exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed

Files

Apache Tomcat mod_jk Information Disclosure
Posted Apr 7, 2009
Site tomcat.apache.org

Apache Tomcat mod_jk versions 1.2.0 through 1.2.26 suffer from an information disclosure vulnerability.

tags | advisory, info disclosure
advisories | CVE-2008-5519
SHA-256 | 82a8f73ad304a3a139da882c821b3194c48cbad8270a4c890591b51a66f9f916

Related Files

Linux OverlayFS Local Privilege Escalation
Posted Sep 27, 2024
Authored by Takahiro Yokoyama, xkaneiki, sxlmnwb | Site metasploit.com

This Metasploit module exploit targets the Linux kernel bug in OverlayFS. A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

tags | exploit, kernel, local
systems | linux
advisories | CVE-2023-0386
SHA-256 | 6c56ce8217d90e114635700a314b8fcfb2c5a11cfda46c96a6c0e2d713c433bb
Microsoft Windows TOCTOU Local Privilege Escalation
Posted Sep 17, 2024
Authored by jheysel-r7, tykawaii98 | Site metasploit.com

CVE-2024-30088 is a Windows kernel elevation of privilege vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes specifically when the kernel copies the _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION of the current token object to user mode. When the kernel performs the copy of the SecurityAttributesList, it sets up the list of the SecurityAttributes structure directly to the user supplied pointed. It then calls RtlCopyUnicodeString and AuthzBasepCopyoutInternalSecurityAttributeValues to copy out the names and values of the SecurityAttribute leading to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.

tags | exploit, kernel, vulnerability
systems | windows
advisories | CVE-2024-30038
SHA-256 | a4e521839032a10c16e91b79eb43b6f9620dcc27482be434b0d2b62d5ac92e66
CVE-2019-0708 BlueKeep Microsoft Remote Desktop Remote Code Execution Check
Posted Aug 31, 2024
Authored by Tom Sellers, zerosum0x0, JaGoTu, National Cyber Security Centre | Site metasploit.com

This Metasploit module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.

tags | exploit, denial of service
advisories | CVE-2019-0708
SHA-256 | 6a4a44bfa015ee1e424da3c229e217a013236f2eec5a985ec1f2d2bbef888f5f
CVE-2023-21554 QueueJumper - MSMQ Remote Code Execution Check
Posted Aug 31, 2024
Authored by Haifei Li, Wayne Low, Bastian Kanbach | Site metasploit.com

This Metasploit module checks the provided hosts for the CVE-2023-21554 vulnerability by sending a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that overflows the given buffer. On patched systems, the error is caught and no response is sent back. On vulnerable systems, the integer wraps around and depending on the length could cause an out-of-bounds write. In the context of this module a response is sent back, which indicates that the system is vulnerable.

tags | exploit, overflow
advisories | CVE-2023-21554
SHA-256 | a0cddadb1a675fdce4af377d71ed784a8906286c13da03dac1d38aa7dce5ef6b
SAP Solution Manager Remote Unauthorized OS Commands Execution
Posted Aug 31, 2024
Authored by Dmitry Chastuhin, Pablo Artuso, Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.

tags | exploit, java, remote, web
advisories | CVE-2020-6207
SHA-256 | d3cd670695bc394e4f3ed861de2d7c717dac789ada16fbb0c7c9e1612d66ab86
SAP Unauthenticated WebService User Creation
Posted Aug 31, 2024
Authored by Spencer McIntyre, Dmitry Chastuhin, Pablo Artuso | Site metasploit.com

This Metasploit module leverages an unauthenticated web service to submit a job which will create a user with a specified role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid unnecessary system changes.

tags | exploit, web
advisories | CVE-2020-6287
SHA-256 | 9d4da8f09f54ec6089b8460657fec4b370a7fd9f0d3af4a870972933d253c5aa
Active Directory Certificate Services (ADCS) Privilege Escalation (Certifried)
Posted Aug 31, 2024
Authored by Christophe de la Fuente, Erik Wynter, Oliver Lyak, CravateRouge | Site metasploit.com

This Metasploit module exploits a privilege escalation vulnerability in Active Directory Certificate Services (ADCS) to generate a valid certificate impersonating the Domain Controller (DC) computer account. This certificate is then used to authenticate to the target as the DC account using PKINIT preauthentication mechanism. The module will get and cache the Ticket-Granting-Ticket (TGT) for this account along with its NTLM hash. Finally, it requests a TGS impersonating a privileged user (Administrator by default). This TGS can then be used by other modules or external tools.

tags | exploit
advisories | CVE-2022-26923
SHA-256 | 4711426ef94613fcb75202051eeb6967ed730af89bad38174d480f454b5faee3
Netlogon Weak Cryptographic Authentication
Posted Aug 31, 2024
Authored by Spencer McIntyre, Tom Tervoort, Dirk-jan Mollema | Site metasploit.com

A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This Metasploit module leverages the vulnerability to reset the machine account password to an empty string, which will then allow the attacker to authenticate as the machine account. After exploitation, its important to restore this password to its original value. Failure to do so can result in service instability.

