Showing 76 - 100 of 101

Files from Brendan Coles

Email address: bcoles at gmail.com
First Active: 2011-06-24
Last Active: 2024-09-01

Metasploit RPC Console Command Execution
Posted Jul 22, 2017
Authored by Brendan Coles | Site metasploit.com

This Metasploit module connects to a specified Metasploit RPC server and uses the 'console.write' procedure to execute operating system commands. Valid credentials are required to access the RPC interface. This Metasploit module has been tested successfully on Metasploit 4.15 on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit 4.14 on Windows 7 SP1.

tags | exploit
systems | windows
SHA-256 | 8ea98d2b410cde645149d0474ad59d7f8e2ce8335f863b066bd6f8eb38a90c6e
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

tags | exploit, arbitrary
advisories | CVE-2017-7494
SHA-256 | 467d157dc1bbf3f036cc0f63f280fa7c6781fd91ca452708aab53393895c5ba1
Serviio Media Server checkStreamUrl Command Execution
Posted May 17, 2017
Authored by LiquidWorm, Brendan Coles | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in the console component of Serviio Media Server versions 1.4 to 1.8 on Windows operating systems. The console service (on port 23423 by default) exposes a REST API which does not require authentication. The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe, resulting in execution of arbitrary commands. This Metasploit module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

tags | exploit, remote, arbitrary
systems | windows
advisories | OSVDB-41961
SHA-256 | ff2a44ff2877548d39a81f51946f0588cc16648df0f3bb46c2698ef963da2850
MVPower DVR Shell Unauthenticated Command Execution
Posted Feb 25, 2017
Authored by Brendan Coles, Andrew Tierney, Paul Davies | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string. This Metasploit module was tested successfully on an MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17). The TV-7108HE model is also reportedly affected, but untested.

tags | exploit, remote, web, arbitrary, shell
SHA-256 | f4244a1e72f87921eab5c56221de1ab5d42d1ffd35789a5298618d85c3223c83
Dell KACE K1000 File Upload
Posted Apr 13, 2016
Authored by Brendan Coles, Bradley Austin | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in Kace K1000 versions 5.0 to 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 which allows unauthenticated users to execute arbitrary commands under the context of the 'www' user. This Metasploit module also abuses the 'KSudoClient::RunCommandWait' function to gain root privileges. This Metasploit module has been tested successfully with Dell KACE K1000 version 5.3.

tags | exploit, arbitrary, root, file upload
SHA-256 | ce165f4ada05beefea1776978f34c8b9073a363082d4e2c9070aa0d2aed7d73d
D-Link DCS-931L Arbitrary File Upload
Posted Jan 6, 2016
Authored by Brendan Coles, J. Rach, Allen Harper, Mike Baucom | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in D-Link DCS-931L network cameras. The setFileUpload functionality allows authenticated users to upload files to anywhere on the file system, allowing system files to be overwritten, resulting in execution of arbitrary commands. This Metasploit module has been tested successfully on a D-Link DCS-931L with firmware versions 1.01_B7 (2013-04-19) and 1.04_B1 (2014-04-21). D-Link DCS-930L, DCS-932L, DCS-933L models are also reportedly affected, but untested.

tags | exploit, arbitrary, file upload
advisories | CVE-2015-2049
SHA-256 | c85dbfd5bafc99162dc8561e5db898e4cfbb36756d3c4d4763c20bae09a13a20
SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
Posted Mar 6, 2014
Authored by Brendan Coles, Mohamed Shetta | Site metasploit.com

This Metasploit module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer, the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista, code execution can be achieved by first uploading the payload as an exe file and then uploading a mof file, which schedules WMI to execute the uploaded payload. This Metasploit module has been tested successfully on SolidWorks Workgroup PDM 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).

tags | exploit, remote, arbitrary, code execution
systems | windows
SHA-256 | 555ceedf2a25fd70fef94c9ae70c8626ff642d286be5b686e2bf20bc82d0820a
Simple E-Document Arbitrary File Upload
Posted Jan 28, 2014
Authored by Brendan Coles, vinicius777 | Site metasploit.com

This Metasploit module exploits a file upload vulnerability found in Simple E-Document versions 3.0 to 3.1. Attackers can bypass authentication and abuse the upload feature in order to upload malicious PHP files which results in arbitrary remote code execution as the web server user. File uploads are disabled by default.

