This Metasploit module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writable share must be specified. The newly created directory will link to the root filesystem.
da49454c5f849f765142c42e065734b0088421d4e93444a769a657b11fdb04af
This Metasploit module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.
6c0a9a2b80ec4a4d227511510ff034d0be1d1387d4299cbb7189ca3bd983eb19
DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This Metasploit module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).
405b00bb4d79db5348b3c12e604b6e404da1f9cceecda00a4b54d45d591a379d
OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface. Although this attack requires authentication, there are several factors that increase the severity of this vulnerability. 1. OpenNMS runs with root privileges; taken from the OpenNMS FAQ: "The difficulty with the core of OpenNMS is that these components need to run as root to be able to bind to low-numbered ports or generate network traffic that requires root". 2. The user that you must authenticate as is the "rtc" user, which has the default password of "rtc". There is no mention of this user in the installation guides found here: http://www.opennms.org/wiki/Tutorial_Installation, only a mention that you should change the default password of the "admin" user for security purposes.
c6099e9d6a750b34bccb567d9f4440decbde3632bf1f69a1261d5cc97295170f
This Metasploit module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. Password hashes read from disk may be cracked, potentially resulting in administrator-level access to the target device. This vulnerability is tracked as CVE-2024-24919.
169aeb5edb0fd49f3f4c9c7b61035ba1bf84b48fbb9e4daff74aeca573f80047
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user.
c2dd082e06aac52186e44ae70fb12b7ad1fbfb73fa6e41171df28951ddedcfc6
This Metasploit module exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the BOFs. Since the server forks, blind remote exploitation is possible, provided the heap does not have ASLR.
95c0e11fc546ab62299c2204c0f7af71c9e0fb6c816a661a92afe279a76f00e3
This Metasploit module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.
9922c0377155419e922dea1399b39d3294fb61f540d20cfa4ae9f6df4566e2ce
This Metasploit module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This Metasploit module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9.
70107b0adbe195b76131c10cdea4a24c8ea076a3a1b93c6596908a86f7bcd91a
This Metasploit module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
060ed45f18a940bd2cb20db82dafffe7261720b5012750515c313f3b78cd0cde
This Metasploit module triggers a Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid FTP account, either read-only or with write access, 2) the "FTP Publishing" service configured with a startup type of "manual", and 3) at least one directory under the FTP root directory. If the provided FTP account has write access and no directory exists, a new directory with a random name will be created prior to sending the exploit payload.
67404248bb76198423211333f1d01b1d47d12b762daf1e199c5e9619ec7c4de7
This Metasploit module abuses a buffer overflow vulnerability to trigger a Denial of Service of the BKCLogSvr component in the Yokogawa CENTUM CS 3000 product. The vulnerability exists in the handling of malformed log packets with an unexpectedly long level field. The root cause of the vulnerability is a combination of the use of uninitialized stack memory and a dangerous string copy. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50.
03774b1a237c005afb987ff03edf18054b3722e9c35aa6df34161c641470f53c
DiCal-RED version 4009 provides a Telnet service on TCP port 23. This service grants access to an interactive shell as the system's root user and does not require authentication.
a6385e494be7b4b70dba302642602595baa5c71833106dcef5c061db726846b5
During account assignment in the Talk2M platform, a Cosy+ device generates and sends a certificate signing request (CSR) to the back end. This CSR is then signed by the manufacturer and used for OpenVPN authentication by the device afterward. Since the common name (CN) of the certificate is specified by the device and used in order to assign the OpenVPN session to the corresponding Talk2M account, an attacker with root access to a Cosy+ device is able to manipulate the CSR and get correctly signed certificates for foreign devices.
25253b1bbb687aad196d1a68e6e0528bb19297042bab3325165b8dc98905aec7
The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The Ewon Cosy+ executes all tasks and services in the context of the user "root" and therefore with the highest system privileges. By compromising a single service, attackers automatically gain full system access.
1525ebcf929417e37f3bdac2dcdb956f29566f6bd680a2813d148269861150f9
There is an architectural and design issue in Microsoft's PlayReady which can be successfully exploited by arbitrary clients to gain access to a license server. The problem has its origin in the flat certificate namespace and the reliance on a single root key in PlayReady, along with no authentication at the license server end by default (deemed not a bug by Microsoft).
ed22257eef3a2135b2af77d7c2f00a9ce66b0b7c3b3aefd2205eb5140d64e5c9
Debian Linux Security Advisory 5739-1 - A user able to escalate to the netdev group can load arbitrary shared object files in the context of the wpa_supplicant process running as root.
6e53b687a225ae7fa2fb59167de86aff9d4f52086ffaeb9f1997bea219751ff8
Ubuntu Security Notice 6945-1 - Rory McNamara discovered that wpa_supplicant could be made to load arbitrary shared objects by unprivileged users that have access to the control interface. An attacker could use this to escalate privileges to root.
a1469ccd1a0809d92167536b7c7b7a1f6ef54c467f544361227d99a25641d41b
OpenMediaVault allows an authenticated user to create cron jobs as root on the system. An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system. All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.
977b68b131bff0d949e6b913d2598f3af7e54c6447c2599729d421f769bac029
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Authentication to the device is based on a username and password. The root credentials are the same across all devices of this model.
91634b6551f1c4552fd199be2e464137398cb4b429f2c78d26995a771a12cc5e
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available (which is not advertised or functionally used, but is nevertheless available). Two backdoor accounts (root and default) exist that can be used on this interface. The usernames and passwords of the backdoor accounts are the same on all devices. Attackers can use these backdoor accounts to obtain access and execute code as root within the device.
657ac530d2693dc4d1d5836de1dbd822079a8d222c079df2445c9b8a2d90f78d
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A local attacker with the "default" account is capable of reading the /etc/passwd file, which contains a weakly hashed root password. By taking this hash and cracking it, the attacker can obtain root rights on the device.
0565814322a8c520d48233f4208f575674bdcaee0dd5d4f8a76504f93a015dd4
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the record settings menu in the webserver running on the device. By injecting Bash commands here, the device executes arbitrary code with root privileges (all of the device's services are running as root).
3633c78e948dbf68072a87d5a7c73a161e6a76ea536627422969fcefa860c12f
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. By sending a specific request to the webserver, it is possible to enable the telnet interface on the device. The telnet interface can then be used to obtain access to the device with root privileges and a default password. This default telnet password is the same across all Siime Eye devices. For the attack to be exploited, an attacker must be physically close enough to connect to the device's Wi-Fi access point.
08e3afef0573d78ea250b0dc91eeb7d27035e90e117728f39fe1c8ad35ae60f3
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased.
4402161040c1e257f4fb22e2ce24e8e5c24e4316ce14cf14d3fa43ec14ca967d