what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 83 RSS Feed

Files from h00die

Email addressmike at stcyrsecurity.com
First Active2009-03-09
Last Active2023-09-08
Kibana Timelion Prototype Pollution Remote Code Execution
Posted Sep 8, 2023
Authored by h00die, Gaetan Ferry, Michal Bentkowski | Site metasploit.com

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execution with permissions of the Kibana process on the host system. Exploitation will require a service or system reboot to restore normal operation. The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a docker image caused 6 shells.

tags | exploit, arbitrary, shell, javascript, code execution
advisories | CVE-2019-7609
SHA-256 | 218aabf6c87ec8ccc508ad1d2d5d2ca8b265eead008ca12a1926cb66c80614ab
Apache NiFi H2 Connection String Remote Code Execution
Posted Aug 30, 2023
Authored by h00die, Matei Mal Badanoiu | Site metasploit.com

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells (5-7). Successfully tested against Apache nifi 1.17.0 through 1.21.0.

tags | exploit, shell, code execution
advisories | CVE-2023-34468
SHA-256 | 0160a2622a4649020abd8fb0d476ca59d2c4968c668499c8167e44d6c9276020
H2 Web Interface Create Alias Remote Code Execution
Posted Aug 16, 2023
Authored by h00die, gambler, h4ckNinja, Nairuz Abulhul | Site metasploit.com

The H2 database contains an alias function which allows for arbitrary Java code to be used. This functionality can be abused to create an exec functionality to pull our payload down and execute it. H2's web interface contains restricts MANY characters, so injecting a payload directly is not favorable. A valid database connection is required. If the database engine was configured to allow creation of databases, the module default can be used which utilizes an in memory database. Some Docker instances of H2 don't allow writing to folders such as /tmp, so we default to writing to the working directory of the software. This Metasploit module was tested against H2 version 2.1.214, 2.0.204, 1.4.199 (version detection fails).

tags | exploit, java, web, arbitrary
SHA-256 | 07a91f31f74a5616ef0d92c5c535db18babf8aacc5e32f1b0d759b6219544cc8
Metabase Remote Code Execution
Posted Aug 9, 2023
Authored by h00die, Shubham Shah, Maxwell Garrett | Site metasploit.com

Metabase versions before contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6.

tags | exploit, code execution
advisories | CVE-2023-38646
SHA-256 | 0a49c9f4d4d3d065adc61a8d542b1a3379563811b2a4fdfe39b4bc3102f9d059
VMWare Aria Operations For Networks Remote Command Execution
Posted Jul 26, 2023
Authored by h00die, Sina Kheirkhah | Site metasploit.com

VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of root on the appliance. VMWare 6.x version are vulnerable. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges. Successfully tested against version 6.8.0.

tags | exploit, remote, arbitrary, root, code execution
advisories | CVE-2023-20887
SHA-256 | 9a55a0c02bec8e756eeac40f3ab58ccc0499c9bbbde741db5c148ebfa61b29ee
Apache RocketMQ 5.1.0 Arbitrary Code Injection
Posted Jul 7, 2023
Authored by h00die, jheysel-r7, Malayke | Site metasploit.com

RocketMQ versions 5.1.0 and below are vulnerable to arbitrary code injection. Broker component of RocketMQ is leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

tags | exploit, arbitrary, protocol
advisories | CVE-2023-33246
SHA-256 | b33a501b649fb4900d4cb03d01bea674dda00bc78e807afce60061fd47ecfcea
Sudoedit Extra Arguments Privilege Escalation
Posted May 23, 2023
Authored by h00die, Matthieu Barjole, Victor Cutillas | Site metasploit.com

This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package. The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root privileges. Affected versions are 1.8.0 through 1.9.12.p1. However, this module only works against Ubuntu 22.04 and 22.10. This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04 and 1.9.11p3-1ubuntu1 on Ubuntu 22.10.

tags | exploit, arbitrary, local, root
systems | linux, ubuntu
advisories | CVE-2023-22809
SHA-256 | eaefd5435610f2d14b94c9716c1cfacaa1464408e9bb9ca12c02d1fd7cb21f04
Apache Tomcat Privilege Escalation
Posted Mar 14, 2023
Authored by h00die, Dawid Golunski | Site metasploit.com

This Metasploit module exploits a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8. The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. With this weak permission, you are able to inject commands into the systemd-tmpfiles service to write a cron job to execute a payload. systemd-tmpfiles is executed by default on boot on RedHat-based systems through systemd-tmpfiles-setup.service. Depending on the system in use, the execution of systemd-tmpfiles could also be triggered by other services, cronjobs, startup scripts etc. This module was tested against Tomcat 7.0.54-3 on Fedora 21.

tags | exploit
systems | linux, redhat, fedora
advisories | CVE-2016-5425
SHA-256 | 903a0ee785179782b1e32acadddf0c0d236bad5fe9aa7a732795ae129d42f00e
Apache Tomcat On Ubuntu Log Init Privilege Escalation
Posted Feb 6, 2023
Authored by h00die, Dawid Golunski | Site metasploit.com