tags | exploit, remote, web, arbitrary, php, code execution, file upload
SHA-256 | 6e99abeb1415d8df56dfb483b3ab125f1112848d4094f7b300a31eecd774a5f1
Kimai 0.9.2 db_restore.php SQL Injection
Posted Nov 28, 2013
Authored by Brendan Coles, drone | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in Kimai version 0.9.2.x. The 'db_restore.php' file allows unauthenticated users to execute arbitrary SQL queries. This Metasploit module writes a PHP payload to disk if the following conditions are met: the PHP configuration must have 'display_errors' enabled; Kimai must be configured to use a MySQL database running on localhost; and the MySQL user must have write permission to the Kimai 'temporary' directory.

tags | exploit, arbitrary, php, sql injection
SHA-256 | 853a61dfd6df69f1dd037fceb6af76d6aa56c0b508cd161484f30988de0f9da7
ProcessMaker Open Source Authenticated PHP Code Execution
Posted Oct 30, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a PHP code execution vulnerability in the 'neoclassic' skin for ProcessMaker Open Source which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x and cannot be removed via the web interface.

tags | exploit, web, php, code execution
advisories | OSVDB-99199
SHA-256 | eb45ad4835f0136226472801ecf8d83ecfdfe22caa02b7f28a680a48e9232df6
WebTester 5.x Command Execution
Posted Oct 18, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in WebTester version 5.x. The 'install2.php' file allows unauthenticated users to execute arbitrary commands in the 'cpusername', 'cppassword' and 'cpdomain' parameters.

tags | exploit, arbitrary, php
SHA-256 | dfea5435bcc036d47d5c594f95500152ab31c0d3ee607b8a70a2b6f399effb39
VMware Hyperic HQ Groovy Script-Console Java Execution
Posted Oct 11, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module uses the VMware Hyperic HQ Groovy script console to execute OS commands using Java. Valid credentials for an application administrator user account are required. This Metasploit module has been tested successfully with Hyperic HQ 4.6.6 on Windows 2003 SP2 and Ubuntu 10.04 systems.

tags | exploit, java
systems | linux, windows, ubuntu
SHA-256 | f310cc67584ebfece0fb02e5b0b15c7748e4537dd7eb3d17e3d681399a54630c
MiniWeb (Build 300) Arbitrary File Upload
Posted Aug 14, 2013
Authored by Akastep, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in MiniWeb HTTP server (build 300). The software contains a file upload vulnerability that allows an unauthenticated remote attacker to write arbitrary files to the file system. Code execution can be achieved by first uploading the payload to the remote machine as an exe file and then uploading a mof file, which enables WMI (the Windows Management Instrumentation service) to execute the uploaded payload. Please note that this module currently only works for Windows versions before Vista.

tags | exploit, remote, web, arbitrary, code execution, file upload
systems | windows
advisories | OSVDB-92198, OSVDB-92200
SHA-256 | b4d11d94bdfda21fed51296f5789bea65f23c1f03f5b7bd525895268f5a560b0
Glossword 1.8.12 Arbitrary File Upload
Posted Feb 26, 2013
Authored by Akastep, Brendan Coles | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in Glossword versions 1.8.8 through 1.8.12 when run as a standalone application. This application has an upload feature that allows an authenticated user with administrator roles to upload arbitrary files to the 'gw_temp/a/' directory.

tags | exploit, arbitrary, file upload
advisories | OSVDB-89960
SHA-256 | 6a00fc56bffca149e62d8602fbecdb81bf01e94e53c11f7eba4da3baed5c74a4
Kordil EDMS 2.2.60rc3 Arbitrary File Upload
Posted Feb 25, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in Kordil EDMS version 2.2.60rc3. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the '/kordil_edms/userpictures/' directory.

tags | exploit, arbitrary
SHA-256 | c33960b0a5838ddb0853afe03218b7db5ca3b95debdf3a837b3c39d718e797fc
ZoneMinder Video Server packageControl Command Execution
Posted Jan 25, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file calls 'exec()' with user controlled data from the 'runState' parameter.

