what you don't know can hurt you
Showing 26 - 50 of 100 RSS Feed

Files

SonicWall SMA 100 Series Authenticated Command Injection
Posted Jan 13, 2022
Authored by jbaines-r7 | Site metasploit.com

This Metasploit module exploits an authenticated command injection vulnerability in the SonicWall SMA 100 series web interface. Exploitation results in command execution as root. The affected versions are 10.2.1.2-24sv and below, 10.2.0.8-37sv and below, and 9.0.0.11-31sv and below.

tags | exploit, web, root
advisories | CVE-2021-20039
SHA-256 | 0ce8774c4d2bc66ac41f71ecbff4807d4b19a6c901b562b9cc8fa6b0d492c6be

Related Files

Windows Escalate Task Scheduler XML Privilege Escalation
Posted Jul 19, 2012
Authored by jduck | Site metasploit.com

This Metasploit module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2010-3338, OSVDB-68518
SHA-256 | d58b245a3284a4c3a0c953e6cd974d43047680186d9ff32f042bd97e492059fb
Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow
Posted Jul 19, 2012
Authored by Stephen Fewer, juan | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x06 (PROXY_CMD_CLEAR_WS) to the 998/TCP port. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, tcp
systems | windows
advisories | OSVDB-65361
SHA-256 | d8e51661349a2d58c55ebba98e0aab7bf40252bcd11e9570670dbb09e98a4244
Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow
Posted Jul 19, 2012
Authored by Stephen Fewer, juan | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x21 (PROXY_CMD_FTP_FILE) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).

tags | exploit, remote, overflow, tcp
systems | windows
advisories | OSVDB-65361
SHA-256 | 10965ccc1d7f3bdfb1cdc1edf6199b5eb01250bbec68ab0ee4cf54ba20262a61
Setuid Nmap Exploit
Posted Jul 19, 2012
Authored by egypt | Site metasploit.com

Nmap's man page mentions that "Nmap should never be installed with special privileges (e.g. suid root) for security reasons.." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This Metasploit module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.

tags | exploit, root, perl, ruby
systems | unix
SHA-256 | 36e5626623975013ad17de674718bb242f7551a7c65755515d9aab44a7aa57ea
ALLMediaServer 0.8 Buffer Overflow
Posted Jul 16, 2012
Authored by modpr0be, juan vazquez, motaz reda | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused due to a boundary error within the handling of HTTP request. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't reliable across virtual (VMWare, VirtualBox) and physical environments. Because of this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP.

tags | exploit, web, overflow
systems | windows
SHA-256 | cd224eb091bd83cac2f6867238fdeea0e253250295ed9b0257c0173e71de0311
Siemens Simatic S7-1200 CPU START/STOP Module
Posted Jul 16, 2012
Authored by Dillon Beresford | Site metasploit.com

The Siemens Simatic S7-1200 S7 CPU start and stop functions over ISO-TSAP this modules allows an attacker to perform administrative commands without authentication. This Metasploit module allows a remote user to change the state of the PLC between STOP and START, allowing an attacker to end process control by the PLC.

tags | exploit, remote
SHA-256 | 209515171372e815da32934ab41fdd5f1c336d22022bec1c97308a5b5097d4c3
Siemens Simatic S7-300/400 CPU START/STOP Module
Posted Jul 16, 2012
Authored by Dillon Beresford | Site metasploit.com

The Siemens Simatic S7-300/400 S7 CPU start and stop functions over ISO-TSAP this modules allows an attacker to perform administrative commands without authentication. This Metasploit module allows a remote user to change the state of the PLC between STOP and START, allowing an attacker to end process control by the PLC.

tags | exploit, remote
SHA-256 | e012c156c46c53f51452c321377eed31d2bcff3d14db2c6ffe938003af648fc7
Siemens Simatic S7-300 PLC Remote Memory Viewer
Posted Jul 14, 2012
Authored by Dillon Beresford | Site metasploit.com

This Metasploit module attempts to authenticate using a hard-coded backdoor password in the Simatic S7-300 PLC and dumps the device memory using system commands.

tags | exploit
SHA-256 | d6907293e454a396426319c60a1d46ca00f48f5825d6033b2984938b778a4ca1
WordPress Generic Plugin Shell Upload
Posted Jul 13, 2012
Authored by KedAns-Dz

This Metasploit module exploits an arbitrary PHP File Upload and Code Execution flaw in some WordPress blog software plugins. The vulnerability allows for arbitrary file upload and remote code execution POST Data to Vulnerable Script/File in the plugin.

tags | exploit, remote, arbitrary, php, code execution, file upload
SHA-256 | b0f467c2f9513aea9fd89d25f94d00be23be09c42cfc54f3bbc14d023bf918cf
Hastymail 2.1.1 RC1 Command Injection
Posted Jul 13, 2012
Authored by juan vazquez, Bruno Teixeira | Site metasploit.com

This Metasploit module exploits a command injection vulnerability found in Hastymail 2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on the "lib/ajax_functions.php" script. Authentication is required on Hastymail in order to exploit the vulnerability. The module has been successfully tested on Hastymail 2.1.1 RC1 over Ubuntu 10.04.

tags | exploit, php
systems | linux, ubuntu
advisories | CVE-2011-4542, OSVDB-77331
SHA-256 | fbe0eb9dcf16cdfa75230cc4026bda4f995b4a74618b8b0e9dd91eba2de87e03
Java Applet Field Bytecode Verifier Cache Remote Code Execution
Posted Jul 10, 2012
Authored by Stefan Cornelius, sinn3r, juan vazquez, littlelightlittlefire, mihi | Site metasploit.com

This Metasploit module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

tags | exploit
advisories | CVE-2012-1723, OSVDB-82877
SHA-256 | d0f87e2217146b16aef1f52fdc1199e419212c967c36b2332599cb9bbc44e022
AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution
Posted Jul 9, 2012
Authored by rgod, juan | Site metasploit.com

This Metasploit module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This Metasploit module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.

tags | exploit, remote, arbitrary, activex
systems | windows
advisories | CVE-2011-2657, OSVDB-76700
SHA-256 | 56cf9879c132897ee3261274e09284b0d6081bb9dd195db9cee39698cd90dbba
Poison Ivy 2.3.2 C&C Server Buffer Overflow
Posted Jul 6, 2012
Authored by juan vazquez, Gal Badishi, Andrzej Dereszowski | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. If the C&C is configured with the default 'admin' password, the exploit should work fine. In case of the C&C configured with another password the exploit can fail. The 'check' command can be used to determine if the C&C target is using the default 'admin' password. Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread responsible of handling the connection. Because of this the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header will be used. If the bruteforce target is selected, a random header will be sent in case the default for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or a session obtained.

tags | exploit, overflow
SHA-256 | a5fb5f9fb5256f9b9ed0a73d71160bd6699b2d23e1947554a86a9c745e5bff43
Umbraco CMS Remote Command Execution
Posted Jul 6, 2012
Authored by juan vazquez, Toby Clarke | Site metasploit.com

This Metasploit module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted SOAP request to codeEditorSave.asmx, which permits unauthorised file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory. The module writes, executes and then overwrites an ASPX script; note that though the script content is removed, the file remains on the target. Automatic cleanup of the file is intended if a meterpreter payload is used. This Metasploit module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows 7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have write permissions on the Windows Temp folder.

tags | exploit, web, asp, file upload
systems | windows
SHA-256 | a969edd9061df64ff92c55db7b277da617626bfa9448eab4978dfbd56a0d42bb
Tiki Wiki <= 8.3 unserialize() PHP Code Execution
Posted Jul 6, 2012
Authored by EgiX, juan vazquez | Site metasploit.com

This Metasploit module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. In order to run successfully three conditions must be satisfied (1) display_errors php setting must be On to disclose the filesystem path of Tiki Wiki, (2) The Tiki Wiki Multiprint feature must be enabled to exploit the unserialize() and (3) a php version older than 5.3.4 must be used to allow poison null bytes in filesystem related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.

tags | exploit, web, arbitrary, php
systems | linux, ubuntu
advisories | CVE-2012-0911
SHA-256 | 04e6daabf6b6a5dba1b8fa576bc4f910b4df1c7b90652847142a832796744523
Basilic 1.5.14 diff.php Arbitrary Command Execution
Posted Jul 6, 2012
Authored by Larry W. Cashdollar, sinn3r, juan vasquez | Site metasploit.com

This Metasploit module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.

tags | exploit, arbitrary, php
SHA-256 | 80e3ce82a2d97fa36f0665883aecc56cc126a901567bd0c4251832c7ded7ffe7
IBM Rational ClearQuest CQOle Remote Code Execution
Posted Jul 3, 2012
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest versions prior to 7.1.1.9, 7.1.2.6 or 8.0.0.2 which allows reliable remote code execution when DEP is not enabled.

tags | exploit, remote, code execution, activex
advisories | CVE-2012-0708, OSVDB-81443
SHA-256 | 387ecb02a357ac85525e1e50243fe56012c1987ea3f8ba4a3ee336ab0fb98ed5
HP Data Protector Create New Folder Buffer Overflow
Posted Jul 2, 2012
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in a insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the folder name is split in fragments in this insecure copy. Because of this, this module uses egg hunting to search a non corrupted copy of the payload in the heap. On the other hand the overflowed buffer is stored in a frame protected by stack cookies, because of this SEH handler overwrite is used. Any user of HP Data Protector Express is able to create new folders and trigger the vulnerability. Moreover, in the default installation the 'Admin' user has an empty password. Successful exploitation will lead to code execution with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default.

tags | exploit, overflow, code execution
advisories | CVE-2012-0124, OSVDB-80105
SHA-256 | 962411e193e7b384adfe805773b642d125d223dcbeecdc498ef53de2cbc5c202
Irfanview JPEG2000 4.3.2.0 jp2 Stack Buffer Overflow
Posted Jul 2, 2012
Authored by Parvez Anwar, mr_me, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow vulnerability in versions 4.3.2.0 and below of Irfanview's JPEG2000.dll plugin. This exploit has been tested on a specific version of irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways. The user can double click the file, use the file dialog, open via the icon and drag/drop the file into Irfanview\'s window. An egg hunter is used for stability.

tags | exploit, overflow
advisories | CVE-2012-0897, OSVDB-78333
SHA-256 | c5cce711dbd4abe77f358a5360b9fd21367c38e3811ab24c191fb5a02cb79609
Apple QuickTime TeXML Stack Buffer Overflow
Posted Jun 29, 2012
Authored by sinn3r, Alexander Gavrun, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. The flaw is generally known as a bug while processing the 'transform' attribute, however, that attack vector seems to only cause a TerminateProcess call due to a corrupt stack cookie, and more data will only trigger a warning about the malformed XML file. This Metasploit module exploits the 'color' value instead, which accomplishes the same thing.

tags | exploit, overflow, arbitrary, code execution
systems | apple
advisories | CVE-2012-0663, OSVDB-81934
SHA-256 | c3e73b5fb622e5d0d8dee9cca23a811ec375673bedd92228a5733bc9287c407b
Openfire Admin Console Authentication Bypass
Posted Jun 29, 2012
Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This Metasploit module has been tested against Openfire 3.6.0a. It is possible to remove the uploaded plugin after execution, however this might turn the server in some kind of unstable state, making re-exploitation difficult. You might want to do this manually.

tags | exploit, java, arbitrary, bypass
advisories | CVE-2008-6508, OSVDB-49663
SHA-256 | f96c770e59d9d05308428a0fe45cb31107b3064402edcf2653bd604b617ffe44
SugarCRM 6.3.1 unserialize() PHP Code Execution
Posted Jun 27, 2012
Authored by EgiX, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a php unserialize() vulnerability in SugarCRM versions 6.3.1 and below which could be abused to allow authenticated SugarCRM users to execute arbitrary code with the permissions of the webserver. The dangerous unserialize() exists in the 'include/MVC/View/views/view.list.php' script, which is called with user controlled data from the 'current_query_by_page' parameter. The exploit abuses the __destruct() method from the SugarTheme class to write arbitrary PHP code to a 'pathCache.php' on the web root.

tags | exploit, web, arbitrary, root, php
advisories | CVE-2012-0694
SHA-256 | 1e73a4a4f9bf312d43feeea95213bce49f5dcf97660320b96cca53b8c0f4ba3d
Adobe Flash Player Object Type Confusion
Posted Jun 23, 2012
Authored by sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "_error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2012-0779, OSVDB-81656
SHA-256 | 278d32f3bc7f3344e48d9ed25bcb65be25041499b78ba981e26d568f755202ee
iTunes Extended M3U Stack Buffer Overflow
Posted Jun 21, 2012
Authored by Rh0 | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an "#EXTINF:" tag description, iTunes will copy the content after "#EXTINF:" without appropriate checking from a heap buffer to a stack buffer and write beyond the stack buffers boundary. This allows arbitrary code execution. The Windows XP target has to have QuickTime 7.7.2 installed for this module to work. It uses a ROP chain from a non safeSEH enabled DLL to bypass DEP and safeSEH. The stack cookie check is bypassed by triggering a SEH exception.

tags | exploit, overflow, arbitrary, code execution
systems | windows
SHA-256 | 9ae85a7f65f089284af05d455b2e76edf1411cf55e1aa37c56ec9d74328747ac
Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
Posted Jun 20, 2012
Authored by mr_me | Site metasploit.com

This Metasploit module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against Korean based organizations. Specifically, this issue occurs when indexing an array using an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and is very reliable.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2011-2110, OSVDB-48268
SHA-256 | e26bbead67100b455a3fddb8cfcf7df0baddef6b4fbc68f4cc261a2c4dea9972
Page 2 of 4
Back1234Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    12 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close