936
SHA-256 | 3ffda87a127eecead37db406771d24d73a3f8fb62c5608cc9113f96992bf3bc3
WordPress cache_lastpostdate Arbitrary Code Execution
Posted Mar 24, 2015
Authored by H D Moore, str0ke | Site metasploit.com

This Metasploit module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected.

tags | exploit, arbitrary, php, code execution
advisories | CVE-2005-2612, OSVDB-18672
SHA-256 | 8029e1794748c6b847a3fcb2ff96b2b28fc0fde9bdbb4d42498a35812e402c16
WordPress W3 Total Cache PHP Code Execution
Posted Mar 24, 2015
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against the WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically find or bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This Metasploit module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on an Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | CVE-2013-2010, OSVDB-92652
SHA-256 | bed096490dc9d7e2c3e5ae3b9e8234d981926a7705dfde36023179c919fb54aa
NETGEAR ReadyNAS Perl Code Evaluation
Posted Nov 25, 2013
Authored by H D Moore, juan vazquez, Craig Young | Site metasploit.com

This Metasploit module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The vulnerability exists in the web frontend, specifically in the np_handler.pl component, due to the insecure usage of the Perl eval() function. This Metasploit module has been tested successfully on a NETGEAR ReadyNAS 4.2.23 firmware emulated environment, not on real hardware.

tags | exploit, web, perl
advisories | CVE-2013-2751, OSVDB-98826
SHA-256 | bde67c6d5bd2eaadf289392fe66c898b1b40583f113cc479740f75c0912c0b93
Supermicro Onboard IPMI close_window.cgi Buffer Overflow
Posted Nov 17, 2013
Authored by H D Moore, juan vazquez | Site metasploit.com

This Metasploit module exploits a buffer overflow on the Supermicro Onboard IPMI controller web interface. The vulnerability exists on the close_window.cgi CGI application, and is due to the insecure usage of strcpy. In order to get a session, the module will execute system() from libc with an arbitrary CMD payload sent on the User-Agent header. This Metasploit module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.

tags | exploit, web, overflow, arbitrary, cgi
advisories | CVE-2013-3623
SHA-256 | 3db49add914cadb4e6f7130ba3b4a6a1c8c69c567c9d6a7d82b5980b09616017
Windows SYSTEM Escalation Via KiTrap0D
Posted Nov 14, 2013
Authored by H D Moore, Pusscat, Tavis Ormandy, OJ Reeves | Site metasploit.com

This Metasploit module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

tags | exploit, x86
systems | windows
advisories | CVE-2010-0232, OSVDB-61854
SHA-256 | b61f14f2873aa1c647ab01600db74d813ae4c68913ed531266fd588ac8aff25a
MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution
Posted Jun 5, 2013
Authored by H D Moore, Dejan Lukan | Site metasploit.com

This Metasploit module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling.

tags | exploit, web, overflow
advisories | CVE-2013-0230, OSVDB-89624
SHA-256 | 399dfaf3edd72eb325ee021863dfd3a6e0d3ef47515d4072e0bc7526808df658
Wordpress W3 Total Cache PHP Code Execution
Posted Apr 29, 2013
Authored by H D Moore, juan vazquez, temp66, Christian Mehlmauer | Site metasploit.com

This Metasploit module exploits a PHP Code Injection vulnerability against the Wordpress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on Wordpress must be unchecked for successful exploitation. This Metasploit module has been tested against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on an Ubuntu 10.04 system.

tags | exploit, arbitrary, php
systems | linux, ubuntu
advisories | OSVDB-92652
SHA-256 | e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79
UPnP Issue Affects Many Routers
Posted Feb 6, 2013
Authored by H D Moore, Leon Juranic, DefenseCode

A few weeks ago, DefenseCode announced the remote pre-auth root access exploit for Cisco Linksys. During further research, they have discovered that other router manufacturers are also vulnerable to the same vulnerability, since the vulnerable Broadcom UPnP stack is used across multiple router vendors. Rapid7 has produced some scary numbers surrounding how many routers are affected on the Internet.

tags | advisory, remote, root
systems | cisco
SHA-256 | 973bb983a4d13f077857f0d5faee4a6aaf7969bdaa84af71296a5aabd7a67568
Portable UPnP SDK unique_service_name() Remote Code Execution
Posted Feb 5, 2013
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this exploit uses a separate TCP listener to stage the real payload.

