exploit the possibilities
Showing 1 - 25 of 52 RSS Feed

Files from Spencer McIntyre

Email addresssmcintyre at securestate.com
First Active2011-01-12
Last Active2022-03-31
Spring Cloud Function SpEL Injection
Posted Mar 31, 2022
Authored by Spencer McIntyre, m09u3r, hktalent | Site metasploit.com

Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.

tags | exploit, remote, code execution
advisories | CVE-2022-22963
SHA-256 | 191fd2ef6dcf8a98bc701657de72fbfe2250e9ec9091b7372a38ea1abcff6241
Win32k ConsoleControl Offset Confusion / Privilege Escalation
Posted Feb 28, 2022
Authored by Spencer McIntyre, BITTER APT, LiHao, KaLendsi, MaDongZe, TuXiaoYi, JinQuan, L4ys | Site metasploit.com

A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.

tags | exploit, root, vulnerability
systems | windows
advisories | CVE-2021-1732, CVE-2022-21882
SHA-256 | 9902434a58e36c7838c71ee860592d8624368fc1b380cf4c9ccf530f09895fd2
UniFi Network Application Unauthenticated Log4Shell Remote Code Execution
Posted Jan 24, 2022
Authored by Spencer McIntyre, RageLtMan, Nicholas Anastasi | Site metasploit.com

The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server via the remember field of a POST request to the /api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the server application. This Metasploit module will start an LDAP server that the target will need to connect to.

tags | exploit, java
advisories | CVE-2021-44228
SHA-256 | 371aff703a1c6ed83abe19b12644a1663d1052646d88c385fcca8a64bc63db21
VMware vCenter Server Unauthenticated Log4Shell JNDI Injection Remote Code Execution
Posted Jan 20, 2022
Authored by Spencer McIntyre, RageLtMan, jbaines-r7, w3bd3vil | Site metasploit.com

VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on Windows. This Metasploit module will start an LDAP server that the target will need to connect to. This exploit uses the logon page vector.

tags | exploit, java, root
systems | linux, windows
advisories | CVE-2021-44228
SHA-256 | a640959afe63b432e9f52c735f5ef2799a3bab57bd19790c2fcebb608d3e3a86
Log4Shell HTTP Header Injection
Posted Jan 12, 2022
Authored by sinn3r, Michael Schierl, Spencer McIntyre, juan vazquez | Site metasploit.com

This Metasploit module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit and load a payload. The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server that the target can connect to. The targeted application must have the trusted code base option enabled for this technique to work. The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.

tags | exploit, java, remote, web
advisories | CVE-2021-44228
SHA-256 | fb881ade3573c4c3970acc27f51ba1d3ac1aaff25446ea8e525ce3aca4d0ca4d
Apache Storm Nimbus 2.2.0 Command Execution
Posted Nov 19, 2021
Authored by Spencer McIntyre, Alvaro Munoz | Site metasploit.com

This Metasploit module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm. The getTopologyHistory RPC method method takes a single argument which is the name of a user which is concatenated into a string that is executed by bash. In order for the vulnerability to be exploitable, there must have been at least one topology submitted to the server. The topology may be active or inactive, but at least one must be present. Successful exploitation results in remote code execution as the user running Apache Storm. This vulnerability was patched in versions 2.1.1, 2.2.1 and 1.2.4. This exploit was tested on version 2.2.0 which is affected.

tags | exploit, remote, code execution, bash
advisories | CVE-2021-38294
SHA-256 | bdeabaf8ee1de5cc701765d5b3a2960189a0cd18ac93bcb180979bd32c8d528a
Microsoft OMI Management Interface Authentication Bypass
Posted Nov 10, 2021
Authored by Spencer McIntyre, Nir Ohfeld, Shir Tamari | Site metasploit.com

This Metasploit module demonstrates that by removing the authentication exchange, an attacker can issue requests to the local OMI management socket that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).

tags | exploit, local, root
advisories | CVE-2021-38648
SHA-256 | 421ae743686547f1ecd98e3086fa9370482e6a9646a5f30c18b32491b7848309
Microsoft OMI Management Interface Authentication Bypass
Posted Oct 28, 2021
Authored by Spencer McIntyre, wvu, Nir Ohfeld, Shir Tamari | Site metasploit.com

