Twenty Year Anniversary
Showing 1 - 25 of 2,641 RSS Feed

Shell Files

Solaris RSH Stack Clash Privilege Escalation
Posted Oct 15, 2018
Authored by Brendan Coles, Qualys Security Advisory | Site

This Metasploit module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This Metasploit module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This Metasploit module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This Metasploit module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).

tags | exploit, shell, x86, root
systems | solaris
advisories | CVE-2017-1000364, CVE-2017-3629, CVE-2017-3630, CVE-2017-3631
MD5 | 91b277586c77a3c37e33c0ac990f0483
FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Hard-coded Credentials Shell Access
Posted Oct 15, 2018
Authored by LiquidWorm | Site

FLIR AX8 thermal sensor camera devices version 1.32.16 utilize hard-coded credentials within its Linux distribution image. These sets of credentials (SSH) are never exposed to the end-user and cannot be changed through any normal operation of the camera. Attacker could exploit this vulnerability by logging in using the default credentials for the web panel or gain shell access.

tags | exploit, web, shell
systems | linux
MD5 | 33ffa851ac663c1ab4b0b5c38033d8e6
HaPe PKH 1.1 Shell Upload
Posted Oct 12, 2018
Authored by Ihsan Sencan

HaPe PKH version 1.1 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | 62c933b97b6893257443812754c390f4
VLC Media Player 2.2.8 MKV Use-After-Free
Posted Oct 11, 2018
Authored by Eugene NG, Winston Ho | Site

This Metasploit module exploits a use-after-free vulnerability in VideoLAN VLC versions 2.2.8 and below. The vulnerability exists in the parsing of MKV files and affects both 32 bits and 64 bits. In order to exploit this, this module will generate two files: The first .mkv file contains the main vulnerability and heap spray, the second .mkv file is required in order to take the vulnerable code path and should be placed under the same directory as the .mkv file. This Metasploit module has been tested against VLC v2.2.8. Tested with payloads windows/exec, windows/x64/exec, windows/shell/reverse_tcp, windows/x64/shell/reverse_tcp. Meterpreter payloads if used can cause the application to crash instead.

tags | exploit, shell
systems | windows
advisories | CVE-2018-11529
MD5 | 8a992cc20fa2660fbd011bbae7fa991c
Windows Net-NTLMv2 Reflection DCOM/RPC
Posted Oct 5, 2018
Authored by Mumbai, breenmachine, FoxGloveSec | Site

This Metasploit module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.

tags | exploit, shell
advisories | CVE-2016-3225
MD5 | 1a7e8a734c23473ecf8326f09bd374aa
Debian Security Advisory 4291-1
Posted Sep 13, 2018
Authored by Debian | Site

Debian Linux Security Advisory 4291-1 - Two input sanitization failures have been found in the faxrunq and faxq binaries in mgetty, a smart modem getty replacement. An attacker could leverage them to insert commands via shell metacharacters in jobs id and have them executed with the privilege of the faxrunq/faxq user.

tags | advisory, shell
systems | linux, debian
advisories | CVE-2018-16741
MD5 | be0cb8e6db32850d296d214e389adee1
LW-N605R Remote Code Execution
Posted Sep 10, 2018
Authored by Nassim Asrir

LW-N605R devices allow remote code execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.

tags | exploit, remote, shell, code execution, asp
advisories | CVE-2018-16752
MD5 | 381dfb828206901640b7a36fed462414
OwlChat 2.0 Remote Shell Upload
Posted Sep 3, 2018
Authored by Hesam Bazvand

OwlChat version 2.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | 05cb90d1713d9b920debded62e0cf99a
HP Jetdirect Path Traversal Arbitrary Code Execution
Posted Aug 27, 2018
Authored by Jacob Baines | Site

This Metasploit module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. A large amount of printers are impacted.

tags | exploit, arbitrary, shell, code execution
advisories | CVE-2017-2741
MD5 | 330fb84840e2b0a7602e2d3e4c2701b5
Ghostscript Command Execution / File Disclosure / Memory Corruption
Posted Aug 23, 2018
Authored by Tavis Ormandy, Google Security Research

Ghostscript suffers from file disclosure, shell command execution, memory corruption, and type confusion bugs.

tags | exploit, shell
MD5 | 1bbaaab44336f199ff5bab7ea5351935
Linux/x86 Reverse TCP (::FFFF: Shell Shellcode
Posted Aug 3, 2018
Authored by Kartik Durg

86 bytes small Linux/x86 reverse TCP (::FFFF: shell (/bin/sh) + null-free + IPv6 shellcode.

tags | shell, x86, tcp, shellcode
systems | linux
MD5 | 841854d50e743d5f6ad22336b8cda687
Linux/ARM Reverse Shell TCP/4444 Shellcode
Posted Aug 1, 2018
Authored by Ken Kitahara

116 bytes small Linux/ARM reverse shell ::1:4444/TCP with IPv6 shellcode.

tags | shell, tcp, shellcode
systems | linux
MD5 | b926864087396be941ee4f0a2ef16f49
SonicWall Global Management System XMLRPC
Posted Jul 31, 2018
Authored by kernelsmith, Michael Flanders | Site

This Metasploit module exploits a vulnerability in SonicWall Global Management System Virtual Appliance versions 8.1 (Build 8110.1197) and below. This virtual appliance can be downloaded from and is used 'in a holistic way to manage your entire network security environment.' These vulnerable versions (8.1 Build 8110.1197 and below) do not prevent unauthenticated, external entities from making XML-RPC requests to port 21009 of the virtual app. After the XML-RPC call is made, a shell script is called like so: ' --tz="`command injection here`"' --usentp="blah"'.