This Metasploit module targets a vulnerability in Tomcat versions 6, 7, and 8 on Debian-based distributions where these older versions provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account to escalate their privileges from the tomcat user to root and fully compromise the target system.

tags | exploit, local, root
systems | linux, debian
advisories | CVE-2016-1240
SHA-256 | 0ac41921eb75c8008e9f94786db836a9f76e614d54c6925c606eecf1de5fb188
io_uring Same Type Object Reuse Privilege Escalation
Posted Feb 1, 2023
Authored by h00die, Mathias Krause, Ryota Shiga | Site metasploit.com

This Metasploit module exploits a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes. This exploit will spawn SUID programs to get the freed cred object reallocated by a privileged process and abuse them to create a SUID root binary that will pop a shell. The dangling cred pointer will, however, lead to a kernel panic as soon as the task terminates and its credentials are destroyed. We therefore detach from the controlling terminal, block all signals and rest in silence until the system shuts down and we get killed hard, just to cry in vain, seeing the kernel collapse. The bug affected kernels from v5.12-rc3 to v5.14-rc7. More than 1 CPU is required for exploitation. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.

tags | exploit, shell, kernel, root
systems | linux, ubuntu
advisories | CVE-2022-1043
SHA-256 | ddab5b3975fc82e2a23c5e4e05a57af4893abfbc613df02d507c1013c62dc088
vmwgfx Driver File Descriptor Handling Privilege Escalation
Posted Feb 1, 2023
Authored by h00die, Mathias Krause | Site metasploit.com

If the vmwgfx driver fails to copy the fence_rep object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd() which shouldn't be used, as the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a freed file object. The authors use this bug to overwrite a SUID binary with their payload and gain root. Linux kernel versions 4.14-rc1 - 5.17-rc1 are vulnerable. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.

tags | exploit, kernel, root
systems | linux, ubuntu
advisories | CVE-2022-22942
SHA-256 | 6360a81de99a383330c5955ece5414f2f3b254143f1a5b9246e669769aa929fc
VMware vCenter vScalation Privilege Escalation
Posted Dec 6, 2022
Authored by h00die, Yuval Lazar | Site metasploit.com

This Metasploit module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the cis group to write to the file, which will execute as root on vmware-vmon service restart or host reboot. This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488. Vulnerable versions should include vCenter 7.0 before U2c, vCenter 6.7 before U3o, and vCenter 6.5 before U3q.

tags | exploit, java, root
advisories | CVE-2021-22015
SHA-256 | e5bb28e758144ba8e3fbddf9c9f2df8795ff92df6198a13b91a6aa3fb2f54509
Remote Control Collection Remote Code Execution
Posted Nov 29, 2022
Authored by h00die, H4rk3nz0 | Site metasploit.com

This Metasploit module utilizes the Remote Control Server's protocol to deploy a payload and run it from the server. Remote Control Collection by Steppschuh version was tested and affected at the time of the module writing.

tags | exploit, remote, protocol
SHA-256 | 8ec54480d8b7f9ded99d2b49657f9832dc3a324e3a72069c93377bd06f3766c0
Remote Mouse 4.110 Remote Code Execution
Posted Oct 5, 2022
Authored by h00die, 0rphon, H4rk3nz0 | Site metasploit.com

This Metasploit module utilizes the Remote Mouse Server by Emote Interactive protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password (default). Tested against 4.110, current at the time of module writing.

tags | exploit, remote, protocol
advisories | CVE-2022-3365
SHA-256 | c755856cc22f5c73769a789fca2bba93c17cf5a3be391dbe30fc988e69e8e0bc
Ubuntu 22.04.1 X64 Desktop Enlightenment 0.25.3-1 Privilege Escalation
Posted Oct 5, 2022
Authored by h00die, Maher Azzouzi | Site metasploit.com

This Metasploit module exploits a command injection within Enlightenment's enlightenment_sys binary. This is done by calling the mount command and feeding it paths which meet all of the system requirements, but execute a specific path as well due to a semi-colon being used. This module was tested on Ubuntu 22.04.1 X64 Desktop with enlightenment 0.25.3-1 (current at module write time).

tags | exploit
systems | linux, ubuntu
advisories | CVE-2022-37706
SHA-256 | 2d952d42924466b709a23b5f40edb0a8dcb5cde23f8d5e429d729b94fe696986
WordPress Elementor 3.6.2 Shell Upload
Posted Oct 4, 2022
Authored by h00die, Ramuel Gall, AkuCyberSec | Site metasploit.com

WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.

tags | exploit, remote, shell
advisories | CVE-2022-1329
SHA-256 | 0537a61d8c7e168ee93f25ae88cc62b13741cb186c02291ebc2f946f834cd81f
Mobile Mouse Remote Code Execution
Posted Sep 28, 2022
Authored by h00die, Chokri Hammedi | Site metasploit.com

This Metasploit module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password (default). Tested against, the current version at the time of module writing.

tags | exploit, protocol
SHA-256 | 35ce38a49d631a1847c797e9146b16df6ce4723bdc80f1fe1d1a02f833e0ab88
WiFi Mouse Remote Code Execution
Posted Sep 26, 2022
Authored by h00die, H4rk3nz0, RedHatAugust | Site metasploit.com

