This Metasploit module abuses the zsudo binary, installed with zpanel, to escalate privileges. In order to work, a session with access to zsudo on the sudoers configuration is needed. This Metasploit module is useful for post exploitation of ZPanel vulnerabilities, where typically web server privileges are acquired, and this user is allowed to execute zsudo on the sudoers file.
52e9e7c654a610547771110083d88813bc9a4795b691c2e9a5c3e03710e35924
This Metasploit module exploits a vulnerability that can be used to modify portions of a process's address space, which may lead to privilege escalation. Systems such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
9d8c78182da26e1da3cf3977d1da297ce969b5376665d620df728cbdcad3f431
This Metasploit module exploits a vulnerability found in ZPanel's htpasswd module. When creating .htaccess using the htpasswd module, the username field can be used to inject system commands, which is passed on to a system() function for executing the system's htpasswd's command. Please note: In order to use this module, you must have a valid account to login to ZPanel. An account part of any of the default groups should suffice, such as: Administrators, Resellers, or Users (Clients). By default, there's already a 'zadmin' user, but the password is randomly generated.
b0c8395da4e46b664fc003dfc79c486c7be07dfe55feabb0ac541c4e867a7236
This Metasploit module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. This results in arbitrary code execution under the context of SYSTEM. Please note: In order for the exploit to work, the victim must enable the 'tftp' command, which is the case by default for systems such as Windows XP, 2003, etc.
6266db27926cf39ef3e09f70d6ca685c96436473d8a501cfbd635527cd54d34c
This Metasploit module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and possibly prior. Attackers bypass the file extension check and abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
30ecd42376c5e4bb7dd7923719eb84398fa5da45f31326b369732ac687c9d496
This Metasploit module exploits a file upload vulnerability found in Havalite CMS version 1.1.7. Prior versions are possibly affected. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
caf2d6ad9662842ffd45e96d09bc069561d43e22364b1adc6736d0aee2a8406c
This Metasploit module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDF_IN_1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry class pointer saved on the stack, and results in arbitrary code execution under the context of the user. Also note that since the WinExec function is used to call the default browser, you must be aware that: 1) The default must be Internet Explorer, and 2) When the exploit runs, another browser will pop up. Synactis PDF In-The-Box is also used by other software such as Logic Print 2013, which is how the vulnerability was found and publicly disclosed.
717b46a540961e751ccf7b61962579a6966ed5098437c588fd29d0ce3364ac7b
This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.
723999396b06b95680fb759bf7a793de8245f41f4c76b136b6109a09e4954141
This Metasploit module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.
19c7c53f42d760a9afadc94975ca390c02a34390696f9912af9f0ec1463460e1
This Metasploit module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.
4a0fb8aa0b393da39aa32b84a93368c9393fd500aac21eeb9e7f26dc757220b7
This Metasploit module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user.
307b7adfa8d05c300b48db94ceb041a3ced231d646f14a788423d6874081b7c4
This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.
533129f761cf4d8924232d6abdcf16e58a9823d5ff768d51fa0cc0628e64d91b
This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.
e321b503a83791aeb063c8940adcdb875c9201669df143b59807fe08c4b13986
This Metasploit module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. In order to execute commands via the FTP service, please note that you must have a valid credential to the web-based administrative console.
d2cfc6fc7d86461f770fda0e4daee3857ea9a4952d95f4921e2a9e92c4b23c57
This Metasploit module exploits a vulnerability found in Nagios XI Network Monitor's component 'Graph Explorer'. An authenticated user can execute system commands by injecting it in several parameters, such as in visApi.php's 'host' parameter, which results in remote code execution.
03511b3aec77711f36f512b8cfc1cc8dbd2684b2a54143164f62d0d971975ee5
This Metasploit module abuses multiple issues in FreeFloat: 1. No credential is actually needed to login; 2. User's default path is in C:\, and this cannot be changed; 3. User can write to anywhere on the server's file system. As a result of these poor implementations, a malicious user can just log in and then upload files, and let WMI (Management Instrumentation service) to execute the payload uploaded.
7e4b33e6e72bc7067803b531d78ed6fe17a2b9daf5dacfbff469915388c07408
Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection in such privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. Please note this module only works against specific versions of XCS. Currently, we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.
edfb695d586066cbef9515fde0393bb119c669cea54c3475dc93bb3dcdbc8c10
This Metasploit module exploits a feature of Splunk whereby a custom application can be uploaded through the web based interface. Through the 'script' search command a user can call commands defined in their custom application which includes arbitrary perl or python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. This Metasploit module has only been tested successfully against Splunk 5.0.
638c1ea3c9f99886762f0c13cc824ca25fe4fd419cf32123b703084f0680888f
This Metasploit modules takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers (due to the use of a .mof file). This may result in arbitrary code execution under the context of SYSTEM. However, please note in order to use this module, you must have a valid MySQL account on the target machine.
4bdddccff72e6f861ece38c09f5e2d07982390d9788ff9574617a88479fcf1dc
This Metasploit module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request before password authentication, allowing any remote user to bypass the login routine, and then gain access as root.
a8cae2783ae383b985cfe414beea92207b93fca99d51ada21c788b6eff779ccc
This Metasploit module exploits a vulnerability found in BlazeVideo HDTV Player's filename handling routine. When supplying a string of input data embedded in a .plf file, the MediaPlayerCtrl.dll component will try to extract a filename by using PathFindFileNameA(), and then copies whatever the return value is on the stack by using an inline strcpy. As a result, if this input data is long enough, it can cause a stack-based buffer overflow, which may lead to arbitrary code execution under the context of the user.
ab34370a5debea1b2a8db24c582834304ee72c0e5a992dbbbcfedc31867011f6
This Metasploit module exploits a vulnerability in lib/dbtools.inc which uses unsanitized user input inside a eval() call. Additionally the base64 encoded user credentials are extracted from the database of the application. Please note that in order to be able to steal credentials, the vulnerable service must have at least one USV module (an entry in the "nodes" table in mgedb.db).
ca94d18543aafa961d153b779642fdaf4da2fc45b207ec0756a59de101a2cf5d
This Metasploit module exploits a vulnerability found in Narcissus image configuration function. This is due to the backend.php file not handling the $release parameter properly, and then passes it on to the configure_image() function. In this function, the $release parameter can be used to inject system commands for passthru (a PHP function that's meant to be used to run a bash script by the vulnerable application), which allows remote code execution under the context of the web server.
e4e301239f9dd9233d1f53f7eeec494854791ab17cbfc496d7ff9fc4c9b4e501
This Metasploit module exploits a php unserialize() vulnerability in Invision IP.Board versions 3.3.4 and below which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the '/admin/sources/base/core.php' script, which is called with user controlled data from the cookie. The exploit abuses the __destruct() method from the dbMain class to write arbitrary PHP code to a file on the Invision IP.Board web directory. The exploit has been tested successfully on Invision IP.Board 3.3.4.
7e91adb9a9ee325db99241f1b63825bee21c97d9b41b272172e2f7674cc58e74
This Metasploit module exploits a remote buffer overflow in HP Intelligent Management Center UAM. The vulnerability exists in the uam.exe component, when using sprint in a insecure way for logging purposes. The vulnerability can be triggered by sending a malformed packet to the 1811/UDP port. The module has been successfully tested on HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).
ac8cdc8e8017e39159b8c147cb07c719d3801fc71b487e702a1f8e5c81fd7c8c