This Metasploit module retrieves masthead, site, and available package information from IBM BigFix Relay Servers.
0b7bd2a7349296cdb8ba1a119f5620f2d6426c6e3d15107e524b74a942e1630bThis Metasploit module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and forces a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.
9beedad3e3c3103e0197e08fdbc451bf1f5445929f6c5022c987a0616228427cThis Metasploit module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.
eb306cad88b29720e7dac7d13bc441bdf247266d948c8cc0122be192d6f3a8f2This Metasploit module allows remote attackers to cause a denial of service (DoS) in MiniUPnP 1.0 server via a specifically crafted UDP request.
ae95c1cc86778001a1fb62a7b55dfa5b18cd92ec1effb4c0c6c39cb0dab75bd7This Metasploit module triggers an off-by-two overflow in the rsyslog daemon. This flaw is unlikely to yield code execution but is effective at shutting down a remote log daemon. This bug was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may prevent this bug from causing any noticeable result on many systems (RHEL6 is affected).
1836af5218b01b297dea76f88ecafa1e2a6576adefd69c53dfff4c3fec648662This Metasploit module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
95022dc08f8106c2bfcbc5fc9fe727e0e71c4943a6a8bcd56c32e2819748cf7fThis Metasploit module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script. This Metasploit module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
f9f9ce5b8abd0f8306e641f3db279345c840570cf53ebfcf9179efb66f27a90fThis Metasploit module triggers an arbitrary shared library load vulnerability in GoAhead web server versions between 2.5 and that have the CGI module enabled.
bee949e92c0ea2f22d837f57390d8e28e16e861007e5e679292d373e6ac8037aThis Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
467d157dc1bbf3f036cc0f63f280fa7c6781fd91ca452708aab53393895c5ba1This Metasploit module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects Ghostscript versions 9.21 and earlier and can be exploited through libraries such as ImageMagick and Pillow.
a27fc20d6d651965282082a1c0885428cca7397e09bbfd29c3bb60a249fb12b3This Metasploit module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This Metasploit module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This Metasploit module was tested against firmware version 1322_D1.98.
2d07c4e5c3e954a7d9efc2a4e7d397f7e69058ab0c07cd400854d45c65db2f07This Metasploit module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This Metasploit module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210.
6469c1b4105f729eff01d7b1743b30cbc9388e3b867763c2295eb78c0197f9dcThis Metasploit module exploits the fact that Ceragon ships a public/private key pair on FibeAir IP-10 devices that allows passwordless authentication to any other IP-10 device. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "mateidu" user.
3ffda87a127eecead37db406771d24d73a3f8fb62c5608cc9113f96992bf3bc3This Metasploit module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected.
8029e1794748c6b847a3fcb2ff96b2b28fc0fde9bdbb4d42498a35812e402c16This Metasploit module exploits a PHP Code Injection vulnerability against WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically find or bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This Metasploit module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.
bed096490dc9d7e2c3e5ae3b9e8234d981926a7705dfde36023179c919fb54aaThis Metasploit module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The vulnerability exists on the web fronted, specifically on the np_handler.pl component, due to the insecure usage of the eval() perl function. This Metasploit module has been tested successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment, not on real hardware.
bde67c6d5bd2eaadf289392fe66c898b1b40583f113cc479740f75c0912c0b93This Metasploit module exploits a buffer overflow on the Supermicro Onboard IPMI controller web interface. The vulnerability exists on the close_window.cgi CGI application, and is due to the insecure usage of strcpy. In order to get a session, the module will execute system() from libc with an arbitrary CMD payload sent on the User-Agent header. This Metasploit module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.
3db49add914cadb4e6f7130ba3b4a6a1c8c69c567c9d6a7d82b5980b09616017This Metasploit module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.
b61f14f2873aa1c647ab01600db74d813ae4c68913ed531266fd588ac8aff25aThis Metasploit module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling.
399dfaf3edd72eb325ee021863dfd3a6e0d3ef47515d4072e0bc7526808df658This Metasploit module exploits a PHP Code Injection vulnerability against Wordpress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on Wordpress must be unchecked for successful exploitation. This Metasploit module has been tested against Wordpress 3.5 and W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.
e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79A few weeks ago, DefenseCode announced the remote pre-auth root access exploit for Cisco Linksys. During further research, they have discovered that other router manufacturers are also vulnerable to the same vulnerability, since the vulnerable Broadcom UPnP stack is used across multiple router vendors. Rapid7 has produced some scary numbers surrounding how many routers are affected on the Internet.
973bb983a4d13f077857f0d5faee4a6aaf7969bdaa84af71296a5aabd7a67568This Metasploit module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this exploit uses a separate TCP listener to stage the real payload.
a7af761c0a55f9166f6f6555c6b5bf62d458d99f52fd09af4ef8ec52d41ace3bThis Metasploit module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This Metasploit module has been tested across multiple versions of RoR 3.x and RoR 2.x The technique used by this module requires the target to be running a fairly version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.
d099a77a1ca32680eece9ad884f4cd0bf31f1df58198575de5142cf570a88342This Metasploit module exploits the default credentials of Apple iOS when it has been jailbroken and the passwords for the 'root' and 'mobile' users have not been changed.
54dd4f5278bc9c7459a9eb628b204ee6a8e4bb9050d89979261c0c78390b9f3aThis Metasploit module exploits an arbitrary code execution backdoor placed into phpMyAdmin version 3.5.2.2 through a compromised SourceForge mirror.
59077add4c187d53c147d92602048e756381c136f672e418d6ccc8272b22fa12
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed