exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 109 RSS Feed

Files from Pedro Ribeiro

Real Nameribeirux
Email addressprivate
First Active2012-08-17
Last Active2024-09-01
View User Profile
ManageEngine DeviceExpert User Credentials
Posted Sep 1, 2024
Authored by Brendan Coles, Pedro Ribeiro | Site metasploit.com

This Metasploit module extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior. This Metasploit module has been tested successfully on DeviceExpert version 5.9.7 build 5970.

tags | exploit
advisories | CVE-2014-5377
SHA-256 | 79fe4ba92356fc084ff5c7845a61a883366dba4b943255ae8ace8a852e28608c
NETGEAR ProSafe Network Management System 300 Authenticated File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

Netgears ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file in the system. This Metasploit module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.

tags | exploit, remote
systems | windows
advisories | CVE-2016-1524
SHA-256 | 7b6ab6ffa9844979171a203a6fb43f5906cc96114b0f4b811979aee8938f1df6
IBM Data Risk Manager Arbitrary File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system. The first is an unauthenticated bypass, followed by a path traversal. This Metasploit module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files. A downloaded file is zipped, and this module also unzips it before storing it in the database. By default this module downloads Tomcats application.properties files, which contains the database password, amongst other sensitive data. At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory. Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.

tags | exploit, arbitrary, root, vulnerability
advisories | CVE-2020-4427, CVE-2020-4429
SHA-256 | 9ae2166292b30a40f14f7b3a6f76f04daf5d74302789dc5335a3d93c56fc8d0f
Kaseya VSA Master Administrator Account Creation
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new Master Administrator account. Normally this page is only accessible via the localhost interface, but the application does nothing to prevent this apart from attempting to force a redirect. This Metasploit module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and v9.0.0.3.

tags | exploit
advisories | CVE-2015-6922
SHA-256 | e1841c8b0337c3452bf57ed8cf0802fbe917a2421419b4624898bce377235405
SysAid Help Desk Arbitrary File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits two vulnerabilities in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we abuse a directory traversal (CVE-2015-2996) to download the file. Note that there are some limitations on Windows, in that the information disclosure vulnerability doesnt work on a Windows platform, and we can only traverse the current drive (if you enter C:\afile.txt and the server is running on D:\ the file will not be downloaded). This Metasploit module has been tested with SysAid 14.4 on Windows and Linux.

tags | exploit, arbitrary, vulnerability, info disclosure
systems | linux, windows
advisories | CVE-2015-2996, CVE-2015-2997
SHA-256 | d2fb2969a8c58608b9b608d975acd9ca05c3df75f68ee7d1fffe92900e654527
ManageEngine Multiple Products Arbitrary Directory Listing
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a directory listing information disclosure vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It makes a recursive listing, so it will list the whole drive if you ask it to list / in Linux or C:\ in Windows. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This Metasploit module will attempt to login using the default credentials for the administrator and guest accounts; alternatively you can provide a pre-authenticated cookie or a username / password combo. For IT360 targets enter the RPORT of the OpManager instance (usually 8300). This Metasploit module has been tested on both Windows and Linux with several different versions. Windows paths have to be escaped with 4 backslashes on the command line. There is a companion module that allows for arbitrary file download. This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.

tags | exploit, arbitrary, info disclosure
systems | linux, windows
advisories | CVE-2014-7863
SHA-256 | 1f5d0f7e10dd5b6c09b90cd5d4d3fca387739cf0db6fa4fe7cb1b52448b0be88
Netgear R6700v3 Unauthenticated LAN Admin Password Reset
Posted Aug 31, 2024
Authored by Pedro Ribeiro, Radek Domanski, gwillcox-r7 | Site metasploit.com

This Metasploit module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset the password for the admin user back to its factory default of password. Authentication is bypassed by using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58 firmware, however support for other firmware versions may be added in the future. Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can then log into this telnet server using the new password, and obtain a shell as the "root" user. These last two steps have to be done manually, as the authors did not reverse the communication with the web interface. It should be noted that successful exploitation will result in the upnpd binary crashing on the target router. As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit this vulnerability once per reboot of the router. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).