By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).

tags | exploit, web, root
advisories | CVE-2021-38647
SHA-256 | fdef0aef0e912b6be1749a8d91235a8ce5f95d8c64ee36efaa66917951a81206
ManageEngine OpManager SumPDU Java Deserialization
Posted Sep 21, 2021
Authored by Spencer McIntyre, Robin Peraglie, Johannes Moritz | Site metasploit.com

An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328.

tags | exploit, java, remote, web, arbitrary
advisories | CVE-2020-28653, CVE-2021-3287
SHA-256 | a64897f563277f473cabf805ba128ebed5a9f941959e6b9130ab7f541f5a6e50
Microsoft Exchange ProxyShell Remote Code Execution
Posted Aug 20, 2021
Authored by Spencer McIntyre, Orange Tsai, wvu, Ramella Sebastien, Jang, PeterJson, brandonshi123 | Site metasploit.com

This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2021-31207, CVE-2021-34473, CVE-2021-34523
SHA-256 | b555cd3b9862ec567195ff3003e6dc453483630a7c663ee17d582778c11dbf59
ForgeRock / OpenAM Jato Java Deserialization
Posted Jul 13, 2021
Authored by Spencer McIntyre, Michael Stepankin, bwatters-r7, jheysel-r7 | Site metasploit.com

This Metasploit module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and thus is susceptible to the same issue.

tags | exploit, java, remote, code execution
advisories | CVE-2021-35464
SHA-256 | 7ab7e165e1eabb4c0774d5b02fa501308e44a10ac91af40c1b4ed6a62fc60ca6
Polkit D-Bus Authentication Bypass
Posted Jul 9, 2021
Authored by Spencer McIntyre, jheysel-r7, Kevin Backhouse | Site metasploit.com

A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operation to complete without being subjected to all of the necessary authentication. The exploit module leverages this to add a new user with a sudo access and a known password. The new account is then leveraged to execute a payload with root privileges.

tags | exploit, local, root
advisories | CVE-2021-3560
SHA-256 | 4a469ac4141ad75d095a953ed9262ad9287b8c479e96a68695a89371d81439eb
Docker Container Escape
Posted Jul 1, 2021
Authored by Christophe de la Fuente, Spencer McIntyre, Nick Frichette, Borys Poplawski, Adam Iwaniuk | Site metasploit.com

This Metasploit module leverages a flaw in runc to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the runc binary with the payload and waits for someone to use docker exec to get into the container. This will trigger the payload execution. Note that executing this exploit carries important risks regarding the Docker installation integrity on the target and inside the container.

tags | exploit, root
advisories | CVE-2019-5736
SHA-256 | cccb41227aca832e89e9a6f586e66617bdec002e1dded9d5addd44548302edb1
Microsoft SharePoint Unsafe Control And ViewState Remote Code Execution
Posted Jun 17, 2021
Authored by unknown, Spencer McIntyre, wvu | Site metasploit.com

The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content. This module will leak the ViewState validation key and then use it to sign a crafted object that will trigger code execution when deserialized. Tested against SharePoint 2019 and SharePoint 2016, both on Windows Server 2016.

tags | exploit, code execution
systems | windows
advisories | CVE-2021-31181
SHA-256 | 5dcb06868c15ec6031a011204cbd74de26b37669890217421638293a9f77e49b
Dell DBUtil_2_3.sys IOCTL Memory Read / Write
Posted May 17, 2021
Authored by Spencer McIntyre, SentinelLabs, Kasif Dekel | Site metasploit.com

The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker to read and write kernel-mode memory.

tags | exploit, kernel
advisories | CVE-2021-21551
SHA-256 | 60c28ef1ac35891f12da2b7098fca05a34362d8c69f7050055509277585d70ab
Apache OFBiz SOAP Java Deserialization
Posted Apr 6, 2021
Authored by Spencer McIntyre, wvu, yumusb | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for versions prior to 17.12.06.

tags | exploit, java
advisories | CVE-2021-26295
SHA-256 | 1a3d79d4b32857119cfd6ad9c273dd5c7dfc3e857b95b83ad391b6001cc0de14
Advantech iView Unauthenticated Remote Code Execution
Posted Mar 23, 2021
Authored by Spencer McIntyre, wvu | Site metasploit.com

