MacOSX/PowerPC 72-byte shellcode for execve /bin/sh.
ac91044711def1684cd5a9b2453d14c329e8a338863ce7e44ec4589f10d91bde
This Metasploit module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. Valid credentials for a Nagios XI user are required. This module has been successfully tested against official NagiosXI OVAs versions 5.5.6 through 5.7.5.
e1e14a22eb63b8baf6d8bc7b7a7a42d07a444dd4ad650863cfe3c7cce4239771
This Metasploit module serves an OSX app (as a zip) that contains no Info.plist, which bypasses gatekeeper in macOS versions prior to 11.3. If the user visits the site on Safari, the zip file is automatically extracted, and clicking on the downloaded file will automatically launch the payload. If the user visits the site in another browser, the user must click once to unzip the app, and click again in order to execute the payload.
63462c2e64d7852458a439220123a2d9aea8f3c2506a1452879ec40fef583f4f
Code16 is a compilation of notes from research performed by Cody16. This issue discusses hunting zero days and NagiosXI version 5.8.1.
9d08170ca7e8368c7ed6054ce28231b1a7a290e48949e6483a5248bac54fd78d
NagiosXI version 5.6.11 post authentication orderby parameter remote SQL injection exploit.
5b7280585819afb90f9056b2f48942ba062dc884bc0991afeaddcc45f7440a4f
NagiosXI version 5.6.11 post authentication start, end, and step parameter remote code execution exploit.
031602c56f2aaed8028f670cedf7bcaeea0adc9a27dbd5faa77afcb3ff87e286
NagiosXI version 5.6.11 post authentication address parameter remote code execution exploit.
428cf9e7378b1a7c753e11aa12708d599dc69c144f7915dad4f27913824c00eb
This is a whitepaper tutorial that describes steps taken to identify post-authentication remote command execution vulnerabilities in NagiosXI version 5.6.11.
c13f3213213baa28e248e4dc73e332bc336b5d187686a95ad2ef8b57a7b36938
This is a whitepaper tutorial that walks through creating a proof of concept exploit for a remote command execution vulnerability in NagiosXI version 5.6.
8cd9a562fc422fbab693c7375a6d77afbff17c5e7e25cd997d8290beae82bbe2
This Metasploit module exploits a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label. The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root privileges.
7eb0567032fbb9cfa6bb44edac50bb3c598c094fd089f1288cc6d474ba8add57
Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with 'pg_execute_server_program' to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a new table, then execute system commands in the context of copying the command output into the table. This Metasploit module should work on all Postgres systems running version 9.3 and above. For Linux and OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl. For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp. Alternatively target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload or other customized command.
c46a7605f2f59df142894ab93e39c6fbb9ceb49da8db00d316382c22458faf6e
This Metasploit module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The API keys are then used to add an administrative user. 4. An authenticated session is established with the newly added user. 5. Command Injection on /nagiosxi/backend/index.php allows us to execute the payload with nopasswd sudo, giving us a root shell. 6. Remove the added admin user and reset the database user.
80bee7aa780edc43040bd1dd427fbdb84bcd1f35f74873b32d619a620e07f20c
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of revision 227958 on OSX.
16307c2a076e6eedaa5e405c5a3f96d724981d8afd372bf9e6385efaff3fb94f
FortiClient stores the VPN authentication credentials in a configuration file (on Linux or Mac OSX) or in the registry (on Windows). The credentials are encrypted but can still be recovered since the decryption key is hardcoded in the program and the same on all installations. Moreover, the aforementioned storage is world readable, which is what makes the credential recovery possible. Versions prior to 4.4.2335 on Linux, 5.6.1 on Windows, and 5.6.1 on Mac OSX are vulnerable.
e979475b106297fb2dc050e554be589a58bf126c0e7adb1e3495fc242851917d
This Metasploit module exploits a serious flaw in Mac OS X High Sierra. Any user can log in as user "root" with an empty password.
dd129338b035d1f1252020b0fcad4403a67d63fb88369b316e4ae2fb47bd5adc
smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest the modbus protocol. It is a full modbus protocol implementation using Python and Scapy. This software can be run on Linux/OSX under python 2.7.x.
2e05a761bb9cd1d0a9065aee8f768de041e8a46147d86dc93c4cd96fc471e642
smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest the modbus protocol. It is a full modbus protocol implementation using Python and Scapy. This software can be run on Linux/OSX under python 2.7.x.
b4b32ad85928b3e1070dab8489ec2677653a4673c05a81f97e61cbbee9170e50
The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment. This exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab which gives a rootshell via sudo. Tested on 10.9.5 / 10.10.5 but it most likely works on much older versions too.
57369dae3073aa171e586034196b70f67cf18695ca619dddcbe2f77bfce377a9
34-byte NULL-byte-free OS X x64 /bin/sh shellcode.
62604cfda35d5ea48e784d6b5bfb83d4ce2aa61f09505d7ee7a39833737dc0ef
Mac OS X 10.10.4 (Yosemite) suffers from a keychain-related denial of service vulnerability.
5e5264989ee711ea2cf1f4508b6d73169a2f88b72a97de4b2be4e77d5bfb3214
OS X version 10.10 DYLD_PRINT_TO_FILE local privilege escalation proof of concept exploit.
54d151a0576992acbdfc4330c685be0f33834016156eaf6b60eb50e760abfc0c
This Metasploit module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because the daemon performs insufficient checks on client authentication, authentication can be bypassed. Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on the Arkeia server as well as on all the backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
7b4c0df3265eff7d8bf05b564fe0ba2fea10cec409923415d3a6df2a68832eed
Mac OS X rootpipe local proof of concept privilege escalation exploit.
146b64bdac5816f848302abe5d0ad8a8ac00a1ef2eb064fcfcdd3a63453c2ee0
OS X 10.9.5 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
4eb96b629d8eab7927b29a5ec7a9f92753cd3f849943a9328dda80e152688d6a
OS X 10.10 IOKit IntelAccelerator suffers from a null pointer dereference vulnerability. This is the proof of concept exploit released by Google.
57e374097b155cf315fefccfe8009fda73846c7ab656b687d836fb54d450f253
OS X networkd "effective_audit_token" XPC type confusion sandbox escape proof of concept exploit.
26000ca21e50478d63a5ca817398f053658a3693b62adac8eb4a3b8c6669b930