
Remote Files

Cisco IKE Information Disclosure
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

tags | exploit, remote
systems | cisco, osx, ios
advisories | CVE-2016-6415
SHA-256 | cb133e8ec1ab0a1c2ef2e261014a4116110c288c8c180ccb796a35046f0cc70e
VMware Server Directory Traversal
Posted Aug 31, 2024
Authored by CG | Site metasploit.com

This Metasploit module exploits the VMware Server directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware server ports are 80/8222 and 443/8333 (SSL). If you want to download the entire VM, check out the gueststealer tool.

tags | exploit, remote, arbitrary
systems | linux
advisories | CVE-2009-3733
SHA-256 | bf4996e1f6f3d4417cdbcd16d228ae272229ab37892c242643b5db9693969a42
Cisco DLSw Information Disclosure Scanner
Posted Aug 31, 2024
Authored by John McLeod, Tate Hansen, Kyle Rainey | Site metasploit.com

This Metasploit module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.

tags | exploit, remote, info disclosure
systems | cisco
advisories | CVE-2014-7992
SHA-256 | 8c127ae0566989988fb9b4c5ab25a9378faa865c70eef591a422e2cb3549b141
Amazon Fire TV YouTube Remote Control
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module acts as a simple remote control for the Amazon Fire TV's YouTube app. Tested on the Amazon Fire TV Stick.

tags | exploit, remote
SHA-256 | 69fb41ab585fc6b28e37188b07a1a70fbaf2484bcbddc9b47819529c298b422e
Veritas Backup Exec Server Registry Access
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes.

tags | exploit, remote, registry
systems | windows
advisories | CVE-2005-0771
SHA-256 | 2138587ae325bae6523fe264b536da7ed9c42e45e7490c135d46a8a92061e574
NETGEAR ProSafe Network Management System 300 Authenticated File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file in the system. This Metasploit module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.

tags | exploit, remote
systems | windows
advisories | CVE-2016-1524
SHA-256 | 7b6ab6ffa9844979171a203a6fb43f5906cc96114b0f4b811979aee8938f1df6
Novell File Reporter Agent Arbitrary File Delete
Posted Aug 31, 2024
Authored by Luigi Auriemma, juan vazquez | Site metasploit.com

NFRAgent.exe in Novell File Reporter allows remote attackers to delete arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and CMD set to 5 against /FSF/CMD. This Metasploit module has been tested successfully on NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on Windows platforms.

tags | exploit, remote, arbitrary
systems | windows
advisories | CVE-2011-2750
SHA-256 | 198d2abf096644de1969b6367090e9dbb3f240f2e524d6275cb898f9346e60f2
JBoss Seam 2 Remote Command Execution
Posted Aug 31, 2024
Authored by Cristiano Maruti, guerrino di massa | Site metasploit.com

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This Metasploit module has also been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

tags | exploit, java, remote, arbitrary
systems | linux, redhat
advisories | CVE-2010-1871
SHA-256 | e5fbbf205a52fd3db322ca559e03ddc183be3dbb1aecbc317c893104e8a8f598
Linksys WRT54GL Remote Command Execution
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

Some Linksys Routers are vulnerable to OS Command injection. You will need credentials to the web interface to access the vulnerable part of the application. Default credentials are always a good starting point. admin/admin or admin and blank password could be a first try. Note: This is a blind OS command injection vulnerability. This means that you will not see any output of your command. Try a ping command to your local system and observe the packets with tcpdump (or equivalent) for a first test. Hint: To get a remote shell you could upload a netcat binary and exec it. WARNING: this module will overwrite network and DHCP configuration.

tags | exploit, remote, web, shell, local
SHA-256 | c0a0294f6b84501bb7ca89228ea567596e04b04818d4997fb6266f71b440692b
D-Link DIR 645 Password Extractor
Posted Aug 31, 2024
Authored by Michael Messner, Roberto Paleari | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in DIR 645 < v1.03. With this vulnerability you are able to extract the password for the remote management.

tags | exploit, remote, bypass
SHA-256 | 7fe8b8b74336f5dc7dd1fec74d9b8ce3315a1065aebd43f4c022aa9e9817bb7b
WordPress Symposium Plugin SQL Injection
Posted Aug 31, 2024
Authored by Matteo Cantoni, PizzaHatHacker | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress, which allows remote attackers to extract credentials via the size parameter to get_album_item.php.

tags | exploit, remote, php, sql injection
advisories | CVE-2015-6522
SHA-256 | 2961b2a6386f280ff2a5c8a22286ae6b39869c94cfc164ff4f01d0e67ea4a838
Control ID IDSecure Authentication Bypass
Posted Aug 31, 2024
Authored by Michael Heinzl, Tenable | Site metasploit.com

This Metasploit module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure less than or equal to v4.7.43.0. It allows an unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.

tags | exploit, remote, web
advisories | CVE-2023-6329
SHA-256 | a6c6f27ff6d782d0a38702442098d51b3a489db908ce682fc3fde965ed920953
TYPO3 Sa-2010-020 Remote File Disclosure
Posted Aug 31, 2024
Authored by Chris John Riley, Gregor Kopf | Site metasploit.com

