
Root Files

Samba Symlink Directory Traversal
Posted Aug 31, 2024
Authored by H D Moore, Kingcope | Site metasploit.com

This Metasploit module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.

tags | exploit, root
advisories | CVE-2010-0926
SHA-256 | da49454c5f849f765142c42e065734b0088421d4e93444a769a657b11fdb04af
Webmin Edit_html.cgi File Parameter Traversal Arbitrary File Access
Posted Aug 31, 2024
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.

tags | exploit, arbitrary, cgi, root
systems | linux, ubuntu
advisories | CVE-2012-2983
SHA-256 | 6c0a9a2b80ec4a4d227511510ff034d0be1d1387d4299cbb7189ca3bd983eb19
Cisco Data Center Network Manager Unauthenticated File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This Metasploit module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2019-1619, CVE-2019-1621
SHA-256 | 405b00bb4d79db5348b3c12e604b6e404da1f9cceecda00a4b54d45d591a379d
OpenNMS Authenticated XXE
Posted Aug 31, 2024
Authored by Justin Kennedy, Stephen Breen | Site metasploit.com

OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface. Although this attack requires authentication, there are several factors that increase the severity of this vulnerability. 1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty with the core of OpenNMS is that these components need to run as root to be able to bind to low-numbered ports or generate network traffic that requires root" 2. The user that you must authenticate as is the "rtc" user which has the default password of "rtc". There is no mention of this user in the installation guides found here: http://www.opennms.org/wiki/Tutorial_Installation, only mention that you should change the default admin password of "admin" for security purposes.

tags | exploit, web, root
advisories | CVE-2015-0975
SHA-256 | c6099e9d6a750b34bccb567d9f4440decbde3632bf1f69a1261d5cc97295170f
Check Point Security Gateway Arbitrary File Read
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. Password hashes read from disk may be cracked, potentially resulting in administrator-level access to the target device. This vulnerability is tracked as CVE-2024-24919.

tags | exploit, arbitrary, local, root
SHA-256 | 169aeb5edb0fd49f3f4c9c7b61035ba1bf84b48fbb9e4daff74aeca573f80047
EMC CTA 10.0 Unauthenticated XXE Arbitrary File Read
Posted Aug 31, 2024
Authored by Brandon Perry | Site metasploit.com

EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user.

tags | exploit, arbitrary, root
advisories | CVE-2014-0644
SHA-256 | c2dd082e06aac52186e44ae70fb12b7ad1fbfb73fa6e41171df28951ddedcfc6
QNAP NAS/NVR Administrator Hash Disclosure
Posted Aug 31, 2024
Authored by bashis, wvu, Donald Knuth | Site metasploit.com

This Metasploit module exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the BOFs. Since the server forks, blind remote exploitation is possible, provided the heap does not have ASLR.

tags | exploit, remote, web, overflow, root
SHA-256 | 95c0e11fc546ab62299c2204c0f7af71c9e0fb6c816a661a92afe279a76f00e3
SaltStack Salt Master Server Root Key Disclosure
Posted Aug 31, 2024
Authored by wvu, F-Secure | Site metasploit.com

This Metasploit module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.

tags | exploit, root, vulnerability
systems | cisco, linux, ubuntu
advisories | CVE-2020-11651, CVE-2020-11652
SHA-256 | 9922c0377155419e922dea1399b39d3294fb61f540d20cfa4ae9f6df4566e2ce
QNAP QTS and Photo Station Local File Inclusion
Posted Aug 31, 2024
Authored by Henry Huang, Redouane Niboucha | Site metasploit.com

This Metasploit module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This Metasploit module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9.

tags | exploit, web, local, root, file inclusion
advisories | CVE-2019-7192, CVE-2019-7194, CVE-2019-7195
SHA-256 | 70107b0adbe195b76131c10cdea4a24c8ea076a3a1b93c6596908a86f7bcd91a
CrushFTP Unauthenticated Arbitrary File Read
Posted Aug 31, 2024
Authored by remmons-r7 | Site metasploit.com

This Metasploit module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).

