exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 51 - 75 of 183 RSS Feed

Files from sinn3r

Email addressx90.sinner at gmail.com
First Active2009-12-13
Last Active2022-01-12
ZPanel zsudo Local Privilege Escalation
Posted Jun 26, 2013
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses the zsudo binary, installed with zpanel, to escalate privileges. In order to work, a session with access to zsudo on the sudoers configuration is needed. This Metasploit module is useful for post exploitation of ZPanel vulnerabilities, where typically web server privileges are acquired, and this user is allowed to execute zsudo on the sudoers file.

tags | exploit, web, vulnerability
SHA-256 | 52e9e7c654a610547771110083d88813bc9a4795b691c2e9a5c3e03710e35924
FreeBSD 9 Address Space Manipulation Privilege Escalation
Posted Jun 26, 2013
Authored by Alan Cox, Hunger, sinn3r, Konstantin Belousov | Site metasploit.com

This Metasploit module exploits a vulnerability that can be used to modify portions of a process's address space, which may lead to privilege escalation. Systems such as FreeBSD 9.0 and 9.1 are known to be vulnerable.

tags | exploit
systems | freebsd
advisories | CVE-2013-2171, OSVDB-94414
SHA-256 | 9d8c78182da26e1da3cf3977d1da297ce969b5376665d620df728cbdcad3f431
ZPanel 10.0.0.2 htpasswd Module Username Command Execution
Posted Jun 23, 2013
Authored by sinn3r, shachibista | Site metasploit.com

This Metasploit module exploits a vulnerability found in ZPanel's htpasswd module. When creating .htaccess using the htpasswd module, the username field can be used to inject system commands, which is passed on to a system() function for executing the system's htpasswd's command. Please note: In order to use this module, you must have a valid account to login to ZPanel. An account part of any of the default groups should suffice, such as: Administrators, Resellers, or Users (Clients). By default, there's already a 'zadmin' user, but the password is randomly generated.

tags | exploit
advisories | OSVDB-94038
SHA-256 | b0c8395da4e46b664fc003dfc79c486c7be07dfe55feabb0ac541c4e867a7236
HP System Management Homepage JustGetSNMPQueue Command Injection
Posted Jun 22, 2013
Authored by sinn3r, Markus Wulftange | Site metasploit.com

This Metasploit module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. This results in arbitrary code execution under the context of SYSTEM. Please note: In order for the exploit to work, the victim must enable the 'tftp' command, which is the case by default for systems such as Windows XP, 2003, etc.

tags | exploit, web, arbitrary, code execution
systems | windows
advisories | CVE-2013-3576, OSVDB-94191
SHA-256 | 6266db27926cf39ef3e09f70d6ca685c96436473d8a501cfbd635527cd54d34c
LibrettoCMS File Manager Arbitrary File Upload
Posted Jun 22, 2013
Authored by CWH Underground, sinn3r | Site metasploit.com

This Metasploit module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and possibly prior. Attackers bypass the file extension check and abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.

tags | exploit, remote, arbitrary, php, code execution, file upload
advisories | OSVDB-94391
SHA-256 | 30ecd42376c5e4bb7dd7923719eb84398fa5da45f31326b369732ac687c9d496
Havalite CMS Arbitary File Upload
Posted Jun 20, 2013
Authored by CWH Underground, sinn3r | Site metasploit.com

This Metasploit module exploits a file upload vulnerability found in Havalite CMS version 1.1.7. Prior versions are possibly affected. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.

tags | exploit, remote, arbitrary, php, code execution, file upload
advisories | OSVDB-94405
SHA-256 | caf2d6ad9662842ffd45e96d09bc069561d43e22364b1adc6736d0aee2a8406c
Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
Posted Jun 10, 2013
Authored by sinn3r, h1ch4m | Site metasploit.com

This Metasploit module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDF_IN_1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry class pointer saved on the stack, and results in arbitrary code execution under the context of the user. Also note that since the WinExec function is used to call the default browser, you must be aware that: 1) The default must be Internet Explorer, and 2) When the exploit runs, another browser will pop up. Synactis PDF In-The-Box is also used by other software such as Logic Print 2013, which is how the vulnerability was found and publicly disclosed.

tags | exploit, arbitrary, code execution, activex
advisories | OSVDB-93754
SHA-256 | 717b46a540961e751ccf7b61962579a6966ed5098437c588fd29d0ce3364ac7b
Microsoft Internet Explorer CGenericElement Object Use-After-Free
Posted May 7, 2013
Authored by sinn3r, juan vazquez, temp66, EMH | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.