tags | exploit
advisories | CVE-2020-1472
SHA-256 | 2e8cb0b33fee94cb76487f48c8612ae293bf93023140f19faf6766dfb2245f0e
Apache Tapestry HMAC secret key leak
Posted Aug 31, 2024
Authored by Johannes Moritz, Yann Castel | Site metasploit.com

This exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits (hd) : 6hd-4hd-4hd-4hd-12hd If the HMAC key has been changed to look differently, this module wont find the key because it tries to download the file and then uses a specific regex to find the key.

tags | exploit, java
advisories | CVE-2021-27850
SHA-256 | b1c7d62902e4bda90669843700bef91f0006f013f404b5ebf2f2d9ae7a80eaf5
Ubuntu Security Notice USN-6826-1
Posted Jun 12, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6826-1 - Karl von Randow discovered that mod_jk was vulnerable to an authentication bypass. If the configuration did not provide explicit mounts for all possible proxied requests, an attacker could possibly use this vulnerability to bypass security constraints configured in httpd.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2023-41081
SHA-256 | cf6017d31a48fcb0d18e99eff25ef34b45a6980db67fe71108a69071cda964a1
Red Hat Security Advisory 2024-2387-03
Posted Apr 30, 2024
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2024-2387-03 - An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9. Issues addressed include cross site scripting and information leakage vulnerabilities.

tags | advisory, vulnerability, xss
systems | linux, redhat
advisories | CVE-2023-6710
SHA-256 | 1afbcf28960759dfb2bf1cd21470b1d259028ca98c06545215ea1561a67e4844
BoidCMS 2.0.0 Command Injection
Posted Mar 1, 2024
Authored by bwatters-r7, 1337kid | Site metasploit.com

This Metasploit module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS versions 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.

tags | exploit, php
advisories | CVE-2023-38836
SHA-256 | 4be34ec34fdd2c459e03d46cbe61a319a411480ce0b82004ab5d83d8fcc669d1
Windows Common Log File System Driver (clfs.sys) Privilege Escalation
Posted Sep 14, 2023
Authored by Ricardo Narvaja, jheysel-r7, Esteban.kazimirow | Site metasploit.com

A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. This Metasploit module exploit makes use to two different kinds of specially crafted .blf files.

tags | exploit
systems | windows
advisories | CVE-2023-28252
SHA-256 | 9aa5ede2ea03c876775407f0098c013dfd3c503cc4ebb1ee7306284def339699
Oracle Weblogic PreAuth Remote Command Execution
Posted Jun 12, 2023
Authored by Grant Willcox, 4ra1n, 14m3ta7k | Site metasploit.com

Oracle Weblogic versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 prior to the Jan 2023 security update are vulnerable to an unauthenticated remote code execution vulnerability due to a post deserialization vulnerability. This Metasploit module exploits this vulnerability to trigger the JNDI connection to a LDAP server you control. The LDAP server will then respond with a remote reference response that points to a HTTP server that you control, where the malicious Java class file will be hosted. Oracle Weblogic will then make an HTTP request to retrieve the malicious Java class file, at which point our HTTP server will serve up the malicious class file and Oracle Weblogic will instantiate an instance of that class, granting us remote code execution as the oracle user.

tags | exploit, java, remote, web, code execution
advisories | CVE-2023-21839
SHA-256 | bf2f1b516a8dc0fb1cbfbd5fd5ff2f96c261f01313c61be63baa18eaf950b757
Chrome Renderer Type Confusion / Remote Code Execution
Posted Jun 11, 2023
Authored by Man Yue Mo, GitHub Security Lab

Proof of concept remote code execution exploit that demonstrates a vulnerability in the Chrome renderer sandbox by simply visiting a malicious website.

tags | exploit, remote, code execution, proof of concept
advisories | CVE-2022-1134
SHA-256 | 0bef9994895034465485b3ccc1c259c22c1bde140f7e3d288d935477095db1e7
Qualcomm Adreno GPU Information Leak
Posted Jun 11, 2023
Authored by Man Yue Mo, GitHub Security Lab

Proof of concept exploit for an information leak vulnerability in the Qualcomm Adreno GPU. The bug can be used to leak information in other user apps, as well as in the kernel from an untrusted app. The directory adreno_user contains a proof-of-concept for leaking memory from other applications. It will repeatedly trigger the bug and read the stale information contained in memory pages.

tags | exploit, kernel, proof of concept
advisories | CVE-2022-25664
SHA-256 | 14a7bc813fbfd5b0814582d935ba39c5649faf3bc3609e054c88db47e4159c41
Android Arm Mali GPU Arbitrary Code Execution
Posted Jun 11, 2023
Authored by Man Yue Mo, GitHub Security Lab

Proof of concept exploit for Android on Arm Mali GPU with a kernel driver bug that can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6 with the November 2022 and January 2023 patch.