tags | exploit, overflow, tcp
advisories | CVE-2012-5858
SHA-256 | a7af761c0a55f9166f6f6555c6b5bf62d458d99f52fd09af4ef8ec52d41ace3b
Ruby On Rails XML Processor YAML Deserialization Code Execution
Posted Jan 11, 2013
Authored by H D Moore, lian, espes, charliesome | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any Ruby code remotely in the context of the application. This Metasploit module has been tested across multiple versions of RoR 3.x and RoR 2.x. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

tags | exploit, remote, code execution, ruby
advisories | CVE-2013-0156
SHA-256 | d099a77a1ca32680eece9ad884f4cd0bf31f1df58198575de5142cf570a88342
Apple iOS Default SSH Password
Posted Oct 10, 2012
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits the default credentials of Apple iOS when it has been jailbroken and the passwords for the 'root' and 'mobile' users have not been changed.

tags | exploit, root
systems | apple
SHA-256 | 54dd4f5278bc9c7459a9eb628b204ee6a8e4bb9050d89979261c0c78390b9f3a
phpMyAdmin 3.5.2.2 server_sync.php Backdoor
Posted Sep 26, 2012
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits an arbitrary code execution backdoor placed into phpMyAdmin version 3.5.2.2 through a compromised SourceForge mirror.

tags | exploit, arbitrary, code execution
SHA-256 | 59077add4c187d53c147d92602048e756381c136f672e418d6ccc8272b22fa12
Metasploit Framework 4.4
Posted Jul 17, 2012
Authored by H D Moore | Site metasploit.com

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Changes: 101 modules have been added. Meterpreter has been modernized. Various other improvements.
tags | tool, ruby
systems | unix
SHA-256 | ddcc7890a394d8154120a163c90b11119a0322b62d937ad1a3a14ef3fe6cf74e
RealVNC Authentication Bypass
Posted Aug 26, 2011
Authored by H D Moore, The Light Cosine | Site metasploit.com

This Metasploit module exploits an Authentication Bypass Vulnerability in RealVNC Server versions 4.1.0 and 4.1.1. It sets up a proxy listener on LPORT and proxies to the target server. The AUTOVNC option requires that vncviewer be installed on the attacking machine. This option should be disabled for Pro.

tags | exploit, bypass
advisories | CVE-2006-2369, OSVDB-25479
SHA-256 | e04dfdae1c144c55bf3ae60b0db55de39d6d8b5d1ffc4b3506d87fa3c3c8e7c6
Metasploit Framework 4.0.0
Posted Aug 2, 2011
Authored by H D Moore | Site metasploit.com

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Changes: Ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules. 20 new exploits, 3 new auxiliary modules, and 14 new post modules have been added since the last release.
tags | tool, ruby
systems | unix
SHA-256 | 45c3c379ea82e46d8efef9cbbe0afa8ae8df98e50f2642afcea84a86c83c5a50
VSFTPD 2.3.4 Backdoor Command Execution
Posted Jul 4, 2011
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was present in the vsftpd-2.3.4.tar.gz archive sometime before July 3rd 2011.

tags | exploit
SHA-256 | f14b8ca68095714503ea3c35d79fdb14e91c1b1fd6b8214907ec5b6afd7dcf37
Accellion File Transfer Appliance MPIPE2 Command Execution
Posted Mar 14, 2011
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the appliance ships with two easy-to-guess default authentication keys. This Metasploit module abuses the known default encryption keys to inject a message into the communication bus. In order to execute arbitrary commands on the remote appliance, a message is injected into the bus destined for the 'matchrep' service. This service exposes a function named 'insert_plugin_meta_info' which is vulnerable to an input validation flaw in a call to system(). This provides access to the 'soggycat' user account, which has sudo privileges to run the primary admin tool as root. These two flaws are fixed in update version FTA_8_0_562.

tags | exploit, remote, arbitrary, root, udp, vulnerability
SHA-256 | adc6990f1cf99e26413f21f398ece6121bbb6179c5ffc9a96eea0dee3107fd02
Metasploit Framework 3.6.0
Posted Mar 7, 2011
Authored by H D Moore | Site metasploit.com

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Changes: This release adds 15 new exploits for a total of 64 new modules since version 3.5.1. Includes Post Exploitation modules that provide local exploits and additional data gathering capabilities.
tags | tool, ruby
systems | unix
SHA-256 | a113cf9e1a499377807990e506acad83afee18845a148a02747087132fac39a7