This Metasploit module exploits a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8. The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. With this weak permission, you are able to inject commands into the systemd-tmpfiles service to write a cron job to execute a payload. systemd-tmpfiles is executed by default on boot on RedHat-based systems through systemd-tmpfiles-setup.service. Depending on the system in use, the execution of systemd-tmpfiles could also be triggered by other services, cronjobs, startup scripts etc. This module was tested against Tomcat 7.0.54-3 on Fedora 21.
903a0ee785179782b1e32acadddf0c0d236bad5fe9aa7a732795ae129d42f00eThis Metasploit module targets a vulnerability in Tomcat versions 6, 7, and 8 on Debian-based distributions where these older versions provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account to escalate their privileges from the tomcat user to root and fully compromise the target system.
0ac41921eb75c8008e9f94786db836a9f76e614d54c6925c606eecf1de5fb188This Metasploit modules exploits a critical vulnerability in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, which allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool.
aa2d400dab7c8721b2c5166ed34cccd536045aa8292ad9a6b5fb2e07509a8b9eGNU wget versions prior to 1.1.8 arbitrary file upload and code execution exploit.
9eb9c61465681cef828940670f5a66c10bc60e1ed0055a7bd92271cfbcee572fProof of concept git-lfs remote code execution exploit written in Go. Affects Git, GitHub CLI, GitHub Desktop, Visual Studio, GitKraken, SmartGit, SourceTree, and more.
0c8177c46d702e8d2020c52ea4e282b0e930192714df192331520c8802c41440This Metasploit module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.
928eb6125df4b025be7b68270b411eb5dfb58e8b71a32b25b6ed380ce5e0f241Vanilla Forums versions 2.3 and below remote code execution exploit.
5c7ea9a23a9cecb94400f22b0952a0d9d93fc3cf4ada6196b41f4105e85931c2WordPress (core) 4.6 suffers from an unauthenticated remote code execution condition via an exploitable version of PHPMailer built-in to WordPress code. Exploitation details provided.
3562cc0222ccab73bf32045e3f2bee84233aef4cd3e169a98bcd74a969767f51SquirrelMail versions 1.4.22 and below suffer from a remote code execution vulnerability.
de177f6f9977394beaa2b7397b15b81799bfe18c2f8520e2c8cfe277e5f308a5PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This Metasploit module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.
70cf2a666368f1670d184b2da81850b9fd8aabe74acc4c71858fb6c372248cc8This proof of concept exploit aims to execute a reverse shell on the target in the context of the web server user via a vulnerable PHP email library.
a6480837acf975f49749549e06ab31dc5538b6276d390b38aa0f7a89e63148d0SwiftMailer versions prior to 5.4.5-DEV suffers from a remote code execution vulnerability.
6c8d495f3e13599fefac246580f75812ee61962841c2cff7e333f604d3caee57PHPMailer versions prior to 5.2.20 zero day remote code execution exploit. This bypasses the CVE-2016-10033 patch.
773582183b0cfc6f38ae24f52f7dfb831cd2f3410287245bc6daea84d4d8db83PHPMailer versions prior to 5.2.18 suffer from a remote code execution vulnerability. This archive consists of the full advisory and also the proof of concept code.
dff0fa27b99b22d59b30f33bda4811c6f57a5db1cf1cab549e564bd62faa8e9cPHPMailer version 5.2.17 suffers from a remote code execution vulnerability.
71254449b5468229de9f3d24cd3659f8ff035410115b6cf7f950f99bf518712fNagios Core versions prior to 4.2.2 suffer from a curl command injection vulnerability that can lead to remote code execution.
c3b5ce14fa314de6954bd04ce7bfdf56d1d7a73489b184889179a25362cc9a20GNU wget versions 1.17 and earlier, when used in mirroring/recursive mode, are affected by a race condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with the -A parameter. This might allow attackers to place malicious/restricted files onto the system. Depending on the application / download directory, this could potentially lead to other vulnerabilities such as code execution, etc.
c9c7cf1f94f2e1d07833e7d43576bff9a1066ace4df75ff0824c5188b1e5e8feNginx web server packaging on Debian-based distributions such as Debian or Ubuntu was found to create log directories with insecure permissions which can be exploited by malicious local attackers to escalate their privileges from nginx/web user (www-data) to root. The vulnerability could be easily exploited by attackers who have managed to compromise a web application hosted on Nginx server and gained access to www-data account as it would allow them to escalate their privileges further to root access and fully compromise the system. This is fixed in 1.6.2-5+deb8u3 package on Debian and 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS. UPDATE 2017/01/13 - nginx packages below version 1.10.2-r3 on Gentoo are also affected.
572946533a64d6b9af6ce4ce53d1c39bc1cc476f9cdbd639425b4aed7713bcefMySQL-based databases including MySQL, MariaDB and PerconaDB are affected by a privilege escalation vulnerability which can let attackers who have gained access to mysql system user to further escalate their privileges to root user allowing them to fully compromise the system. The vulnerability stems from unsafe file handling of error logs and other files.
ee10c5cd536b7cd793ebaa9a73ff8ae60ef21aeb38f837d26de4bd6c0456a67aAn independent research has revealed a race condition vulnerability which affects MySQL, MariaDB and PerconaDB databases. The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically 'mysql').
01f753f3d94e735ce76518cc2e604e919a99e02cf0b9361221ae6463f8e2aed2Apache Tomcat versions 8, 7, and 6 suffer from a privilege escalation vulnerability on RedHat-based distros.
12ec6d054904816f7a7adc452b470c239ac9e45d1cbea47b206cc70413667d52Apache Tomcat versions 8.0.36-2 and below, 7.0.70-2 and below, and 6.0.45+dfsg-1~deb8ul and below suffer from a local root privilege escalation vulnerability.
893a92e39c86918879337de752d3a9e073dfec764fa778ff27ab1e26ede6e1a3MySQL versions 5.7.15 and below, 5.6.33 and below, and 5.5.52 and below suffer from remote root code execution and privilege escalation vulnerabilities.
5e8a01e26f616b7e322e11ee4900c798c738b94ceece89ba36e9df202cdc0496Adobe ColdFusion versions 11 and below suffer from an XML external entity (XXE) injection vulnerability.
a212b04a6debb5df2b3e137824d36dd10c3fdf16684e40ee63a9ffdcf54319c3vBulletin versions 5.2.2 and below, 4.2.3 and below, and 3.8.9 and below suffer from a pre-auth server side request forgery vulnerability.
2399e0f10243e428aec1ae8502b9ebad331ccfb7745a1e7561bbf4566c53fd7a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed