what you don't know can hurt you
Showing 1 - 24 of 24 RSS Feed

Files

Windows Persistent Service Installer
Posted Dec 17, 2018
Authored by Green-m | Site metasploit.com

This Module will generate and upload an executable to a remote host and then makes it a persistent service. It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required.

tags | exploit, remote
MD5 | 2a69e1c7191b22cc48b06504f4eb3c67

Related Files

AIS Logistics ESEL-Server SQL Injection / Code Execution
Posted Apr 29, 2019
Authored by Manuel Feifel | Site metasploit.com

This Metasploit module will execute an arbitrary payload on an "ESEL" server used by the AIS logistic software. The server typically listens on port 5099 without TLS. There could also be server listening on 5100 with TLS but the port 5099 is usually always open. The login process is vulnerable to an SQL Injection. Usually a MSSQL Server with the 'sa' user is in place. This module was verified on version 67 but it should also run on lower versions. An fixed version was created by AIS in September 2017. However most systems have not been updated. In regard to the payload, unless there is a closed port in the web server, you dont want to use any "bind" payload. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. Currently, one delivery method is supported This method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.

tags | exploit, web, arbitrary, sql injection
advisories | CVE-2019-10123
MD5 | 2683e770d74ded7d653c48065da8cf98
RARLAB WinRAR ACE Format Input Validation Remote Code Execution
Posted Apr 24, 2019
Authored by Imran Dawoodjee, Nadav Grossman | Site metasploit.com

In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. This module will attempt to extract a payload to the startup folder of the current user. It is limited such that we can only go back one folder. Therefore, for this exploit to work properly, the user must extract the supplied RAR file from one folder within the user profile folder (e.g. Desktop or Downloads). User restart is required to gain a shell.

tags | exploit, shell
advisories | CVE-2018-20250
MD5 | e92db51f5e14f0fddb4670c8372f4da6
Android su Privilege Escalation
Posted Mar 7, 2019
Site metasploit.com

This Metasploit module uses the su binary present on rooted devices to run a payload as root. A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root. This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a temporary directory, make it executable, execute it in the background, and finally delete the executable. On most devices the su binary will pop-up a prompt on the device asking the user for permission.

tags | exploit, root
MD5 | 3d450f6a5cba9fcc277774bbb95abdb6
Nuuo Central Management SQL Injection
Posted Feb 21, 2019
Authored by Pedro Ribeiro | Site metasploit.com

The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.

tags | exploit, code execution
advisories | CVE-2018-18982
MD5 | a6bd69ef31e399150c79831f73918115
VLC Media Player 2.2.8 MKV Use-After-Free
Posted Oct 11, 2018
Authored by Eugene NG, Winston Ho | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability in VideoLAN VLC versions 2.2.8 and below. The vulnerability exists in the parsing of MKV files and affects both 32 bits and 64 bits. In order to exploit this, this module will generate two files: The first .mkv file contains the main vulnerability and heap spray, the second .mkv file is required in order to take the vulnerable code path and should be placed under the same directory as the .mkv file. This Metasploit module has been tested against VLC v2.2.8. Tested with payloads windows/exec, windows/x64/exec, windows/shell/reverse_tcp, windows/x64/shell/reverse_tcp. Meterpreter payloads if used can cause the application to crash instead.

tags | exploit, shell
systems | windows
advisories | CVE-2018-11529
MD5 | 8a992cc20fa2660fbd011bbae7fa991c
Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
Posted Aug 22, 2017
Authored by b33f, OJ Reeves, Matt Nelson | Site metasploit.com

This Metasploit module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This Metasploit module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process. This Metasploit module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

tags | exploit, registry
systems | windows
MD5 | 73fea9d04345bcd15b0dc980da1ce0e1
Enigma Fileless UAC Bypass
Posted Jan 9, 2017
Authored by r00t-3xp10it, mattifestation, enigma0x3 | Site metasploit.com

This Metasploit module is an implementation of fileless uac bypass using cmd.exe instead of powershell.exe (OJ msf module). This module will create the required registry entry in the current user's hive, set the default value to whatever you pass via the EXEC_COMMAND parameter, and runs eventvwr.exe (hijacking the process being started to gain code execution).

tags | exploit, registry, code execution
MD5 | 862cbc79ab67b7fbac67a90c5c966e37
ExaGrid Known SSH Key / Default Password
Posted Apr 9, 2016
Authored by egypt | Site metasploit.com

ExaGrid ships a public/private key pair on their backup appliances to allow passwordless authentication to other ExaGrid appliances. Since the private key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. Additionally, this module will attempt to use the default password for root, 'inflection'.

tags | exploit, remote, root
advisories | CVE-2016-1560, CVE-2016-1561
MD5 | 3fbd7e79c9e739bd3384bf1e8d1cadf6
ManageEngine Multiple Products Authenticated File Upload
Posted Jan 20, 2015
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability in ManageEngine ServiceDesk, AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts the upload does not handle correctly '../' sequences, which can be abused to write in the file system. Authentication is needed to exploit this vulnerability, but this module will attempt to login using the default credentials for the administrator and guest accounts. Alternatively you can provide a pre-authenticated cookie or a username / password combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this module, only ServiceDesk v9 has been fixed in build 9031 and above. This Metasploit module has been been tested successfully in Windows and Linux on several versions.

tags | exploit
systems | linux, windows
advisories | CVE-2014-5301
MD5 | 272a3df924baba786c9fb30f40476d5b
MediaWiki Thumb.php Remote Command Execution
Posted Feb 19, 2014
Authored by Brandon Perry, Ben Harris, Netanel Rubin | Site metasploit.com

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation.

tags | exploit, remote, arbitrary, shell, file upload
advisories | CVE-2014-1610
MD5 | 1b245a0dcb1be275b10e57e681783903
KingScada kxClientDownload.ocx ActiveX Remote Code Execution
Posted Feb 11, 2014
Authored by Andrea Micalizzi, juan vazquez | Site metasploit.com

This Metasploit module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada. The ProjectURL property can be abused to download and load arbitrary DLLs from arbitrary locations, leading to arbitrary code execution, because of a dangerous usage of LoadLibrary. Due to the nature of the vulnerability, this module will work only when Protected Mode is not present or not enabled.

tags | exploit, arbitrary, code execution, activex
advisories | CVE-2013-2827
MD5 | 287d97f2652981fe694264c71eb7c221
Microsoft Internet Explorer SetMouseCapture Use-After-Free
Posted Sep 30, 2013
Authored by sinn3r, temp66 | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability that targets Internet Explorer 9 on Windows 7. The flaw most likely exists in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions, eventually arriving in function MSHTML!CTreeNode::GetInterface, and causing a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

tags | exploit, arbitrary, code execution
systems | windows, 7
advisories | CVE-2013-3893, OSVDB-97380
MD5 | 963f37fd3f414ed4fdd3070cd4eb2c8b
Windows Manage Persistent Payload Installer
Posted Feb 11, 2013
Authored by Carlos Perez | Site metasploit.com

This Metasploit module will create a boot persistent reverse Meterpreter session by installing on the target host the payload as a script that will be executed at user logon or system startup depending on privilege and selected startup method.

tags | exploit
MD5 | f0d70b8dc6c98a7adb63cd0e5722ebe7
Windows Escalate Service Permissions Local Privilege Escalation
Posted Oct 15, 2012
Authored by scriptjunkie | Site metasploit.com

This Metasploit module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure file or configuration permissions that may be hijacked. It will then attempt to restart the replaced service to run the payload. This will result in a new session when this succeeds. If the module is able to modify the service but does not have permission to start and stop the affected service, the attacker must wait for the system to restart before a session will be created.

tags | exploit
MD5 | 739899a891144fc176780a8e7feb2d96
FlexNet License Server Manager lmgrd Buffer Overflow
Posted May 22, 2012
Authored by Luigi Auriemma, sinn3r, Alexander Gavrun, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in the FlexNet License Server Manager. The vulnerability is due to the insecure usage of memcpy in the lmgrd service when handling network packets, which results in a stack buffer overflow. In order to improve reliability, this module will make lots of connections to lmgrd during each attempt to maximize its success.

