what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed

Files

Webmin 1.920 Remote Code Execution
Posted Sep 15, 2019
Authored by BoSSaLiNiE

Webmin version 1.920 remote code execution exploit that leverages the vulnerability noted in CVE-2019-15107.

tags | exploit, remote, code execution
advisories | CVE-2019-15107
SHA-256 | 233192a3d19175ea1314a59b24a433a47278e7d0fd3f5a72f4fdeb8334763b0e

Related Files

Webmin 1.984 File Manager Remote Code Execution
Posted Nov 2, 2022
Authored by jheysel-r7, faisalfs10x | Site metasploit.com

In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve remote code execution via a crafted .cgi file by chaining those functionalities in the file manager.

tags | exploit, remote, cgi, code execution
advisories | CVE-2022-0824
SHA-256 | 174516108c4d106859887c676523c5bd94d8fe133ba6657e421890c8d9f7ef89
Webmin Package Updates Command Injection
Posted Aug 10, 2022
Authored by Christophe de la Fuente, Emir Polat | Site metasploit.com

This Metasploit module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call. This exploit requires authentication and the account must have access to the Software Package Updates module.

tags | exploit, arbitrary
advisories | CVE-2022-36446
SHA-256 | 40335e81c5e1920c59b3fa7d7b9555cf342eefb7151f937070f230f69f2b8ee3
Webmin 1.996 Remote Code Execution
Posted Aug 1, 2022
Authored by Emir Polat

Webmin version 1.996 suffers from an authenticated remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2022-36446
SHA-256 | a89c83a46baf912bad79b59cea2c4954e3ac100a48e421ae4b7e8c04fc532526
Print Spooler Remote DLL Injection
Posted May 25, 2022
Authored by Christophe de la Fuente, Spencer McIntyre, Zhiniang Peng, cube0x0, Xuefeng Li, Zhang Yunhai, Piotr Madej, Zhipeng Huo | Site metasploit.com

The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.

tags | exploit, remote, code execution
advisories | CVE-2021-1675, CVE-2021-34527
SHA-256 | 1720ad267b345d6b91409cdb01c0ab129fc9f485ac71c4c4a816698bd6351239
Webmin 1.984 Remote Code Execution
Posted Mar 9, 2022
Authored by faisalfs10x

Webmin version 1.984 authenticated remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2022-0824
SHA-256 | 7286890f523f72cddacdb1075dae1a9d259f00e38f0108409ebfb8be0654690a
Ubuntu Overlayfs Local Privilege Escalation
Posted Dec 3, 2021
Authored by bwatters-r7, ssd-disclosure | Site metasploit.com

This Metasploit module exploits a vulnerability in Ubuntu's implementation of overlayfs. The vulnerability is the result of failing to verify the ability of a user to set the attributes in a running executable. Specifically, when Overlayfs sends the set attributes data to the underlying file system via vfs_setxattr, it fails to first verify the data by calling cap_convert_nscap. This vulnerability was patched by moving the call to cap_convert_nscap into the vfs_setxattr function that sets the attribute, forcing verification every time the vfs_setxattr is called rather than trusting the data was already verified.

tags | exploit
systems | linux, ubuntu
advisories | CVE-2021-3493
SHA-256 | db2db701a06e20ebab9c0759df9c3b43a3146ecf6b60cce3c13e3d0541420302
Microsoft OMI Management Interface Authentication Bypass
Posted Oct 28, 2021
Authored by Spencer McIntyre, wvu, Nir Ohfeld, Shir Tamari | Site metasploit.com

By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).

tags | exploit, web, root
advisories | CVE-2021-38647
SHA-256 | fdef0aef0e912b6be1749a8d91235a8ce5f95d8c64ee36efaa66917951a81206
Linux eBPF ALU32 32-bit Invalid Bounds Tracking Local Privilege Escalation
Posted Sep 1, 2021
Authored by Grant Willcox, chompie1337, Manfred Paul | Site metasploit.com

Linux kernels from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37 are vulnerable to a bug in the eBPF verifier's verification of ALU32 operations in the scalar32_min_max_and function when performing AND operations, whereby under certain conditions the bounds of a 32 bit register would not be properly updated. This can be abused by attackers to conduct an out of bounds read and write in the Linux kernel and therefore achieve arbitrary code execution as the root user. The target system must be compiled with eBPF support and not have kernel.unprivileged_bpf_disabled set, which prevents unprivileged users from loading eBPF programs into the kernel. Note that if kernel.unprivileged_bpf_disabled is enabled this module can still be utilized to bypass protections such as SELinux, however the user must already be logged as a privileged user such as root.

tags | exploit, arbitrary, kernel, root, code execution
systems | linux
advisories | CVE-2021-3490
SHA-256 | 72309dfd15f65e29e815be3b1add6fc3b2c2baad6cb3b01ac2bbfff15a8b2c9d
Webmin 1.973 Cross Site Request Forgery
Posted Jul 20, 2021
Authored by Mesh3l_911, Z0ldyck

Webmin version 1.973 cross site request forgery exploit that loads a reverse shell.

tags | exploit, shell, csrf
advisories | CVE-2021-31761
SHA-256 | 8a316a9307c0d4b3b8fa1f3bb02ab7e2a5d250b7b981658538c23e171ca98d24
Webmin 1.973 Cross Site Request Forgery
Posted Jul 14, 2021
Authored by Mesh3l_911, Z0ldyck

Webmin version 1.973 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2021-31762
SHA-256 | 6584fbea56cb36aed6cf20c070f41684482266289815df1aa41748fc786befa2
ForgeRock / OpenAM Jato Java Deserialization
Posted Jul 13, 2021
Authored by Spencer McIntyre, Michael Stepankin, bwatters-r7, jheysel-r7 | Site metasploit.com

This Metasploit module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and thus is susceptible to the same issue.

tags | exploit, java, remote, code execution
advisories | CVE-2021-35464
SHA-256 | 7ab7e165e1eabb4c0774d5b02fa501308e44a10ac91af40c1b4ed6a62fc60ca6
Dell DBUtil_2_3.sys IOCTL Memory Read / Write
Posted May 17, 2021
Authored by Spencer McIntyre, SentinelLabs, Kasif Dekel | Site metasploit.com

The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker to read and write kernel-mode memory.

tags | exploit, kernel
advisories | CVE-2021-21551
SHA-256 | 60c28ef1ac35891f12da2b7098fca05a34362d8c69f7050055509277585d70ab
SAP Solution Manager 7.2 Remote Command Execution
Posted Mar 26, 2021
Authored by Dmitry Chastuhin, Pablo Artuso, Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents allowing an attacker to send HTTP requests (SSRF) and execute OS commands on the connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation will allow unauthenticated remote attackers to get a reverse shell from connected to the SolMan agent as the user under which it runs SMDAgent service, which is usually daaadm.

tags | exploit, java, remote, web, shell
advisories | CVE-2020-6207
SHA-256 | 0d5122d6fb0ba7f681b7229fc5c197780b51710c6395404115ad8686072b2b08
Win32k ConsoleControl Offset Confusion
Posted Mar 19, 2021
Authored by Spencer McIntyre, BITTER APT, LiHao, KaLendsi, MaDongZe, TuXiaoYi, JinQuan | Site metasploit.com

A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation.

tags | exploit
advisories | CVE-2021-1732
SHA-256 | ed073b3c17d4f49ffa13834abab3bf326257f8e012a4c37b26486bc312e9e80d
Microsoft Spooler Local Privilege Elevation
Posted Jan 18, 2021
Authored by bwatters-r7, Peleg Hadar, sailay1996, 404death, Tomer Bar | Site metasploit.com

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.

tags | exploit
advisories | CVE-2020-1337
SHA-256 | 88e1248d5e21e3a00dd23e98ab5d2075610af6a2f071e96ac3de2656c5624198
Cloud Filter Arbitrary File Creation / Privilege Escalation
Posted Jan 12, 2021
Authored by Grant Willcox, James Foreshaw | Site metasploit.com