tags | exploit, web, overflow, shell, root, udp, tcp
systems | linux
advisories | CVE-2020-10923, CVE-2020-10924
SHA-256 | 9761d8c2da4ee95f5c6b4cfd77d3759b606692ed519993f3da76a637e562671b
WebNMS Framework Server Arbitrary Text File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, as any binary file will get mangled by the servlet. Also note that for Windows targets you can only download files that are in the same drive as the WebNMS installation. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.

tags | exploit
systems | linux, windows
advisories | CVE-2016-6601
SHA-256 | d53e20ca4f6748cc2ecc344982adb4173a0413426b1595cb3eb67d5d845d913d
ManageEngine Desktop Central Administrator Account Creation
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central (including MSP) from v7 onwards.

tags | exploit
advisories | CVE-2014-7862
SHA-256 | 20fdc34243ea93d07d9efa56530ba5fc89fcfe5486cde29ec4959e7baf0b00e5
NETGEAR WNR2000v5 Administrator Password Recovery
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery. This vulnerability can be exploited by an unauthenticated attacker who is able to guess the value of a certain timestamp which is in the configuration of the router. Brute forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be bruteforced. This Metasploit module works very reliably and it has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this has not been tested.

tags | exploit
advisories | CVE-2016-10175, CVE-2016-10176
SHA-256 | 732e6fa6166a24c612ef12a90f5f518874bfb536abb10e08608e1b6b32c2c86a
ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use his privileges to dump the whole password database in CSV format. PMP can use both MySQL and PostgreSQL databases but this module only exploits the latter as MySQL does not support stacked queries with Java. PostgreSQL is the default database in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, so a higher version does not guarantee exploitability. This Metasploit module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in v7.1 build 7105 and above.

tags | exploit, java, sql injection
systems | linux, windows
advisories | CVE-2014-8499
SHA-256 | 3bb1458e9aceabbc6baaf58c805fc36d04c4e787a9a2a98f33a3d697bff053f3
SysAid Help Desk Administrator Account Creation
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to create an administrator account. Note that this exploit will only work once. Any subsequent attempts will fail. On the other hand, the credentials must be verified manually. This Metasploit module has been tested on SysAid 14.4 in Windows and Linux.

tags | exploit
systems | linux, windows
advisories | CVE-2015-2993
SHA-256 | 55887bc8ab7631e86e8b6aaf58e82554736c64752f4de2a875351997370b165a
ManageEngine Multiple Products Arbitrary File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an arbitrary file download vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This Metasploit module will attempt to login using the default credentials for the administrator and guest accounts; alternatively you can provide a pre-authenticated cookie or a username and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually 8300). This Metasploit module has been tested on both Windows and Linux with several different versions. Windows paths have to be escaped with 4 backslashes on the command line. There is a companion module that allows the recursive listing of any directory. This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.

tags | exploit, arbitrary
systems | linux, windows
advisories | CVE-2014-7863
SHA-256 | ab1da9467d95d26cb5271376592036167d2ec0d3ad01d9799864c1393dc93294
SysAid Help Desk Database Credentials Disclosure
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. This is used to download the server configuration file that contains the database username and password, which is encrypted with a fixed, known key. This Metasploit module has been tested with SysAid 14.4 on Windows and Linux.

tags | exploit, arbitrary
systems | linux, windows
advisories | CVE-2015-2996, CVE-2015-2998
SHA-256 | b9b1becfc83399291108c7053d30f4f6739044bf3b854147ee073c22f603685f
WebNMS Framework Server Credential Disclosure
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract all user credentials. The first vulnerability is an unauthenticated file download in the FetchFile servlet, which is used to download the file containing the user credentials. The second vulnerability is that the passwords in the file are obfuscated with a very weak algorithm which can be easily reversed. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.

tags | exploit, vulnerability
systems | linux, windows
advisories | CVE-2016-6601, CVE-2016-6602
SHA-256 | 920ab46fcd5545eacf0f458c18ec16f0dc99a62c34cfcf226560202b3fa048a1
NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load And Administrator Password Reset
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

The NVRmini 2 Network Video Recorded and the ReadyNAS Surveillance application are vulnerable to an administrator password reset on the exposed web management interface. Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware (before v1.7.6), otherwise you need an administrative user password. This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.

tags | exploit, web
advisories | CVE-2016-5676
SHA-256 | f89702d9f62965d55bdc4a0ef852023698d020ddaba49489c562311fe22ec264
ManageEngine NetFlow Analyzer Arbitrary File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an arbitrary file download vulnerability in CSVServlet on ManageEngine NetFlow Analyzer. This Metasploit module has been tested on both Windows and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you must escape the backslash with a backslash.