tags | exploit, arbitrary, code execution
advisories | CVE-2013-1347, OSVDB-92993
SHA-256 | 723999396b06b95680fb759bf7a793de8245f41f4c76b136b6109a09e4954141
Windows Manage Memory Payload Injection
Posted Jan 24, 2013
Authored by sinn3r, Carlos Perez | Site metasploit.com

This Metasploit module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.

tags | exploit, x86, tcp
SHA-256 | 19c7c53f42d760a9afadc94975ca390c02a34390696f9912af9f0ec1463460e1
Java Applet JMX Remote Code Execution
Posted Jan 11, 2013
Authored by unknown, egypt, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2013-0422
SHA-256 | 4a0fb8aa0b393da39aa32b84a93368c9393fd500aac21eeb9e7f26dc757220b7
Microsoft Internet Explorer Option Element Use-After-Free
Posted Jan 10, 2013
Authored by Ivan Fratric, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user.

tags | exploit, javascript, code execution
advisories | CVE-2011-1996
SHA-256 | 307b7adfa8d05c300b48db94ceb041a3ced231d646f14a788423d6874081b7c4
Microsoft Internet Explorer CButton Object Use-After-Free
Posted Jan 2, 2013
Authored by Eric Romang, sinn3r, juan vazquez, mahmud ab rahman | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

tags | exploit, arbitrary, code execution
advisories | CVE-2012-4792
SHA-256 | 533129f761cf4d8924232d6abdcf16e58a9823d5ff768d51fa0cc0628e64d91b
Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free
Posted Dec 31, 2012
Authored by Eric Romang, sinn3r, juan vazquez, mahmud ab rahman | Site metasploit.com

This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

tags | exploit, arbitrary, code execution
advisories | CVE-2012-4792
SHA-256 | e321b503a83791aeb063c8940adcdb875c9201669df143b59807fe08c4b13986
Netwin SurgeFTP Remote Command Execution
Posted Dec 24, 2012
Authored by sinn3r, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. In order to execute commands via the FTP service, please note that you must have a valid credential to the web-based administrative console.

tags | exploit, web
SHA-256 | d2cfc6fc7d86461f770fda0e4daee3857ea9a4952d95f4921e2a9e92c4b23c57
Nagios XI Network Monitor Graph Explorer Component Command Injection
Posted Dec 9, 2012
Authored by sinn3r, Daniel Compton | Site metasploit.com

This Metasploit module exploits a vulnerability found in Nagios XI Network Monitor's component 'Graph Explorer'. An authenticated user can execute system commands by injecting it in several parameters, such as in visApi.php's 'host' parameter, which results in remote code execution.

tags | exploit, remote, php, code execution
advisories | OSVDB-83552
SHA-256 | 03511b3aec77711f36f512b8cfc1cc8dbd2684b2a54143164f62d0d971975ee5
FreeFloat FTP Server Arbitrary File Upload
Posted Dec 8, 2012
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses multiple issues in FreeFloat: 1. No credential is actually needed to login; 2. User's default path is in C:\, and this cannot be changed; 3. User can write to anywhere on the server's file system. As a result of these poor implementations, a malicious user can just log in and then upload files, and let WMI (Management Instrumentation service) to execute the payload uploaded.

tags | exploit
SHA-256 | 7e4b33e6e72bc7067803b531d78ed6fe17a2b9daf5dacfbff469915388c07408
Maxthon3 about:history XCS Trusted Zone Code Execution
Posted Dec 8, 2012
Authored by Roberto Suggi Liverani, sinn3r, juan vazquez | Site metasploit.com

Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection in such privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. Please note this module only works against specific versions of XCS. Currently, we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.

tags | exploit, arbitrary
SHA-256 | edfb695d586066cbef9515fde0393bb119c669cea54c3475dc93bb3dcdbc8c10
Splunk 5.0 Custom App Remote Code Execution
Posted Dec 8, 2012
Authored by sinn3r, juan vazquez, [at]marcwickenden | Site metasploit.com

This Metasploit module exploits a feature of Splunk whereby a custom application can be uploaded through the web based interface. Through the 'script' search command a user can call commands defined in their custom application which includes arbitrary perl or python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. This Metasploit module has only been tested successfully against Splunk 5.0.