This Metasploit module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the vulnerable version 5.7.02.5992 and fixed in version 5.7.03.6112.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2021-22652
SHA-256 | 871b6bdcb75f943757231fe70d369aecb3bf02147c4c50b85ea3a12f3efaabe4
Win32k ConsoleControl Offset Confusion
Posted Mar 19, 2021
Authored by Spencer McIntyre, BITTER APT, LiHao, KaLendsi, MaDongZe, TuXiaoYi, JinQuan | Site metasploit.com

A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation.

tags | exploit
advisories | CVE-2021-1732
SHA-256 | ed073b3c17d4f49ffa13834abab3bf326257f8e012a4c37b26486bc312e9e80d
Sudo 1.8.31p2 / 1.9.5p1 Buffer Overflow
Posted Feb 5, 2021
Authored by Blasty, Spencer McIntyre, Qualys Security Advisory, bwatters-r7, Alexander Krog | Site metasploit.com

A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this implementation leverages the overflow to overwrite a service_user struct in memory to reference an attacker controlled library which results in it being loaded with the elevated privileges held by sudo.

tags | exploit, overflow, local
advisories | CVE-2021-3156
SHA-256 | cdf458fa2ff6a679afd1037bdb879758b301305b20f223b3aade629bb97b04bc
Apache Struts 2 Forced Multi OGNL Evaluation
Posted Dec 24, 2020
Authored by Matthias Kaiser, Spencer McIntyre, Alvaro Munoz, ka1n4t | Site metasploit.com

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependant. A server side template must make an affected use of request data to render an HTML tag attribute.

tags | exploit, remote, code execution
advisories | CVE-2019-0230, CVE-2020-17530
SHA-256 | 3cfe28296a3b91c815100d9996280537326adc728304ac8036ea7dcb8ca37586
Pulse Secure VPN Remote Code Execution
Posted Dec 18, 2020
Authored by h00die, Spencer McIntyre, Richard Warren, David Cash | Site metasploit.com

The Pulse Connect Secure appliance versions prior to 9.1R9 suffer from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.

tags | exploit, remote, arbitrary, root, code execution
advisories | CVE-2020-8260
SHA-256 | 8de39b3d864b347239de1ec3dc821eb3dbbd1f8d117938aab08b12b371a9dbc1
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization
Posted Oct 20, 2020
Authored by Spencer McIntyre, Oleksandr Mirosh, Markus Wulftange, Alvaro Munoz, Paul Taylor, Caleb Gross, straightblast | Site metasploit.com

This Metasploit module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 2020.3.915).

tags | exploit, asp
advisories | CVE-2017-11317, CVE-2019-18935
SHA-256 | 2f6a8f760339d2c83d483651740d009b85c87d1a8e03ca388c1ef83409e65051
SharePoint DataSet / DataTable Deserialization
Posted Jul 31, 2020
Authored by Soroush Dalili, mr_me, Spencer McIntyre | Site metasploit.com

A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker to execute code within the context of the SharePoint application service. The privileges in this execution context are determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered from a page that initializes either the ContactLinksSuggestionsMicroView type or a derivative of it. In a default configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.

tags | exploit, remote
advisories | CVE-2020-1147
SHA-256 | 34f2633fdb04b0ab14dd5a0aedaf3e5d3b9e387d4d8619fbdd31dabb809602b6
AnyDesk GUI Format String Write
Posted Jul 2, 2020
Authored by Spencer McIntyre, scryh | Site metasploit.com

The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.

tags | exploit
advisories | CVE-2020-13160
SHA-256 | 3a9a77f3da97e3fa3eabb2ff840fb3ea885747038fdb66fcbcb8f64ab38332f4
Plesk / myLittleAdmin ViewState .NET Deserialization
Posted May 22, 2020
Authored by Spencer McIntyre, wvu | Site metasploit.com

This Metasploit module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded machineKey parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup. Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account". Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.

tags | exploit, web, code execution, asp
advisories | CVE-2020-13166
SHA-256 | 4124c84ac15efa5a91216b271b351c4f85f28724a0347ca062414a3d04b8a3b5
Page 1 of 3
Back123Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close