This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions prior to 5.2-5967-5, which allows the execution of arbitrary commands under root privileges after website authentication. The vulnerability is located in webman/modules/StorageManager/smart.cgi, which allows appending of a command to the device to be scanned. However, the command with drive is limited to 30 characters. A somewhat valid drive name is required, thus /dev/sd is used, even though it does not exist. To circumvent the character restriction, a wget input file is staged in /a, and executed to download our payload to /b. From there the payload is executed. A wfsdelay is required to give time for the payload to download, and the execution of it to run.
22368ec0c59933bee5ea858b6786d568816185b770ebf924813f131d442f27ea
This Metasploit module exploits a command execution in Pi-Hole versions 4.4 and below. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a privilege escalation. Phase 2 writes our payload to teleporter.php, overwriting the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges.
e9e23eb75325d3d113b4298300162d67296d9023cbe19ae5f2709a0a7cace534
This Metasploit module is an exploit that takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 and subsequent, which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root.
d8c4bb35d621bfc8cf65e13632145031a44e20cc02cc3e3045d3ba14a00ed48b
This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths: C:\program.exe, and C:\program files\hello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem.
35beb1c34e027f9d421ede75729e5e7beba074f5f51a57859dc43ca3b58045a3
This Metasploit module exploits an improper use of setuid binaries within VMware Fusion versions 10.1.3 through 11.5.3. The Open VMware USB Arbitrator Service can be launched outside of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home directory in a specific folder, and creating a hard link to the Open VMware USB Arbitrator Service binary, we are able to launch it temporarily to start our payload with an effective UID of 0.
aaad84a1a18f4d6b57a25d43ba08582ab6803df92a1e0f17d5239252a6bec296
This Metasploit exploit module illustrates how a vulnerability could be exploited in a webapp.
d9287566557239fe81ea0d9ff5e76e38c47a4198c98143517d6bcf331026e3b2
This Metasploit exploit module illustrates how a vulnerability could be exploited in a linux command for privilege escalation.
5895c8d694381770d42d72e5b1a37fafc160bc89dd618ab5781e03a052bb8ddd
This Metasploit module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature scheme v2, so only APKs signed with the v1 scheme are vulnerable. Payload handler is disabled, and a multi/handler must be started first.
07dfdc4313d8080e07f5b2661f0494022dcf8b3a5afcb2da795fd921a4b33c84
This Metasploit module exploits a command injection vulnerability in Apache Tika versions 1.15 through 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic byte checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 through 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only versions greater than 1.14 were exploitable due to jp2 support being added.
1d10dcd077954ec22984a947fb2e56ca4e13c135682dadd44362021acac47063
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the localhost by dropping a python script on the local file system. Unitrends stopped bpserverd from listening remotely on version 10.
78074b1701e40ea4ef9e046d50ffaa646aa27cf4177d6b17c6371f5f32a674b7
The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107/hostcms require administrator credentials.
5db80502619550a84a9d8068ff710ec5534f3d8a3239b812c7c114f85cc7972a
It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system. UEB v9 runs the api under root privileges and api/storage is vulnerable. UEB v10 runs the api under limited privileges and api/hosts is vulnerable.
26c3d9da1b69eb5067bf4415e099c1d16549287987fd59097875111bb16caf69
This Metasploit module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO). This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and SMAP disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This Metasploit module has been tested successfully on various Ubuntu and Linux Mint systems, including: Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop; Ubuntu 16.04 4.8.0-53-generic; Linux Mint 17.3 4.4.0-89-generic; Linux Mint 18 4.8.0-58-generic
f3e398dc7268af675856d83dae02dec9fd8bde412098486a7565fb7cdd8541e2
Linux kernel versions prior to 4.14.8 utilize the Berkeley Packet Filter (BPF) which contains a vulnerability where it may improperly perform signing for an extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This Metasploit module has been tested successfully on many different kernels.
3a7fa7070c41ddc4726fd312fb66650ad5d4cd33a694060cfd4542206f2d48f1
This Metasploit module triggers an arbitrary shared library load vulnerability in GoAhead web server versions between 2.5 and that have the CGI module enabled.
bee949e92c0ea2f22d837f57390d8e28e16e861007e5e679292d373e6ac8037a
This Metasploit module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL versions 5.5.9 and below, directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This Metasploit module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.
e271ecc64a4930d48b45420b13646e62bddc742c830913aff948fcd6de464829
pfSense versions 2.3.1_1 and below contain a remote command execution vulnerability post authentication in the system_groupmanager.php page.
7e95005faf5bd57e5f8dd4d924787a1fff296c90c38c30c7cdaff7910db8bb51
WP Mobile Detector Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /wp-content/plugins/wp-mobile-detector/resize.php script does contains a remote file include for files not cached by the system already. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web server.
78c713af652be903f93b72d84bd37300ff88c13c97f655448730f42c48f8d6a6
The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication. Versions prior to 3.0.4 contain OS command injection in the ping command which can be used to execute arbitrary commands as root.
737f912aedaeba8a1d57b9dc8bd11fe5911f1fbdc0923fc3bb63f868636273f6
IPFire, a free linux based open source firewall distribution, version prior to 2.19 Update Core 110 contains a remote command execution vulnerability in the ids.cgi page in the OINKCODE field.
f8bdea7a53ee5a4ab20fad1a03f6c2a2dfaa0823d9fec5b982ed96aa724d1965
ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe. This can be abused to load a kernel module and execute a binary payload as the root user.
2ca15f26f7b775b7c9e764235153327a7035b9b299e27a2b52603944e606c8c3
This Metasploit module utilizes an administrative module which allows for command execution. This page is completely unprotected from any authentication when given a POST request.
cfcbce3052c73130003476d0ee627bdcb72ab71008ac686ffaae35583cfb31c0
This Metasploit module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation.
bf300c0c899733b435995c0ef2a36f7a7f24b72ea483dc9898f85b794dba5bc8
Linux kernel versions 4.4 and above where CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled sysctl is not set to 1 allow for BPF to be abused for privilege escalation. Ubuntu 16.04 has all of these conditions met.
f1306f2352a229f463a8023d32004c95fc69e0766b3089ee18e864c38cfcb735
This Metasploit module attempts to exploit two different CVEs (CVE-2015-1328 and CVE-2015-8660) related to overlayfs.
051ac68d3b034444740ccd04d39c409e4a6f9b78bb6c5b472cf8e1acac90159d