tags | exploit, overflow
advisories | OSVDB-81899
MD5 | 19d930127fce9ef37c1be58047232c2e
VLC Media Player RealText Subtitle Overflow
Posted Mar 3, 2012
Authored by Tobias Klein, SkD, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack buffer overflow vulnerability in VideoLAN VLC versions prior to 0.9.6. The vulnerability exists in the parsing of RealText subtitle files. In order to exploit this, this module will generate two files: The .mp4 file is used to trick your victim into running. The .rt file is the actual malicious file that triggers the vulnerability, which should be placed under the same directory as the .mp4 file.

tags | exploit, overflow
advisories | CVE-2008-5036, OSVDB-49809
MD5 | f295ecc1bff79f3602400c7e2760ad65
Sun/Oracle GlassFish Server Authenticated Code Execution
Posted Aug 4, 2011
Authored by Joshua D. Abraham, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module logs in to an GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads, and executes commands via deploying a malicious WAR. On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.

tags | exploit, java, web
advisories | CVE-2011-0807
MD5 | 06ffb6ce20215f71d9e5d4728ef13549
Microsoft SQL Server Payload Execution via SQL injection
Posted Jan 29, 2011
Authored by Rodrigo Marcos, David Kennedy, jduck | Site metasploit.com

This Metasploit module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens.

tags | exploit, arbitrary, sql injection
advisories | CVE-2000-0402, CVE-2000-1209, OSVDB-15757
MD5 | 56da5422bd1ae1542f656891184e888d
Microsoft SQL Server Payload Execution
Posted Nov 26, 2009
Authored by David Kennedy | Site metasploit.com

This Metasploit module will execute an arbitrary payload on a Microsoft SQL Server, using the Windows debug.com method for writing an executable to disk and the xp_cmdshell stored procedure. File size restrictions are avoided by incorporating the debug bypass method presented at Defcon 17 by SecureState. Note that this module will leave a metasploit payload in the Windows System32 directory which must be manually deleted once the attack is completed.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2000-0402
MD5 | 9fcdfb3e45947625be60d062c78ae1af
Microsoft Windows SMB Relay Code Execution
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\\\\\\\SERVER\\\\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken.

tags | exploit, web, arbitrary
advisories | CVE-2008-4037
MD5 | d205c4ca89f0c3ebef2501ee6f238df5
Samba lsa_io_trans_names Heap Overflow
Posted Oct 27, 2009
Authored by Adriano Lima | Site risesecurity.org

This Metasploit module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

tags | exploit, overflow
advisories | CVE-2007-2446
MD5 | 8f84f393fa7096a43ae30b92fc8df61d
lsa_transnames_heap-solaris.rb.txt
Posted Jul 26, 2007
Authored by H D Moore, Ramon de C Valle, Adriano Lima | Site risesecurity.org

This Metasploit module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21 through 3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". Solaris version.

tags | exploit, overflow
systems | solaris
advisories | CVE-2007-2446
MD5 | 9f07c9cd8fd013c9608f103024c1c839
lsa_transnames_heap-linux.rb.txt
Posted Jul 26, 2007
Authored by H D Moore, Ramon de C Valle, Adriano Lima | Site risesecurity.org

This Metasploit module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21 through 3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". Linux version.

tags | exploit, overflow
systems | linux
advisories | CVE-2007-2446
MD5 | 4f3d9021ab7aeab8ee51f9ee5605ad0c
FG-Injector-0.9a.tar.bz2
Posted Apr 21, 2007
Site flowgate.net

FG-Injector is a tool that leverages the pentester's work by facilitating the exploitation of SQL Injection vulnerabilities. It includes a a powerful proxy feature for intercepting and modifying HTTP requests, a network spy module to allow the analyst view HTTP requests and their corresponding responses and an inference engine for automating SQL injection exploitation. The Inference Engine Module of the FG-Injector Framework automates the generation and injection of SQL statements needed for exploitation of a Blind SQL Injection. This module will work also for regular injections using the same method. It can produce blind injections on web/app servers using MS SQL Server, MySQL, and PostgresSql DBMSs.

tags | web, vulnerability, sql injection
MD5 | bf8954ef2c77f16f70b919e7f9d813a6
Page 1 of 1
Back1Next

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close