tags | exploit, web, arbitrary, php
SHA-256 | aab8ea5a52b4b1c07ba62aed307dd92f1f1c1d23d97428d0d5e53e113be8bd88
eXtplorer 2.1 Arbitrary File Upload
Posted Jan 10, 2013
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in eXtplorer versions 2.1.0 to 2.1.2 and 2.1.0RC5 when run as a standalone application. This application has an upload feature that allows an authenticated user with administrator roles to upload arbitrary files to any writable directory in the web root. This Metasploit module uses an authentication bypass vulnerability to upload and execute a file.

tags | exploit, web, arbitrary, root, bypass
advisories | OSVDB-88751
SHA-256 | 8483dda079be04a44863b410b51eecbb3374b00177e8c973282a9974a2918555
ZEN Load Balancer Filelog Command Execution
Posted Sep 22, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in ZEN Load Balancer version 2.0 and 3.0-rc1 which could be abused to allow authenticated users to execute arbitrary code under the context of the 'root' user. The 'content2-2.cgi' file uses user controlled data from the 'filelog' parameter within backticks.

tags | exploit, arbitrary, cgi, root
SHA-256 | 00bb887bb0df418300d4b44bcb42abfdd700d3c405ec1e719a786661df083664
Openfiler 2.x NetworkCard Command Execution
Posted Sep 11, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in Openfiler version 2.x which could be abused to allow authenticated users to execute arbitrary code under the context of the 'openfiler' user. The 'system.html' file uses user controlled data from the 'device' parameter to create a new 'NetworkCard' object. The class constructor in 'network.inc' calls exec() with the supplied data. The 'openfiler' user may 'sudo /bin/bash' without providing a system password.

tags | exploit, arbitrary, bash
SHA-256 | ef6788fdc2bbdb21b278fd22582c6c12fb18b12cc2341fe8561207bf69d634a8
WAN Emulator 2.3 Command Execution
Posted Sep 11, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in WAN Emulator version 2.3 which can be abused to allow unauthenticated users to execute arbitrary commands under the context of the 'www-data' user. The 'result.php' script calls shell_exec() with user controlled data from the 'pc' parameter. This Metasploit module also exploits a command execution vulnerability to gain root privileges. The 'dosu' binary is suid 'root' and vulnerable to command execution in argument one.

tags | exploit, arbitrary, root, php
SHA-256 | 1fb42426dc819635f534f9d0dfa8faeb1296d0151e8ddec91cb563bd1c4e5011
TestLink 1.9.3 Arbitrary File Upload
Posted Aug 14, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in TestLink versions 1.9.3 and prior. This application has an upload feature that allows any authenticated user to upload arbitrary files to the '/upload_area/nodes_hierarchy/' directory with a randomized file name. The file name can be retrieved from the database using SQL injection.

tags | exploit, arbitrary, sql injection
SHA-256 | d7801d84f2c0b381a4eab2c495d1007bc1e69f64d876b88ff24732a4755a2f71
CuteFlow 2.11.2 Arbitrary File Upload
Posted Jul 27, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in CuteFlow version 2.11.2 or prior. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/___1/' directory and then execute them.

tags | exploit, arbitrary
SHA-256 | 7e52dec1e5036e52df909f5beaef31339c50c613b21624d2406a52176b941892
Useresponse 1.0.2 Backdoor / CSRF / Code Execution
Posted Jun 15, 2012
Authored by mr_me, Brendan Coles

Useresponse versions 1.0.2 and below suffer from a backdoor account, cross site request forgery, and code execution vulnerabilities. Full exploit provided.

tags | exploit, vulnerability, code execution, csrf
SHA-256 | 1e595bde09d53da1af5b8c9a1f80c9232d1dcaea0fb89a038ec47ceab924e6c0
ActivDesk 3.0 Cross Site Scripting / SQL Injection
Posted Jun 24, 2011
Authored by Brendan Coles

ActivDesk versions 3.0 and below suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | a7778d0541ba75869037aec9eee20bacd9e041891256482f196ecb1620ed068a
iSupport 1.8 SQL Injection
Posted Jun 24, 2011
Authored by Brendan Coles

iSupport version 1.8 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 2b710744b5d40ea4085cc2528feab9d2b8211d10b452dac2c9cbbb977f110275