tags | exploit, arbitrary, kernel, root, code execution, proof of concept
advisories | CVE-2022-46395
SHA-256 | 1c81e6cc4abcfe0ecb1417d1ee980963d887a2109472ab157bbd2c2fa62921ef
Android Arm Mali GPU Arbitrary Code Execution
Posted Jun 11, 2023
Authored by Man Yue Mo, GitHub Security Lab

Proof of concept exploit for the Arm Mali GPU that can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6. The original exploit that was sent to Google is included as hello-jni.c as a reference and was tested on the July 2022 patch of the Pixel 6. Due to the fact that Pixel 6 cannot be downgraded from Android 13 to Android 12, an updated version of the exploit, mali_shrinker_mmap.c is included, which supports various firmware in Android 13, including the December patch, which is the latest affected version.

tags | exploit, arbitrary, kernel, root, code execution, proof of concept
advisories | CVE-2022-38181
SHA-256 | bc50f9e9f9fe69b36613124dc79ca07e6c6523713f3c1192a6204b4ec7783f2c
Android Arm Mali GPU Arbitrary Code Execution
Posted Jun 11, 2023
Authored by Man Yue Mo, GitHub Security Lab

Proof of concept exploit for a memory corruption vulnerability in the Arm Mali GPU kernel driver that was reported in January of 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6 and supports patch levels from November 2021 to February 2022. It is easy to add support for other firmware by changing a few image offsets.

tags | exploit, arbitrary, kernel, root, code execution, proof of concept
advisories | CVE-2022-20186
SHA-256 | 66eea2398301c881c76dc1359392bb4e7585bacb1998c8e4de619ba964588857
Ancillary Function Driver (AFD) For Winsock Privilege Escalation
Posted Mar 30, 2023
Authored by Christophe de la Fuente, b33f, Yarden Shafir, chompie | Site metasploit.com

A vulnerability exists in the Windows Ancillary Function Driver for Winsock (afd.sys) can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in AfdNotifyRemoveIoCompletion, it is possible to create an arbitrary kernel Write-Where primitive, which can be used to manipulate internal I/O ring structures and achieve local privilege escalation. This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in January 2023 updates).

tags | exploit, arbitrary, kernel, local
systems | windows
advisories | CVE-2023-21768
SHA-256 | d5a189a643f3c07d66a853b96018a65f135901780840ff23dc17f6a405330ebb
Lenovo Diagnostics Driver Memory Access
Posted Feb 3, 2023
Authored by jheysel-r7, alfarom256 | Site metasploit.com

This Metasploit module demonstrates how an incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory reads and writes.

tags | exploit, arbitrary
advisories | CVE-2022-3699
SHA-256 | 4d81e8f2ae72805082f511a1afa0427bff321c86d10fa56019672dac926e51f8
io_uring Same Type Object Reuse Privilege Escalation
Posted Feb 1, 2023
Authored by h00die, Mathias Krause, Ryota Shiga | Site metasploit.com

This Metasploit module exploits a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes. This exploit will spawn SUID programs to get the freed cred object reallocated by a privileged process and abuse them to create a SUID root binary that will pop a shell. The dangling cred pointer will, however, lead to a kernel panic as soon as the task terminates and its credentials are destroyed. We therefore detach from the controlling terminal, block all signals and rest in silence until the system shuts down and we get killed hard, just to cry in vain, seeing the kernel collapse. The bug affected kernels from v5.12-rc3 to v5.14-rc7. More than 1 CPU is required for exploitation. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.

tags | exploit, shell, kernel, root
systems | linux, ubuntu
advisories | CVE-2022-1043
SHA-256 | ddab5b3975fc82e2a23c5e4e05a57af4893abfbc613df02d507c1013c62dc088
Print Spooler Remote DLL Injection
Posted May 25, 2022
Authored by Christophe de la Fuente, Spencer McIntyre, Zhiniang Peng, cube0x0, Xuefeng Li, Zhang Yunhai, Piotr Madej, Zhipeng Huo | Site metasploit.com

The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.

tags | exploit, remote, code execution
advisories | CVE-2021-1675, CVE-2021-34527
SHA-256 | 1720ad267b345d6b91409cdb01c0ab129fc9f485ac71c4c4a816698bd6351239
Watch Queue Out-Of-Bounds Write
Posted Apr 21, 2022
Authored by Jann Horn, bwatters-r7, bonfee | Site metasploit.com

This Metasploit module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur, however this is unlikely.

tags | exploit, denial of service, kernel
systems | linux
advisories | CVE-2022-0995
SHA-256 | b59181d9b536ad31ebdc6b3f83985c65e49fbe3242468f7709e7bb7a2d4b1e5f
Windows User Profile Service Privlege Escalation
Posted Apr 11, 2022
Authored by Grant Willcox, KLINIX5 | Site metasploit.com

The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904.

systems | windows
advisories | CVE-2021-34484, CVE-2022-21919, CVE-2022-26904
SHA-256 | d30eae074af8b00dd694a057dd1c7a07694de0851d5e48da9ee462ed23d2a3ce
Page 1 of 4
Back1234Next

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close