This Metasploit module exploits a vulnerability in cldflt.sys. The Cloud Filter driver on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

tags | exploit, code execution
systems | windows
advisories | CVE-2020-1170, CVE-2020-17136
SHA-256 | 5bdffeb4ef0091f8099814e9f3a61b1346960497efc651c7566901fb62b98d96
Webmin 1.962 Remote Command Execution
Posted Dec 22, 2020
Authored by AkkuS | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in Webmin 1.962 and lower versions. Any user authorized to the Package Updates module can execute arbitrary commands with root privileges. It emerged by circumventing the measure taken for CVE-2019-12840.

tags | exploit, arbitrary, root
advisories | CVE-2020-35606
SHA-256 | 0b9d3eed2396c63f8c369c41bb33853aea8748348ce034096856277e638001d6
Microsoft Windows DrawIconEx Local Privilege Escalation
Posted Dec 15, 2020
Authored by timwr, bee13oy, Yoav Alon, Netanel Ben-Simon | Site metasploit.com

This Metasploit module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx within win32k. The out of bounds write can be used to overwrite the pvbits of a SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against a fully updated Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows.

tags | exploit, arbitrary, kernel, code execution
systems | windows
advisories | CVE-2020-1054
SHA-256 | 868acae66ad56703c17e3c65ef2f0fd90bad10c8ec6f9816219080fe42106f93
Microsoft Windows Uninitialized Variable Local Privilege Escalation
Posted Oct 15, 2020
Authored by timwr, unamer, piotrflorczyk | Site metasploit.com

This Metasploit module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitialized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker controlled address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated.

tags | exploit, arbitrary, kernel, code execution
systems | windows
advisories | CVE-2019-1458
SHA-256 | 965825e462e62b73a8b4edd4aeb9b9d17c52ab810644e44a21ae2613d7a92025
Microsoft Windows Update Orchestrator Unchecked ScheduleWork Call
Posted Sep 28, 2020
Authored by Imre Rad, bwatters-r7 | Site metasploit.com

This Metasploit module exploit uses access to the UniversalOrchestrator ScheduleWork API call which does not verify the caller's token before scheduling a job to be run as SYSTEM. You cannot schedule something in a given time, so the payload will execute as system sometime in the next 24 hours.

tags | exploit
advisories | CVE-2020-1313
SHA-256 | 3a60a69dcbeb7de997adcc7d739647b41b00df07ef99e3f346dd78c5b1f47616
Microsoft Spooler Local Privilege Elevation
Posted Sep 17, 2020
Authored by bwatters-r7, shubham0d, Yarden Shafir, Alex Ionescu | Site metasploit.com

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.

tags | exploit
advisories | CVE-2020-1048
SHA-256 | 042eb96d4be3493ee746dfaae2491220ba9b12278e37c6ccaaa1b2d1f175f42f
AnyDesk GUI Format String Write
Posted Jul 2, 2020
Authored by Spencer McIntyre, scryh | Site metasploit.com

The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.

tags | exploit
advisories | CVE-2020-13160
SHA-256 | 3a9a77f3da97e3fa3eabb2ff840fb3ea885747038fdb66fcbcb8f64ab38332f4
Background Intelligent Transfer Service Privilege Escalation
Posted Jun 11, 2020
Authored by itm4n, gwillcox-r7 | Site metasploit.com

This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking issue within the Update Session Orchestrator Service. Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, so your mileage may vary on Windows Server 2016 and later.

tags | exploit, arbitrary, code execution
systems | windows
advisories | CVE-2020-0787
SHA-256 | 881389db7516cd93002413a591d878987421d6e664f4be1ea349fe9d3d4000cf
Service Tracing Privilege Escalation
Posted May 8, 2020
Authored by bwatters-r7, itm4n | Site metasploit.com

This Metasploit module leverages a trusted file overwrite with a dll hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets.

tags | exploit
systems | windows
advisories | CVE-2020-0668
SHA-256 | c361a1c2decc4120fb83b82770836ac6e075d3657ad91fe7ca2189c9dd6ec994
SMBv3 Compression Buffer Overflow
Posted Apr 6, 2020
Authored by Spencer McIntyre, Daniel Garcia Gutierrez, Manuel Blanco Parajon | Site metasploit.com

A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.

tags | exploit, local, protocol
advisories | CVE-2020-0796
SHA-256 | b897523218de261b528a25b48e985e91f958585e7ae9753a0c897e339abe8503
Page 1 of 4
Back1234Next

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close