tags | exploit, web, shell
MD5 | 70c44d4d505bc2fcf508abeea31a28a9
Super CMS Blog Pro PHP Script 1.0 SQL Injection / Shell Upload
Posted Jul 27, 2018
Authored by ShanoWeb

Super CMS Blog Pro PHP Script version 1.0 suffers from shell upload and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, php, vulnerability, sql injection
MD5 | 4d4af76da07a9471a1cd3679240ce824
Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Backdoor Jailbreak
Posted Jul 16, 2018
Authored by LiquidWorm | Site

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway systems have a web shell application that includes a service called Microhard Sh that is documented only as 'reserved for internal use'. This service can be enabled by an authenticated user within the Services menu in the web admin panel. This can also be enabled via CSRF attack. When the service is enabled, a user 'msshc' is created on the system with password 'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP jailed environment, that has limited commands for file transfer administration. One of the commands is a custom added 'ping' command that has a command injection vulnerability that allows the attacker to escape the restricted environment and enter into a root shell terminal that can execute commands as the root user. Many versions are affected.

tags | exploit, web, shell, root
MD5 | 3679d738983dec17aa3243aa408c3212
Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Arbitrary File Attacks
Posted Jul 16, 2018
Authored by LiquidWorm | Site

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway systems suffer from an issue where due to the hidden and undocumented File Editor (Filesystem Browser) shell script '' an attacker can leverage this issue to read, modify or delete arbitrary files on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET and POST parameters is not properly sanitized before being used to modify files. This can be exploited by an authenticated attacker to read or modify arbitrary files on the affected system. Many versions are affected.

tags | exploit, arbitrary, shell
MD5 | c7aa24d69a51dbc46e0636cc8eb7baae
Linux x86_64 IPv6 Reverse Shell With Password Shellcode
Posted Jul 16, 2018
Authored by Hashim Jawad

Linux/x86_64 reverse shell (IPv6) shellcode with password.

tags | shell, shellcode
systems | linux
MD5 | dbd483d4db3276e5d473382e1fdcfc3a
Apache CouchDB Arbitrary Command Execution
Posted Jul 12, 2018
Authored by Max Justicz, Joan Touzet | Site

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

tags | exploit, web, arbitrary, shell
advisories | CVE-2017-12635, CVE-2017-12636
MD5 | 646205692a311200bb3f3d798f50c670
IBM QRadar SIEM Unauthenticated Remote Code Execution
Posted Jul 11, 2018
Authored by Pedro Ribeiro | Site

IBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated sessions cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavors of QRadar. This Metasploit module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 patch 12 and 7.3.1 patch 3 are vulnerable. Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.

tags | exploit, remote, web, shell, root, vulnerability, code execution
advisories | CVE-2016-9722, CVE-2018-1418, CVE-2018-1612
MD5 | 221b05c8f4d9bb44521c8ebfe10f771d
Nagios XI Chained Remote Code Execution
Posted Jun 29, 2018
Authored by Benny Husted, Cale Smith, Jared Arave | Site

This Metasploit module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The API keys are then used to add an administrative user. 4. An authenticated session is established with the newly added user 5. Command Injection on /nagiosxi/backend/index.php allows us to execute the payload with nopasswd sudo, giving us a root shell. 6. Remove the added admin user and reset the database user.

tags | exploit, remote, shell, root, php, vulnerability
advisories | CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736
MD5 | f275b1da0c15a7e7e5fae8036578d5d8
LaraChurch 1.0 Shell Upload
Posted Jun 24, 2018
Authored by ShanoWeb

LaraChurch Complete Church Management System version 1.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | a7ae782a86b42876fe361349f6cdae3c
Red Hat Security Advisory 2018-1932-01
Posted Jun 20, 2018
Authored by Red Hat | Site

Red Hat Security Advisory 2018-1932-01 - The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell, but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions, a history mechanism, and more. Issues addressed include buffer overflow and code execution vulnerabilities.

tags | advisory, overflow, shell, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2014-10072, CVE-2017-18206, CVE-2018-1083, CVE-2018-1100
MD5 | 7df45b65507cdbd916c317251f366d7a
glibc 'realpath()' Privilege Escalation
Posted Jun 12, 2018
Authored by halfdog, Brendan Coles | Site

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This Metasploit module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This Metasploit module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1.

tags | exploit, shell, root
systems | linux, debian, ubuntu
advisories | CVE-2018-1000001
MD5 | fdde72feb2388aee3f2e93395c3c6363
Windows UAC Protection Bypass (Via Slui File Handler Hijack)
Posted May 31, 2018
Authored by bytecode-77, gushmazuko | Site

This Metasploit module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking. When we run slui.exe with changed Registry key (HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin instead of slui.exe. The module modifies the registry in order for this exploit to work. The modification is reverted once the exploitation attempt has finished. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting the payload in a different process.

tags | exploit, shell, registry
systems | windows
MD5 | cbaf903a1f48babbbfdd55bd95607ccf
NUUO NVRmini2 / NVRsolo Shell Upload
Posted May 27, 2018
Authored by Xiaotian Wang

NUUO NVRmini2 and NVRsolo suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | bdc03f1cb1c4e45f65f4b6a879ef92ce
Page 1 of 106

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    19 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By