tags | exploit, remote, web, arbitrary, root, code execution
systems | windows
advisories | CVE-2024-4040
SHA-256 | 060ed45f18a940bd2cb20db82dafffe7261720b5012750515c313f3b78cd0cde
Microsoft IIS FTP Server LIST Stack Exhaustion
Posted Aug 31, 2024
Authored by Kingcope, Myo Soe | Site metasploit.com

This Metasploit module triggers a Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid FTP account: either a read-only or write-access account 2) the "FTP Publishing" must be configured as "manual" mode in startup type 3) there must be at least one directory under the FTP root directory. If your provided FTP account has write-access privilege and there is no single directory, a new directory with a random name will be created prior to sending the exploit payload.

tags | exploit, denial of service, root
advisories | CVE-2009-2521
SHA-256 | 67404248bb76198423211333f1d01b1d47d12b762daf1e199c5e9619ec7c4de7
Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow
Posted Aug 31, 2024
Authored by juan vazquez, Julian Vilas | Site metasploit.com

This Metasploit module abuses a buffer overflow vulnerability to trigger a Denial of Service of the BKCLogSvr component in the Yokogawa CENTUM CS 3000 product. The vulnerability exists in the handling of malformed log packets, with an unexpectedly long level field. The root cause of the vulnerability is a combination of usage of uninitialized memory from the stack and a dangerous string copy. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50.

tags | exploit, denial of service, overflow, root
advisories | CVE-2014-0781
SHA-256 | 03774b1a237c005afb987ff03edf18054b3722e9c35aa6df34161c641470f53c
DiCal-RED 4009 Missing Authentication
Posted Aug 23, 2024
Authored by Sebastian Hamann | Site syss.de

DiCal-RED version 4009 provides a Telnet service on TCP port 23. This service grants access to an interactive shell as the system's root user and does not require authentication.

tags | exploit, shell, root, tcp
advisories | CVE-2024-36445
SHA-256 | a6385e494be7b4b70dba302642602595baa5c71833106dcef5c061db726846b5
Ewon Cosy+ / Talk2M Remote Access Solution Improper Authentication
Posted Aug 19, 2024
Authored by Moritz Abrell | Site syss.de

During account assignment in the Talk2M platform, a Cosy+ device generates and sends a certificate signing request (CSR) to the back end. This CSR is then signed by the manufacturer and used for OpenVPN authentication by the device afterward. Since the common name (CN) of the certificate is specified by the device and used in order to assign the OpenVPN session to the corresponding Talk2M account, an attacker with root access to a Cosy+ device is able to manipulate the CSR and get correctly signed certificates for foreign devices.

tags | exploit, root
advisories | CVE-2024-33897
SHA-256 | 25253b1bbb687aad196d1a68e6e0528bb19297042bab3325165b8dc98905aec7
Ewon Cosy+ Excessive Access
Posted Aug 19, 2024
Authored by Moritz Abrell | Site syss.de

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The Ewon Cosy+ executes all tasks and services in the context of the user "root" and therefore with the highest system privileges. By compromising a single service, attackers automatically gain full system access.

tags | advisory, remote, root
advisories | CVE-2024-33894
SHA-256 | 1525ebcf929417e37f3bdac2dcdb956f29566f6bd680a2813d148269861150f9
Microsoft PlayReady Design Issue
Posted Aug 13, 2024
Authored by Adam Gowdiak | Site security-explorations.com

There is an architectural and design issue in Microsoft's PlayReady which can be successfully exploited to gain access to the license server by arbitrary clients. The problem has its origin in a flat certificate namespace / reliance on a single root key in PlayReady along with no authentication at the license server end by default (deemed as no bug by Microsoft).

tags | advisory, arbitrary, root
SHA-256 | ed22257eef3a2135b2af77d7c2f00a9ce66b0b7c3b3aefd2205eb5140d64e5c9
Debian Security Advisory 5739-1
Posted Aug 7, 2024
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5739-1 - A user able to escalate to the netdev group can load arbitrary shared object files in the context of the wpa_supplicant process running as root.