tags | exploit, arbitrary
systems | linux, windows
advisories | CVE-2014-5445
SHA-256 | 711db307d94f8b02394989ab641a6bafc0152d792bb3f5ba8757d19f01dc8419
Cisco Data Center Network Manager Unauthenticated File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This Metasploit module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2019-1619, CVE-2019-1621
SHA-256 | 405b00bb4d79db5348b3c12e604b6e404da1f9cceecda00a4b54d45d591a379d
BMC / Numara Track-It! Domain Administrator and SQL Server User Password Disclosure
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits an unauthenticated configuration retrieval .NET remoting service in Numara / BMC Track-It! v9 to v11.X, which can be abused to retrieve the Domain Administrator and the SQL server user credentials. This Metasploit module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143 and 9.0.30.248.

tags | exploit
advisories | CVE-2014-4872
SHA-256 | c4393d13ad749aa7034ef30f6397d0ec4a5b81ec900725fcf1389deef93b9f50
Nuuo Central Management Server User Session Token Bruteforce
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

Nuuo Central Management Server below version 2.4 has a flaw where it sends the heap address of the user object instead of a real session number when a user logs in. This can be used to reduce the keyspace for the session number from 10 million to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries. This Metasploit module does exactly that - it uses a computed occurrence table to try the most common combinations up to 1.2 million to try to guess a valid user session. This session number can then be used to achieve code execution or download files - see the other Nuuo CMS auxiliary and exploit modules. Note that for this to work a user has to be logged into the system.

tags | exploit, code execution
advisories | CVE-2018-17888
SHA-256 | c1949e906b9cc342b13ee1e7b1d1b1bacca9af763cdde96f15a79d10f4355c4d
ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This Metasploit module abuses both vulnerabilities to collect all the available usernames and passwords. First the agentHandler servlet is abused to get the hostid and slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7, the TARGETURI has to be prepended with /event.

tags | exploit, vulnerability
systems | windows
advisories | CVE-2014-6038, CVE-2014-6039
SHA-256 | cf6c91d1c77d2fca8023377a66d608f17e44c3139185d9fb5ca90dd2c152cc59
Nuuo Central Management Server Authenticated Arbitrary File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

The Nuuo Central Management Server allows an authenticated user to download files from the installation folder. This functionality can be abused to obtain administrative credentials, the SQL Server database password and arbitrary files off the system with directory traversal. The module will attempt to download CMServer.cfg (the user configuration file with all the user passwords including the admin one), ServerConfig.cfg (the server configuration file with the SQL Server password) and a third file if the FILE argument is provided by the user. The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules included in Metasploit, these files cannot be decrypted programmatically. The user will have to open them with zip or a similar program and provide the default password "NUCMS2007!". This Metasploit module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. All versions of CMS server up to and including 3.5 are vulnerable to this attack.

tags | exploit, arbitrary, ruby
advisories | CVE-2018-17934
SHA-256 | ab3ebff0713f2be89827e8e121deb46c11ff5fb4091d26d14c9a9bd041ea245f
Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
Posted May 11, 2022
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.

tags | exploit, overflow, shell, root, shellcode
systems | cisco
advisories | CVE-2022-20699
SHA-256 | 619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02
Micro Focus Operations Bridge Reporter Unauthenticated Command Injection
Posted Apr 30, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits a command injection vulnerability on login that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It is a straight up command injection, with little escaping required, and it works before authentication. This module has been tested on the Linux 10.40 version.

tags | exploit
systems | linux
advisories | CVE-2021-22502
SHA-256 | 86c50279de70c09dd3d6cb11b4b245b4e8b6b272a33434965e6bc86812dced42
Micro Focus Operations Bridge Reporter shrboadmin Default Password
Posted Apr 30, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password on Micro Focus Operations Bridge Reporter. The shrboadmin user, installed by default by the product has the password of shrboadmin, and allows an attacker to login to the server via SSH. This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier versions are most likely affected too. Note that this is only exploitable in Linux installations.

tags | exploit
systems | linux
advisories | CVE-2020-11857
SHA-256 | f916dce1d07e07e927e2802d2dca83cb6a07b9d397ca34c5d01f9b2245b2667b
Page 1 of 5
Back12345Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close