parent
bd7ea1f90d
commit
a40429158f
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
This module can be used to determine differences
|
||||
in the cache entries between two DNS servers. This is
|
||||
primarily useful for detecting cache poisoning attacks,
|
||||
but can also be used to detect geo-location loadbalancing.
|
||||
but can also be used to detect geo-location load balancing.
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION',
|
||||
'Description' => %q{
|
||||
This module will escalate a Oracle DB user to DBA by exploiting an sql injection
|
||||
This module will escalate an Oracle DB user to DBA by exploiting a sql injection
|
||||
bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function.
|
||||
This vulnerability affects to Oracle Database Server 9i up to 9.2.0.5 and
|
||||
10g up to 10.1.0.4.
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION',
|
||||
'Description' => %q{
|
||||
This module will escalate a Oracle DB user to DBA by exploiting an
|
||||
This module will escalate an Oracle DB user to DBA by exploiting a
|
||||
sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package.
|
||||
|
||||
Note: This module has been tested against 9i, 10gR1 and 10gR2.
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML',
|
||||
'Description' => %q{
|
||||
This module will escalate a Oracle DB user to DBA by exploiting an sql injection
|
||||
This module will escalate an Oracle DB user to DBA by exploiting a sql injection
|
||||
bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML',
|
||||
'Description' => %q{
|
||||
This module will escalate a Oracle DB user to DBA by exploiting an sql injection
|
||||
This module will escalate an Oracle DB user to DBA by exploiting a sql injection
|
||||
bug in the SYS.DBMS_METADATA.GET_XML package/function.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger',
|
||||
'Description' => %q{
|
||||
This module will escalate a Oracle DB user to MDSYS by exploiting an sql injection bug in
|
||||
This module will escalate an Oracle DB user to MDSYS by exploiting a sql injection bug in
|
||||
the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege
|
||||
given to MDSYS user by creating evil trigger in system scheme (2-stage attack).
|
||||
},
|
||||
|
|
|
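Review bot: The corrected sentence on the new side is followed by context that is still hard to read: `After that exploit escalate user to DBA ... by creating evil trigger in system scheme` has no subject for the verb, and `scheme` is presumably meant to be `schema`. Since the commit already touches this description, the two context lines could become `the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that, the exploit escalates the user to DBA using the "CREATE ANY TRIGGER" privilege` and `given to the MDSYS user by creating an evil trigger in the SYSTEM schema (2-stage attack).` — confirm that SYSTEM is the schema the module actually targets. The description's closing `},` is inside the hunk but the enclosing update_info call begins outside it.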
@ -10,8 +10,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method',
|
||||
'Description' => %q{
|
||||
This module will escalate a Oracle DB user to DBA by exploiting
|
||||
an sql injection bug in the SYS.LT.FINDRICSET package via Evil
|
||||
This module will escalate an Oracle DB user to DBA by exploiting
|
||||
a sql injection bug in the SYS.LT.FINDRICSET package via Evil
|
||||
Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on
|
||||
thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical
|
||||
Patch update October 2007.
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE',
|
||||
'Description' => %q{
|
||||
This module exploits an sql injection flaw in the MERGEWORKSPACE
|
||||
This module exploits a sql injection flaw in the MERGEWORKSPACE
|
||||
procedure of the PL/SQL package SYS.LT. Any user with execute
|
||||
privilege on the vulnerable package can exploit this vulnerability.
|
||||
},
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE',
|
||||
'Description' => %q{
|
||||
This module exploits an sql injection flaw in the REMOVEWORKSPACE
|
||||
This module exploits a sql injection flaw in the REMOVEWORKSPACE
|
||||
procedure of the PL/SQL package SYS.LT. Any user with execute
|
||||
privilege on the vulnerable package can exploit this vulnerability.
|
||||
},
|
||||
|
|
|
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE',
|
||||
'Description' => %q{
|
||||
This module exploits an sql injection flaw in the ROLLBACKWORKSPACE
|
||||
This module exploits a sql injection flaw in the ROLLBACKWORKSPACE
|
||||
procedure of the PL/SQL package SYS.LT. Any user with execute
|
||||
privilege on the vulnerable package can exploit this vulnerability.
|
||||
},
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
|
||||
(CDM), before version 10, doesn't implement access control properly, which allows remote
|
||||
attackers to modify user information. This module exploits the vulnerability to make
|
||||
unauthorized speeddial entity manipulations.
|
||||
unauthorized speed dial entity manipulations.
|
||||
},
|
||||
'Author' => 'fozavci',
|
||||
'References' =>
|
||||
|
|
|
@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
super(
|
||||
'Name' => 'SIP Deregister Extension',
|
||||
'Description' => %q{
|
||||
This module will will attempt to deregister a SIP user from the provider. It
|
||||
This module will attempt to deregister a SIP user from the provider. It
|
||||
has been tested successfully when the sip provider/server doesn't use REGISTER
|
||||
authentication.
|
||||
},
|
||||
|
|
|
@ -21,9 +21,9 @@ class MetasploitModule < Msf::Encoder
|
|||
'Name' => 'printf(1) via PHP magic_quotes Utility Command Encoder',
|
||||
'Description' => %q{
|
||||
This encoder uses the printf(1) utility to avoid restricted
|
||||
characters. Some shell variable substituion may also be used
|
||||
characters. Some shell variable substitution may also be used
|
||||
if needed symbols are blacklisted. Some characters are intentionally
|
||||
left unescaped since it is assummed that PHP with magic_quotes_gpc
|
||||
left unescaped since it is assumed that PHP with magic_quotes_gpc
|
||||
enabled will escape them during request handling.
|
||||
},
|
||||
'Author' => 'jduck',
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "Android Stagefright MP4 tx3g Integer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a integer overflow vulnerability in the Stagefright
|
||||
This module exploits an integer overflow vulnerability in the Stagefright
|
||||
Library (libstagefright.so). The vulnerability occurs when parsing specially
|
||||
crafted MP4 files. While a wide variety of remote attack vectors exist, this
|
||||
particular exploit is designed to work within an HTML5 compliant browser.
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",
|
||||
'Description' => %q{
|
||||
This module exploits a bug in futex_requeue in the Linux kernel, using
|
||||
similiar techniques employed by the towelroot exploit. Any Android device
|
||||
similar techniques employed by the towelroot exploit. Any Android device
|
||||
with a kernel built before June 2014 is likely to be vulnerable.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This exploit connects to a system's modem over dialup and exploits
|
||||
a buffer overlflow vulnerability in it's System V derived /bin/login.
|
||||
a buffer overflow vulnerability in it's System V derived /bin/login.
|
||||
The vulnerability is triggered by providing a large number of arguments.
|
||||
},
|
||||
'References' =>
|
||||
|
|
|
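Review bot: The new line keeps `it's` where the possessive `its` is meant (`in it's System V derived /bin/login`), so the hunk fixes `overlflow` but leaves a grammar error on the same line. Suggested replacement: `a buffer overflow vulnerability in its System V derived /bin/login.`. The surrounding update_info call starts outside the hunk.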
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in Adobe Flash Player for Linux,
|
||||
version 10.0.12.36 and 9.0.151.0 and prior.
|
||||
version 10.0.12.36 and 9.0.151.0 and prior.
|
||||
An input validation vulnerability allows command execution when the browser
|
||||
loads a SWF file which contains shell metacharacters in the arguments to
|
||||
the ActionScript launch method.
|
||||
|
|
|
@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Although SSP significantly reduces the probability of a single attempt
|
||||
succeeding, it will not prevent exploitation. Since the daemon forks in a
|
||||
default configuration, the cookie value will remain the same despite
|
||||
some attemtps failing. By making repeated requests, an attacker can eventually
|
||||
some attempts failing. By making repeated requests, an attacker can eventually
|
||||
guess the cookie value and exploit the vulnerability.
|
||||
|
||||
The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
|
||||
handles external environment variables. This module targets the 'ping.sh' CGI
|
||||
script, acessible through the Boa web server on Advantech switches. This module
|
||||
script, accessible through the Boa web server on Advantech switches. This module
|
||||
was tested against firmware version 1322_D1.98.
|
||||
},
|
||||
'Author' => 'hdm',
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise
|
||||
Communication Server 7.1 and earlier. The Unified Maintenance Tool
|
||||
contains a 'masterCGI' binary which allows an unauthenticated attacker
|
||||
to execute arbitrary commands by specifing shell metacharaters as the
|
||||
to execute arbitrary commands by specifying shell metacharaters as the
|
||||
'user' within the 'ping' action to obtain 'httpd' user access. This
|
||||
module only supports command line payloads, as the httpd process kills
|
||||
the reverse/bind shell spawn after the HTTP 200 OK response.
|
||||
|
|
|
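Review bot: The corrected line still contains a misspelling: `metacharaters` should be `metacharacters`, so the `specifying` fix leaves a second typo on the same line. Suggested replacement: `to execute arbitrary commands by specifying shell metacharacters as the`. The description string begins and ends outside the hunk.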
@ -13,13 +13,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "AlienVault OSSIM/USM Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together.
|
||||
This module exploits object injection, authentication bypass and ip spoofing vulnerabilities all together.
|
||||
Unauthenticated users can execute arbitrary commands under the context of the root user.
|
||||
|
||||
By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
|
||||
which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
|
||||
action and policy that enables to execute operating system commands by using captured session token. As a final step,
|
||||
SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes
|
||||
SSH login attempt with an invalid credentials can trigger a created rogue policy which triggers an action that executes
|
||||
operating system command with root user privileges.
|
||||
|
||||
This module was tested against following product and versions:
|
||||
|
|
|
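Review bot: The rewritten line reads `SSH login attempt with an invalid credentials`, which is still ungrammatical because `credentials` is plural; changing `a` to `an` does not repair it. Suggested replacement: `SSH login attempt with invalid credentials can trigger a created rogue policy which triggers an action that executes`. The untouched context line `By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability` is also hard to parse and could be reworded in a follow-up. The description continues outside the hunk.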
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is
|
||||
used by the application without input validation and parameter binding, which leads to SQL injection
|
||||
vulnerability. Successfully exploitating this vulnerability gives a the valid session.
|
||||
vulnerability. Successfully exploiting this vulnerability gives a valid session.
|
||||
|
||||
CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not
|
||||
possible to access this endpoint without having a valid session. One user parameter is used by the
|
||||
|
|
|
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
in the '/etc/cron.d/' path of the host server.
|
||||
|
||||
*Notes: The docker image must be a valid docker image from
|
||||
hub.docker.com. Further more the docker container will only
|
||||
hub.docker.com. Furthermore the docker container will only
|
||||
deploy if there are resources available in the DC/OS cluster.
|
||||
},
|
||||
'Author' => 'Erik Daguerre',
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'D-Link authentication.cgi Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits an remote buffer overflow vulnerability on several D-Link routers.
|
||||
This module exploits a remote buffer overflow vulnerability on several D-Link routers.
|
||||
The vulnerability exists in the handling of HTTP queries to the authentication.cgi with
|
||||
long password values. The vulnerability can be exploitable without authentication. This
|
||||
module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'D-Link info.cgi POST Request Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits an anonymous remote code execution vulnerability on different D-Link
|
||||
devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component,
|
||||
devices. The vulnerability is a stack based buffer overflow in the my_cgi.cgi component,
|
||||
when handling specially crafted POST HTTP requests addresses to the /common/info.cgi
|
||||
handler. This module has been successfully tested on D-Link DSP-W215 in an emulated
|
||||
environment.
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'D-Link HNAP Request Remote Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits an anonymous remote code execution vulnerability on different
|
||||
D-Link devices. The vulnerability is due to an stack based buffer overflow while
|
||||
D-Link devices. The vulnerability is due to a stack based buffer overflow while
|
||||
handling malicious HTTP POST requests addressed to the HNAP handler. This module
|
||||
has been successfully tested on D-Link DIR-505 in an emulated environment.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Gitlist Unauthenticated Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an unauthenticated remote command execution vulnerability
|
||||
in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
|
||||
in version 0.4.0 of Gitlist. The problem exists in the handling of a specially
|
||||
crafted file name when trying to blame it.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.
|
||||
According to iDefense who discovered this vulnerability, all WRT54G versions prior to
|
||||
4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.
|
||||
4.20.7 and all WRT54GS version prior to 1.05.2 may be affected.
|
||||
},
|
||||
'Author' => [ 'Raphael Rigo <devel-metasploit[at]syscall.eu>', 'Julien Tinnes <julien[at]cr0.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
their web interface where default credentials are admin/admin or admin/password.
|
||||
Since it is a blind OS command injection vulnerability, there is no output for the
|
||||
executed command when using the cmd generic payload. This module has been tested on
|
||||
a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a
|
||||
a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a
|
||||
controlled system could be used for testing purposes. The exploit uses the tftp
|
||||
client from the device to stage to native payloads from the command injection.
|
||||
},
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Logsign Remote Command Injection',
|
||||
'Description' => %q{
|
||||
This module exploits an command injection vulnerability in Logsign.
|
||||
This module exploits a command injection vulnerability in Logsign.
|
||||
By exploiting this vulnerability, unauthenticated users can execute
|
||||
arbitrary code under the root user.
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => '
|
||||
This module exploits a remote file include vulnerability in Railo,
|
||||
tested against version 4.2.1. First, a call using a vulnerable
|
||||
<cffile> line in thumbnail.cfm allows an atacker to download an
|
||||
<cffile> line in thumbnail.cfm allows an attacker to download an
|
||||
arbitrary PNG file. By appending a .cfm, and taking advantage of
|
||||
a directory traversal, an attacker can append cold fusion markup
|
||||
to the PNG file, and have it interpreted by the server. This is
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module takes advantage of two vulnerabilities in order to gain remote code execution as root
|
||||
as an otherwise non-privileged authorized user. By taking advantage of a mass assignment
|
||||
vulnerability that allows an unprivileged authenticated user to change the admininistrator's
|
||||
vulnerability that allows an unprivileged authenticated user to change the administrator's
|
||||
password hash, the module updates the password to login as the admin to reach the second vulnerability.
|
||||
No server-side sanitization is done on values passed when configuring a static network interface.
|
||||
This allows an administrator user to run arbitrary commands in the context of the web application,
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
terminal command under the context of the web server user which is root.
|
||||
|
||||
backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing
|
||||
operating system command. One of the user input is being passed to the service without proper validation. That cause an command
|
||||
operating system command. One of the user input is being passed to the service without proper validation. That cause a command
|
||||
injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal
|
||||
command. Thus, you need to configure your own SSH service and set the required parameter during module usage.
|
||||
|
||||
|
|
|
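Review bot: The changed line still carries `One of the user input is being passed` and `That cause a command`, so the `an` → `a` fix addresses only one of the errors in this paragraph. Suggested replacement: `operating system command. One of the user inputs is being passed to the service without proper validation. That causes a command`. The next context line would also read better as `injection vulnerability. But given parameters, such as SSH ip address, port and credentials are validated before executing terminal`. The description begins outside the hunk.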
@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
saveCert.imss endpoint takes several user inputs and performs blacklisting.
|
||||
After that it use them as argument of predefined operating system command
|
||||
without proper sanitation. However,due to improper blacklisting rule it's possible to inject
|
||||
without proper sanitation. However, due to improper blacklisting rule it's possible to inject
|
||||
arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
|
||||
|
||||
This module was tested against IMSVA 9.1-1600.
|
||||
|
|
|
@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection',
|
||||
'Description' => %q{
|
||||
TrueOnline is a major ISP in Thailand, and it distributes a customised version of
|
||||
the Billion 5200W-T router. This customised version has at least two command injection
|
||||
TrueOnline is a major ISP in Thailand, and it distributes a customized version of
|
||||
the Billion 5200W-T router. This customized version has at least two command injection
|
||||
vulnerabilities, one authenticated and one unauthenticated, on different firmware versions.
|
||||
This module will attempt to exploit the unauthenticated injection first, and if that fails,
|
||||
it will attempt to exploit the authenticated injection.
|
||||
|
|
|
@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection',
|
||||
'Description' => %q{
|
||||
TrueOnline is a major ISP in Thailand, and it distributes a customised version of
|
||||
the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command
|
||||
TrueOnline is a major ISP in Thailand, and it distributes a customized version of
|
||||
the ZyXEL P660HN-T v1 router. This customized version has an unauthenticated command
|
||||
injection vulnerability in the remote log forwarding page.
|
||||
This module was tested in an emulated environment, as the author doesn't have access to the
|
||||
Thai router any more. Any feedback should be sent directly to the module's author, as well as
|
||||
|
|
|
@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection',
|
||||
'Description' => %q{
|
||||
TrueOnline is a major ISP in Thailand, and it distributes a customised version of
|
||||
the ZyXEL P660HN-T v2 router. This customised version has an authenticated command injection
|
||||
TrueOnline is a major ISP in Thailand, and it distributes a customized version of
|
||||
the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection
|
||||
vulnerability in the remote log forwarding page. This can be exploited using the "supervisor"
|
||||
account that comes with a default password on the device.
|
||||
This module was tested in an emulated environment, as the author doesn't have access to the
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
|
||||
'Description' => %q{
|
||||
This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or
|
||||
This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or
|
||||
less. If not removed, the settings.php script meant for installation can be
|
||||
update by an attacker, and then inject code in it. This allows arbitrary code
|
||||
execution as www-data.
|
||||
|
|
|
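Review bot: The hunk fixes `modules` → `module`, but the context two lines below still says `can be update by an attacker` where `updated` is meant. Since the commit is already editing this description, `update by an attacker, and then inject code in it. This allows arbitrary code` could become `updated by an attacker, who can then inject code into it. This allows arbitrary code` in the same pass. The enclosing update_info call starts outside the hunk.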
@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
when it is entered for unlocking the screen or for doing administrative actions using
|
||||
PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password.
|
||||
It exploits the design weakness that there is no trusted channel for transferring the
|
||||
password from the keyboard to the actual password verificatition against the shadow file
|
||||
password from the keyboard to the actual password verification against the shadow file
|
||||
(which is running as root since /etc/shadow is only readable to the root user). Both
|
||||
screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under
|
||||
the current user account to query for the password and then pass it to a setuid-root binary
|
||||
|
|
|
@ -14,13 +14,13 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
super(update_info(info,
|
||||
'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',
|
||||
'Description' => %q{
|
||||
This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently
|
||||
This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently
|
||||
only works against Ubuntu 16.04 (not 16.04.1) with kernel
|
||||
4.4.0-21-generic.
|
||||
Several conditions have to be met for successful exploitation:
|
||||
Ubuntu:
|
||||
1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)
|
||||
2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
|
||||
2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
|
||||
Kernel 4.4.0-31-generic and newer are not vulnerable.
|
||||
|
||||
We write the ascii files and compile on target instead of locally since metasm bombs for not
|
||||
|
|
|
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Description' => %q{
|
||||
The Linux kernel failed to properly initialize some entries the
|
||||
proto_ops struct for several protocols, leading to NULL being
|
||||
derefenced and used as a function pointer. By using mmap(2) to map
|
||||
dereferenced and used as a function pointer. By using mmap(2) to map
|
||||
page 0, an attacker can execute arbitrary code in the context of the
|
||||
kernel.
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'OpenNMS Java Object Unserialization Remote Code Execution',
|
||||
'Description' => %q(
|
||||
This module exploits a vulnerability in the OpenNMS Java object which allows
|
||||
an unauthenticated attacker to run arbitary code against the system.
|
||||
an unauthenticated attacker to run arbitrary code against the system.
|
||||
),
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
On some default Linux installations of PostgreSQL, the
|
||||
postgres service account may write to the /tmp directory, and
|
||||
may source UDF Shared Libraries's from there as well, allowing
|
||||
may source UDF Shared Libraries' from there as well, allowing
|
||||
execution of arbitrary code.
|
||||
|
||||
This module compiles a Linux shared object file, uploads it to
|
||||
|
|
|
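Review bot: The new line `may source UDF Shared Libraries' from there as well` replaces one stray apostrophe with another; the plural needs no apostrophe at all. Suggested replacement: `may source UDF Shared Libraries from there as well, allowing`. The description string begins outside the hunk.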
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module triggers a heap overflow in the LSA RPC service
|
||||
of the Samba daemon. This module uses the TALLOC chunk overwrite
|
||||
method (credit Ramon and Adriano), which only works with Samba
|
||||
versions 3.0.21-3.0.24. Additonally, this module will not work
|
||||
versions 3.0.21-3.0.24. Additionally, this module will not work
|
||||
when the Samba "log level" parameter is higher than "2".
|
||||
},
|
||||
'Author' =>
|
||||
|
|
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Exim and Dovecot Insecure Configuration Command Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a command injection vulnerability against Dovecot with
|
||||
Exim using the "use_shell" option. It uses the sender's address to inject arbitary
|
||||
Exim using the "use_shell" option. It uses the sender's address to inject arbitrary
|
||||
commands, since this is one of the user-controlled variables. It has been
|
||||
successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common
|
||||
packages.
|
||||
|
|
|
@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203,
|
||||
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
|
||||
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
|
||||
Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203,
|
||||
Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203,
|
||||
Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
|
||||
Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
|
||||
windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,
|
||||
|
|
|
@ -28,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
the chrome-based defineProperty method is made available.
|
||||
|
||||
With the defineProperty method, functions belonging to window and document can be
|
||||
overriden with a function that gets called from chrome-privileged context. From here,
|
||||
overridden with a function that gets called from chrome-privileged context. From here,
|
||||
another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
|
||||
into the context's private scope. Since the window does not have a chrome:// URL,
|
||||
the insecure parts of Components.classes are not available, so instead the AddonManager
|
||||
|
|
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Java Applet Field Bytecode Verifier Cache Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in HotSpot bytecode verifier where an invalid
|
||||
optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficent
|
||||
optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient
|
||||
type checks. This allows a way to escape the JRE sandbox, and load additional classes
|
||||
in order to perform malicious operations.
|
||||
},
|
||||
|
|
|
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'JSON Swagger CodeGen Parameter Injector',
|
||||
'Description' => %q{
|
||||
This module generates a Open API Specification 2.0 (Swagger) compliant
|
||||
This module generates an Open API Specification 2.0 (Swagger) compliant
|
||||
json document that includes payload insertion points in parameters.
|
||||
|
||||
In order for the payload to be executed, an attacker must convince
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
|
||||
The vulnerability exists in the agentUpload servlet which accepts unauthenticated
|
||||
file uploads and handles zip file contents in a insecure way. By combining both
|
||||
file uploads and handles zip file contents in an insecure way. By combining both
|
||||
weaknesses a remote attacker can achieve remote code execution. This module has been
|
||||
tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
|
||||
between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
|
||||
|
|
|
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "Sun/Oracle GlassFish Server Authenticated Code Execution",
|
||||
'Description' => %q{
|
||||
This module logs in to an GlassFish Server (Open Source or Commercial) using various
|
||||
This module logs in to a GlassFish Server (Open Source or Commercial) using various
|
||||
methods (such as authentication bypass, default credentials, or user-supplied login),
|
||||
and deploys a malicious war file in order to get remote code execution. It has been
|
||||
tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
ISPConfig allows an authenticated administrator to export language settings into a PHP script
|
||||
which is intended to be reuploaded later to restore language settings. This feature
|
||||
can be abused to run aribtrary PHP code remotely on the ISPConfig server.
|
||||
can be abused to run aribitrary PHP code remotely on the ISPConfig server.
|
||||
|
||||
This module was tested against version 3.0.5.2.
|
||||
},
|
||||
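Review bot: The replacement line still misspells the word — "aribtrary" became "aribitrary" rather than "arbitrary", so the typo this hunk sets out to fix survives in the new text. The line should read `can be abused to run arbitrary PHP code remotely on the ISPConfig server.`. The enclosing `%q{ … }` description starts outside the hunk.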
|
|
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'JBoss Seam 2 File Upload and Execute',
|
||||
'Description' => %q{
|
||||
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly
|
||||
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly
|
||||
sanitize inputs to some JBoss Expression Language expressions. As a
|
||||
result, attackers can gain remote code execution through the
|
||||
application server. This module leverages RCE to upload and execute
|
||||
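Review bot: The new line keeps a subject–verb mismatch: the subject is the plural "Versions", so "fails" should be "fail". Since the hunk is already touching this line, the wording change is cheap: `Versions of the JBoss Seam 2 framework < 2.2.1CR2 fail to properly`. The description block continues past the end of the hunk.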
|
|
|
@ -17,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => "Atlassian HipChat for Jira Plugin Velocity Template Injection",
|
||||
'Description' => %q{
|
||||
Atlassian Hipchat is a web service for internal instant messaging. A plugin is available
|
||||
for Jira that allows team collibration at real time. A message can be used to inject Java
|
||||
code into a Velocity template, and gain code exeuction as Jira. Authentication is required
|
||||
for Jira that allows team collaboration at real time. A message can be used to inject Java
|
||||
code into a Velocity template, and gain code execution as Jira. Authentication is required
|
||||
to exploit this vulnerability, and you must make sure the account you're using isn't
|
||||
protected by captcha. By default, Java payload will be used because it is cross-platform,
|
||||
but you can also specify which native payload you want (Linux or Windows).
|
||||
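Review bot: The corrected line still reads "collaboration at real time", which is not idiomatic; the usual phrasing is "in real time". Suggest `for Jira that allows team collaboration in real time. A message can be used to inject Java` so the typo pass leaves the sentence fully clean. The rest of the description lies outside the hunk.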
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5.
|
||||
By storing user supplied headers in the databases session table it's possible to truncate the input
|
||||
by sending an UTF-8 character. The custom created payload is then executed once the session is read
|
||||
from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.
|
||||
from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.
|
||||
In later versions the deserialisation of invalid session data stops on the first error and the
|
||||
exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and
|
||||
5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.
|
||||
|
|
|
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All
|
||||
versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
|
||||
SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
|
||||
module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
|
||||
module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has
|
||||
been tested successfully in Windows and Linux on several versions.
|
||||
},
|
||||
'Author' =>
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'MediaWiki Thumb.php Remote Command Execution',
|
||||
'Description' => %q{
|
||||
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,
|
||||
when DjVu or PDF file upload support is enabled, allows remote unauthenticated
|
||||
when DjVu or PDF file upload support is enabled, allows remote unauthenticated
|
||||
users to execute arbitrary commands via shell metacharacters. If no target file
|
||||
is specified this module will attempt to log in with the provided credentials to
|
||||
upload a file (.DjVu) to use for exploitation.
|
||||
|
|
|
@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
1. This script may be invoked remotely without requiring authentication
|
||||
to any MT instance.
|
||||
2. Through a crafted POST request, it is possible to invoke particular
|
||||
database migration functions (i.e functions that bring the existing
|
||||
database migration functions (i.e. functions that bring the existing
|
||||
database up-to-date with an updated codebase) by name and with
|
||||
particular parameters.
|
||||
3. A particular migration function, core_drop_meta_for_table, allows
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
info,
|
||||
'Name' => 'Nibbleblog File Upload Vulnerability',
|
||||
'Description' => %q{
|
||||
Nibbleblog contains a flaw that allows a authenticated remote
|
||||
Nibbleblog contains a flaw that allows an authenticated remote
|
||||
attacker to execute arbitrary PHP code. This module was
|
||||
tested on version 4.0.3.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'OpenMediaVault Cron Remote Command Execution',
|
||||
'Description' => %q{
|
||||
OpenMediaVault allows an authenticated user to create cron jobs as aribtrary users on the system.
|
||||
OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.
|
||||
An attacker can abuse this to run arbitrary commands as any user available on the system (including root).
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
used to write a shell from a remote url to a known local path disclosed from the previous
|
||||
vulnerability.
|
||||
|
||||
The local path being accessable from an URL allows an attacker to perform the remote code
|
||||
The local path being accessible from an URL allows an attacker to perform the remote code
|
||||
execution using, for example, a .jsp shell.
|
||||
|
||||
This module was tested successfully on Windows and Oracle Forms and Reports 10.1.
|
||||
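Review bot: The rewritten line fixes "accessable" but leaves "an URL", which should be "a URL" since the acronym is pronounced with a consonant sound. Suggest `The local path being accessible from a URL allows an attacker to perform the remote code`. The enclosing description begins before the hunk.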
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in PhpTax, an income tax report
|
||||
generator. When generating a PDF, the icondrawpng() function in drawimage.php
|
||||
does not properly handle the pfilez parameter, which will be used in a exec()
|
||||
does not properly handle the pfilez parameter, which will be used in an exec()
|
||||
statement, and then results in arbitrary remote code execution under the context
|
||||
of the web server. Please note: authentication is not required to exploit this
|
||||
vulnerability.
|
||||
|
|
|
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
an arbitrary payload embedded in a JSP. The module has been tested successfully on
|
||||
SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual
|
||||
Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run
|
||||
successfully while testing, shell payload have been used.
|
||||
successfully while testing, shell payload has been used.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a remote code execution vunlerability in Apache Struts
|
||||
This module exploits a remote code execution vulnerability in Apache Struts
|
||||
version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed
|
||||
via http Content-Type header.
|
||||
|
||||
|
|