remo

PhreeBooks ERP 5.2.5 Remote Command Execution

PhreeBooks ERP version 5.2.5 suffers from a remote command execution vulnerability.




remo

Kentico CMS 12.0.14 Remote Command Execution

This Metasploit module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier. Remote command execution is possible via unauthenticated XML requests to the Staging Service SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. XML input is passed to an insecure .NET deserialize call which allows for remote command execution.







remo

HC10 HC.Server Service 10.14 Remote Invalid Pointer Write

The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794. In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved. If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence. Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program. The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService". Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10.




remo

Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution

Prestashop versions 1.7.6.4 and below suffer from code execution, cross site request forgery, and cross site scripting vulnerabilities.




remo

Cisco Data Center Network Manager Unauthenticated Remote Code Execution

DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).




remo

FileThingie 2.5.7 Remote Shell Upload

FileThingie version 2.5.7 suffers from a remote shell upload vulnerability.




remo

Linear eMerge E3 1.00-06 Arbitrary File Upload Remote Root Code Execution

Linear eMerge E3 versions 1.00-06 and below arbitrary file upload remote root code execution exploit.




remo

Optergy 2.3.0a Remote Root

Optergy versions 2.3.0a and below authenticated file upload remote root code execution exploit.




remo

PHP-FPM 7.x Remote Code Execution

This Metasploit module exploits an underflow vulnerability in PHP-FPM versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. This is a port of the original neex's exploit code (see refs). First, it detects the correct parameters (Query String Length and custom header length) needed to trigger code execution. This step determines if the target is actually vulnerable (Check method). Then, the exploit sets a series of PHP INI directives to create a file locally on the target, which enables code execution through a query string parameter. This is used to execute normal payload stagers. Finally, this module does some cleanup by killing local PHP-FPM workers (those are spawned automatically once killed) and removing the created local file.




remo

rConfig 3.93 Authenticated Remote Code Execution

rConfig version 3.93 suffers from an authenticated ajaxAddTemplate.php remote code execution vulnerability.




remo

rConfig 3.9.4 Remote Command Injection

rConfig version 3.9.4 suffers from a search.crud.php remote command injection vulnerability.




remo

Pandora FMS 7.0NG Remote Code Execution

Pandora FMS version 7.0NG suffers from a net_tools.php remote code execution vulnerability.




remo

Pandora FMS Ping Authenticated Remote Code Execution

This Metasploit module exploits a vulnerability found in Pandora FMS 7.0NG and lower. net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.




remo

ThinkPHP 5.0.23 Remote Code Execution

This Metasploit module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software. Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.




remo

CentOS-WebPanel.com Control Web Panel 0.9.8.836 Remote Command Execution

CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.836 suffers from a remote command execution vulnerability.




remo

rConfig 3.9.4 searchField Remote Code Execution

rConfig version 3.9.4 searchField unauthenticated remote root code execution exploit.




remo

Vesta Control Panel Authenticated Remote Code Execution

This Metasploit module exploits command injection vulnerability in v-list-user-backups bash script file. Low privileged authenticated users can execute arbitrary commands under the context of the root user. An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As result of that backup process, when an attacker try to list existing backups injected payload will be executed.




remo

Vesta Control Panel Authenticated Remote Code Execution

This Metasploit module exploits an authenticated command injection vulnerability in the v-list-user-backups bash script file in Vesta Control Panel to gain remote code execution as the root user.




remo

TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution

This Metasploit module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team.




remo

Liferay Portal Java Unmarshalling Remote Code Execution

This Metasploit module exploits a Java unmarshalling vulnerability via JSONWS in Liferay Portal versions prior to 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.




remo

Nexus Repository Manager 3.21.1-01 Remote Code Execution

This Metasploit module exploits a Java Expression Language (EL) injection in Nexus Repository Manager versions up to and including 3.21.1 to execute code as the Nexus user. Tested against 3.21.1-01.




remo

netkit-telnet 0.17 Remote Code Execution

netkit-telnet version 0.17 telnetd on Fedora 31 BraveStarr remote code execution exploit.