The WiFi Mouse (Mouse Server) from Necta LLC contains an authentication bypass as the authentication is completely implemented entirely on the client side. By utilizing this vulnerability, is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user running WiFi Mouse (Mouse Server), resulting in remote code execution. Tested against versions (current as of module writing) and

tags | exploit, remote, code execution
advisories | CVE-2022-3218
SHA-256 | a1eb49c803eef32a7d3986d02c20457c3afa4cb25fe942b90918d6d5bcceb6e6
Unified Remote Authentication Bypass / Code Execution
Posted Sep 21, 2022
Authored by h00die, H4rk3nz0 | Site metasploit.com

This Metasploit module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly. This module has been successfully tested against version (50) on Windows 10.

tags | exploit, remote, web, protocol
systems | windows
advisories | CVE-2022-3229
SHA-256 | 6c2eb4ad5b1e41ad931f1a7eef24882ce7a6fe92ea15f97c143643b989a7e758
WordPress Catch Themes Demo Import Shell Upload
Posted Jan 5, 2022
Authored by h00die, Thinkland Security Team, Ron Jost | Site metasploit.com

WordPress Catch Themes Demo Import plugin versions prior to 1.8 suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell
advisories | CVE-2021-39352
SHA-256 | 999305fb949e529f94cd8317c66ad4e660226106492dac5ff2bb180f31a8f911
WordPress Popular Posts 5.3.2 Remote Code Execution
Posted Dec 20, 2021
Authored by h00die, Simone Cristofaro, Jerome Bruandet | Site metasploit.com

This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request for the payload, prior to getting a GET request. This exploit leverages an authenticated improper input validation in WordPress plugin Popular Posts versions 5.3.2 and below. The exploit chain is rather complicated. Authentication is required and gd for PHP is required on the server. Then the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget. A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once the post hits the top 5, and after a 60 second server cache refresh (the exploit waits 90 seconds), the homepage widget is loaded which triggers the plugin to download the payload from the server. The payload has a GIF header, and a double extension (.gif.php) allowing for arbitrary PHP code to be executed.

tags | exploit, web, arbitrary, php
advisories | CVE-2021-42362
SHA-256 | 90db5fa8de8fdf34a913230d5320fbeba171c2aac53e75371d7b3d5919bde065
WordPress Pie Register Authentication Bypass / Remote Code Execution
Posted Nov 2, 2021
Authored by h00die, Lotfi13-DZ | Site metasploit.com

This Metasploit module uses an authentication bypass vulnerability in Wordpress Pie Register plugin versions and below to generate a valid cookie. With this cookie, hopefully of the admin, it will generate a plugin, pack the payload into it and upload it to a server running WordPress.

tags | exploit, bypass
SHA-256 | 264c63ccfe6e89f9ea56a7b424108e323208432961e4e3c392e667c8ffa32f85
Moodle Admin Shell Upload
Posted Oct 12, 2021
Authored by h00die, Ozkan Mustafa Akkus | Site metasploit.com

This Metasploit module will generate a plugin which can receive a malicious payload request and upload it to a server running Moodle provided valid admin credentials are used. Then the payload is sent for execution, and the plugin uninstalled. You must have an admin account to exploit this vulnerability. Successfully tested against versions 3.6.3, 3.8.0, 3.9.0, 3.10.0, and 3.11.2.

tags | exploit
advisories | CVE-2019-11631
SHA-256 | 8e027d34ac307719476edac910f52b3c1a60df2f19ea4139da74bef6fe99f771
Moodle SpellChecker Path Authenticated Remote Command Execution
Posted Oct 12, 2021
Authored by h00die, Adam Reiser | Site metasploit.com

Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path to include a command injection. This is extremely similar to CVE-2013-3630, just using a different variable. This Metasploit module was tested against Moodle versions 3.11.2, 3.10.0, and 3.8.0.

tags | exploit, web
advisories | CVE-2021-21809
SHA-256 | 33c8bb6a0f9058457ef9ea11c88cb44a8e6a479225f59eb841f22283ace6b68d
Moodle Teacher Enrollment Privilege Escalation / Remote Code Execution
Posted Oct 12, 2021
Authored by h00die, lanz, HoangKien1020 | Site metasploit.com

Moodle versions 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12, and earlier unsupported versions allow for a teacher to exploit chain to remote code execution. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add someone with manager privileges on the system (not just the class). After adding a system manager, a loginas feature is used to access their account. Next the system is reconfigured to allow for all users to install an addon/plugin. Then a malicious theme is uploaded and creates an RCE. If all of that is a success, we revert permissions for managers to system default and remove our malicious theme. Manual cleanup to remove students from the class is required. This Metasploit module was tested against Moodle version 3.9.

tags | exploit, remote, code execution
advisories | CVE-2020-14321
SHA-256 | 205b825b62b384a2d5ae9bd69ed58048fe2f9c7d0177ca1d41a5a492899940b2
Page 1 of 4

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By