tags | advisory, arbitrary, root
systems | linux, debian
advisories | CVE-2024-5290
SHA-256 | 6e53b687a225ae7fa2fb59167de86aff9d4f52086ffaeb9f1997bea219751ff8
Ubuntu Security Notice USN-6945-1
Posted Aug 7, 2024
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6945-1 - Rory McNamara discovered that wpa_supplicant could be made to load arbitrary shared objects by unprivileged users that have access to the control interface. An attacker could use this to escalate privileges to root.

tags | advisory, arbitrary, root
systems | linux, ubuntu
advisories | CVE-2024-5290
SHA-256 | a1469ccd1a0809d92167536b7c7b7a1f6ef54c467f544361227d99a25641d41b
OpenMediaVault rpc.php Authenticated Cron Remote Code Execution
Posted Jul 31, 2024
Authored by Brandon Perry, h00die-gr3y | Site metasploit.com

OpenMediaVault allows an authenticated user to create cron jobs as root on the system. An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system. All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.

tags | exploit, arbitrary, root, php
advisories | CVE-2013-3632
SHA-256 | 977b68b131bff0d949e6b913d2598f3af7e54c6447c2599729d421f769bac029
Luvion Grand Elite 3 Connect Default Root Credentials
Posted Jul 30, 2024
Authored by Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman

An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Authentication to the device is based on a username and password. The root credentials are the same across all devices of this model.

tags | advisory, root
advisories | CVE-2020-11925
SHA-256 | 91634b6551f1c4552fd199be2e464137398cb4b429f2c78d26995a771a12cc5e
Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 Backdoor Accounts
Posted Jul 30, 2024
Authored by Willem Westerhof, Jasper Nota, Martijn Baalman

An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available (which is not advertised or functionally used, but is nevertheless available). Two backdoor accounts (root and default) exist that can be used on this interface. The usernames and passwords of the backdoor accounts are the same on all devices. Attackers can use these backdoor accounts to obtain access and execute code as root within the device.

tags | advisory, root
advisories | CVE-2019-20467
SHA-256 | 657ac530d2693dc4d1d5836de1dbd822079a8d222c079df2445c9b8a2d90f78d
Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 Weak Hashing / Disclosure
Posted Jul 30, 2024
Authored by Willem Westerhof, Jasper Nota, Martijn Baalman

An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A local attacker with the "default" account is capable of reading the /etc/passwd file, which contains a weakly hashed root password. By taking this hash and cracking it, the attacker can obtain root rights on the device.

tags | advisory, local, root, info disclosure
advisories | CVE-2019-20466
SHA-256 | 0565814322a8c520d48233f4208f575674bdcaee0dd5d4f8a76504f93a015dd4
Siime Eye 14.1.00000001.3.330.0.0.3.14 Command Injection
Posted Jul 30, 2024
Authored by Edwin Gozeling, Willem Westerhof, Jasper Nota

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the record settings menu in the webserver running on the device. By injecting Bash commands here, the device executes arbitrary code with root privileges (all of the device's services are running as root).

tags | advisory, arbitrary, root, bash
advisories | CVE-2020-11920
SHA-256 | 3633c78e948dbf68072a87d5a7c73a161e6a76ea536627422969fcefa860c12f
Siime Eye 14.1.00000001.3.330.0.0.3.14 Incorrect Access Control
Posted Jul 30, 2024
Authored by Edwin Gozeling, Willem Westerhof, Jasper Nota | Site pentestpartners.com

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. By sending a specific request to the webserver, it is possible to enable the telnet interface on the device. The telnet interface can then be used to obtain access to the device with root privileges and a default password. This default telnet password is the same across all Siime Eye devices. In order for the attack to be exploited, an attacker must be physically close in order to connect to the device's Wi-Fi access point.

tags | advisory, root
advisories | CVE-2020-11915
SHA-256 | 08e3afef0573d78ea250b0dc91eeb7d27035e90e117728f39fe1c8ad35ae60f3
Siime Eye 14.1.00000001.3.330.0.0.3.14 Weak Hashing
Posted Jul 30, 2024
Authored by Edwin Gozeling, Willem Westerhof, Jasper Nota

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased.

tags | advisory, root
advisories | CVE-2020-11916
SHA-256 | 4402161040c1e257f4fb22e2ce24e8e5c24e4316ce14cf14d3fa43ec14ca967d
© 2024 Packet Storm. All rights reserved.