This Metasploit module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes. Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0. This flaw can be used to read any file that the web server user account has access to view.

tags | exploit, remote, web
advisories | CVE-2010-3714
SHA-256 | 1d35e4826d1070372d0738e9a084efbbc13270ebd02c2ba618026825dfdceb07
Netgear Unauthenticated SOAP Password Extractor
Posted Aug 31, 2024
Authored by h00die, Michael Messner, Peter Adkins | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in different Netgear devices. It allows you to extract the password for the remote management interface.

tags | exploit, remote, bypass
SHA-256 | 6ec21b301158f8e8563ec1fe1e9c6b675e162a88cdc41ce6a56f70fa586ab250
D-Link DSL 320B Password Extractor
Posted Aug 31, 2024
Authored by Michael Messner | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in D-Link DSL 320B less than or equal to v1.23. This vulnerability allows extraction of the credentials for the remote management interface.

tags | exploit, remote, bypass
SHA-256 | 46b12d46c687aab16789fe43c6f1a2ff95ae781adbba6ee2c13bae048f23ea0c
D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This Metasploit module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. In order to get a remote shell the telnetd could be started without any authentication.

tags | exploit, remote, shell, php
SHA-256 | 2f5b594e622d424820044978baa8b49d0949391ea6ea0829281922f271fa3004
Apache Tomcat AJP File Read
Posted Aug 31, 2024
Authored by A Security Researcher of Chaitin Tech, SunCSR Team | Site metasploit.com

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed returning arbitrary files from anywhere in the web application and processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

tags | exploit, remote, web, arbitrary, code execution, protocol, file upload
advisories | CVE-2020-1938
SHA-256 | f20ed46e990bc49e51e4df52537ec564d571907ef6c1bab6631f3044e0db35c8
Supra Smart Cloud TV Remote File Inclusion
Posted Aug 31, 2024
Authored by wvu, Dhiraj Mishra | Site metasploit.com

This Metasploit module exploits an unauthenticated remote file inclusion which exists in Supra Smart Cloud TV. The media control for the device doesn't have any session management or authentication. Leveraging this, an attacker on the local network can send a crafted request to broadcast a fake video.

tags | exploit, remote, local, file inclusion
advisories | CVE-2019-12477
SHA-256 | 4f628334a1d4a905d86ed3e418a091bc45e99144a8e83f1ac6d4d534bdfe0adf
EMC AlphaStor Device Manager Arbitrary Command Execution
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.

tags | exploit, remote
advisories | CVE-2008-2157
SHA-256 | 16c82c7d9b24fff50834652b907f881e0a62d98726b37cb9546e543b81d6e763
EMC AlphaStor Library Manager Arbitrary Command Execution
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.

tags | exploit, remote
advisories | CVE-2008-2157
SHA-256 | 4eb559b7eb5458576749ca66e28966f2da701297746ca34d82ff61294f0bd8dc
Chromecast YouTube Remote Control
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module acts as a simple remote control for Chromecast YouTube. Only the deprecated DIAL protocol is supported by this module. Casting via the newer CASTV2 protocol is unsupported at this time.

tags | exploit, remote, protocol
SHA-256 | e6f2818d3d719fc25a77035d112d22c1dfffde0f01fb1cf301c6e9d8440457b4
SAP Internet Graphics Server (IGS) XMLCHART XXE
Posted Aug 31, 2024
Authored by Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user from which the IGS service is started, which will typically be the SAP admin user. Alternatively attackers can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server.

tags | exploit, remote, denial of service, vulnerability
advisories | CVE-2018-2392, CVE-2018-2393
SHA-256 | 932e34005bd30cea82809ca431f5daa784d90fd6dfd7abe0f2359d6391625386
SAP Solution Manager Remote Unauthorized OS Commands Execution
Posted Aug 31, 2024
Authored by Dmitry Chastuhin, Pablo Artuso, Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP requests (SSRF), and execute OS commands on a connected SMDAgent. It works stably on a connected SMDAgent with Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as the user under which the SMDAgent service starts, usually daaadm.

tags | exploit, java, remote, web
advisories | CVE-2020-6207
SHA-256 | d3cd670695bc394e4f3ed861de2d7c717dac789ada16fbb0c7c9e1612d66ab86
WebEx Remote Command Execution Utility
Posted Aug 31, 2024
Authored by Ron Bowes | Site metasploit.com

This Metasploit module enables the execution of a single command as System by exploiting a remote code execution vulnerability in Cisco's WebEx client software.

tags | exploit, remote, code execution
advisories | CVE-2018-15442
SHA-256 | ff7ba8eee04116c187733d871f1d2cdcba7bf879d893d5749316164a92cbcb78
TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access
Posted Aug 31, 2024
Authored by aushack, Anshul Pandey | Site metasploit.com

This Metasploit module tests for a directory traversal vulnerability in the UpdateAgent function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM via dot dot sequences in an HTTP request.

tags | exploit, remote, web, arbitrary
advisories | CVE-2008-2439
SHA-256 | f9f4a1cffb076eaa8de5b999f9dcbffa5aea4de87901e76b8a98aeaadfed7549