tags | exploit, web, arbitrary, root, perl, python
systems | linux, windows
SHA-256 | 638c1ea3c9f99886762f0c13cc824ca25fe4fd419cf32123b703084f0680888f
Oracle MySQL For Microsoft Windows MOF Execution
Posted Dec 7, 2012
Authored by Kingcope, sinn3r | Site metasploit.com

This Metasploit modules takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers (due to the use of a .mof file). This may result in arbitrary code execution under the context of SYSTEM. However, please note in order to use this module, you must have a valid MySQL account on the target machine.

tags | exploit, arbitrary, code execution
systems | windows
advisories | CVE-2012-5613
SHA-256 | 4bdddccff72e6f861ece38c09f5e2d07982390d9788ff9574617a88479fcf1dc
Tectia SSH USERAUTH Change Request Password Reset
Posted Dec 5, 2012
Authored by Kingcope, sinn3r, bperry | Site metasploit.com

This Metasploit module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request before password authentication, allowing any remote user to bypass the login routine, and then gain access as root.

tags | exploit, remote, root
systems | unix
SHA-256 | a8cae2783ae383b985cfe414beea92207b93fca99d51ada21c788b6eff779ccc
BlazeVideo HDTV Player Pro 6.6 Filename Handling
Posted Nov 30, 2012
Authored by sinn3r, b33f | Site metasploit.com

This Metasploit module exploits a vulnerability found in BlazeVideo HDTV Player's filename handling routine. When supplying a string of input data embedded in a .plf file, the MediaPlayerCtrl.dll component will try to extract a filename by using PathFindFileNameA(), and then copies whatever the return value is on the stack by using an inline strcpy. As a result, if this input data is long enough, it can cause a stack-based buffer overflow, which may lead to arbitrary code execution under the context of the user.

tags | exploit, overflow, arbitrary, code execution
advisories | OSVDB-80896
SHA-256 | ab34370a5debea1b2a8db24c582834304ee72c0e5a992dbbbcfedc31867011f6
Network Shutdown Module 3.21 Remote PHP Code Injection
Posted Nov 29, 2012
Authored by sinn3r, h0ng10 | Site metasploit.com

This Metasploit module exploits a vulnerability in lib/dbtools.inc which uses unsanitized user input inside a eval() call. Additionally the base64 encoded user credentials are extracted from the database of the application. Please note that in order to be able to steal credentials, the vulnerable service must have at least one USV module (an entry in the "nodes" table in mgedb.db).

tags | exploit
advisories | OSVDB-83199
SHA-256 | ca94d18543aafa961d153b779642fdaf4da2fc45b207ec0756a59de101a2cf5d
Narcissus Image Configuration Passthru
Posted Nov 21, 2012
Authored by dun, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in Narcissus image configuration function. This is due to the backend.php file not handling the $release parameter properly, and then passes it on to the configure_image() function. In this function, the $release parameter can be used to inject system commands for passthru (a PHP function that's meant to be used to run a bash script by the vulnerable application), which allows remote code execution under the context of the web server.

tags | exploit, remote, web, php, code execution, bash
SHA-256 | e4e301239f9dd9233d1f53f7eeec494854791ab17cbfc496d7ff9fc4c9b4e501
Invision IP.Board 3.3.4 unserialize() PHP Code Execution
Posted Nov 13, 2012
Authored by EgiX, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a php unserialize() vulnerability in Invision IP.Board versions 3.3.4 and below which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the '/admin/sources/base/core.php' script, which is called with user controlled data from the cookie. The exploit abuses the __destruct() method from the dbMain class to write arbitrary PHP code to a file on the Invision IP.Board web directory. The exploit has been tested successfully on Invision IP.Board 3.3.4.

tags | exploit, web, arbitrary, php
advisories | CVE-2012-5692, OSVDB-86702
SHA-256 | 7e91adb9a9ee325db99241f1b63825bee21c97d9b41b272172e2f7674cc58e74
HP Intelligent Management Center UAM Buffer Overflow
Posted Nov 2, 2012
Authored by sinn3r, juan vazquez, e6af8de8b1d4b2b6d5ba2610cbf9cd38 | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in HP Intelligent Management Center UAM. The vulnerability exists in the uam.exe component, when using sprint in a insecure way for logging purposes. The vulnerability can be triggered by sending a malformed packet to the 1811/UDP port. The module has been successfully tested on HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, udp
systems | windows
advisories | OSVDB-85060
SHA-256 | ac8cdc8e8017e39159b8c147cb07c719d3801fc71b487e702a1f8e5c81fd7c8c
Page 3 of 8
Back12345Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close