remo

Sagemcom Fast 3890 Remote Code Execution

This exploit uses the Cable Haunt vulnerability to open a shell for the Sagemcom F@ST 3890 (50_10_19-T1) cable modem. The exploit serves a website that sends a malicious websocket request to the cable modem. The request will overflow a return address in the spectrum analyzer of the cable modem and using a rop chain start listening for a tcp connection on port 1337. The server will then send a payload over this tcp connection and the modem will start executing the payload. The payload will listen for commands to be run in the eCos shell on the cable modem and redirect STDOUT to the tcp connection.




remo

Yes, You Can Remotely Hack Factory, Building Site Cranes. Wait, What?




remo

NEC Univerge SV9100/SV8100 WebPro 10.0 Remote Configuration Download

NEC Univerge SV9100/SV8100 WebPro version 10.0 suffers from a remote configuration download vulnerability. The gzipped telephone system configuration file 'config.gz' or 'config.pcpx' that contains the unencrypted data file 'conf.pcpn', can be downloaded by an attacker from the root directory if previously generated by a privileged user.




remo

NagiosXI 5.6 Remote Command Execution

This is a whitepaper tutorial that walks through creating a proof of concept exploit for a remote command execution vulnerability in NagiosXI version 5.6.




remo

Symantec Web Gateway 5.0.2.8 Remote Command Execution

This is a whitepaper tutorial that walks through creating a proof of concept exploit for a pre-authentication remote command execution vulnerability in Symantec Web Gateway version 5.0.2.8.




remo

NagiosXI 5.6.11 Remote Command Execution

This is a whitepaper tutorial that describes steps taken to identify post-authentication remote command execution vulnerabilities in NagiosXI version 5.6.11.




remo

ManageEngine 14 Remote Code Execution

This is a whitepaper tutorial that describes steps taken to identify post-authentication remote code execution vulnerabilities in ManageEngine version 14.




remo

Symantec Web Gateway 5.0.2.8 Remote Code Execution

This is a whitepaper tutorial that describes steps taken to identify post-authentication remote code execution vulnerabilities in Symantec Web Gateway version 5.0.2.8.




remo

Blind CreateRemoteThread Privilege Escalation

Whitepaper called Blind CreateRemoteThread Privilege Escalation.




remo

Oracle WebLogic 12.1.2.0 Remote Code Execution

Oracle WebLogic version 12.1.2.0 RMI registry UnicastRef object java deserialization remote code execution exploit.




remo

IQrouter 3.3.1 Remote Code Execution

IQrouter firmware version 3.3.1 suffers from a remote code execution vulnerability.




remo

NSClient++ 0.5.2.35 Authenticated Remote Code Execution

NSClient++ version 0.5.2.35 suffers from an authenticated remote code execution vulnerability.




remo

Edimax EW-7438RPn 1.13 Remote Code Execution

Edimax EW-7438RPn version 1.13 suffers from a remote code execution vulnerability.




remo

Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution

Furukawa Electric ConsciusMAP version 2.8.1 java deserialization remote code execution exploit.




remo

School ERP Pro 1.0 Remote Code Execution

School ERP Pro version 1.0 suffers from a remote code execution vulnerability.




remo

Open-AudIT Professional 3.3.1 Remote Code Execution

Open-AudIT Professional version 3.3.1 suffers from a remote code execution vulnerability.




remo

SimplePHPGal 0.7 Remote File Inclusion

SimplePHPGal version 0.7 suffers from a remote file inclusion vulnerability.




remo

Saltstack 3000.1 Remote Code Execution

Saltstack version 3000.1 suffers from a remote code execution vulnerability.




remo

ManageEngine Asset Explorer Windows Agent Remote Code Execution

The ManageEngine Asset Explorer windows agent suffers form a remote code execution vulnerability. All versions prior to 1.0.29 are affected.




remo

Cisco UCS Director Unauthenticated Remote Code Execution

The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one, CVE-2019-1936, is a command injection in a password change form, that allows the attacker to inject commands that will execute as root. This module combines both vulnerabilities to achieve the unauthenticated command injection as root. It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.




remo

Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification

Cisco Content Security Virtual Appliance M380 IronPort remote cross site host modification demo exploit.




remo

Cisco Discovery Protocol (CDP) Remote Device Takeover

Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices.




remo

Cisco Data Center Network Manager 11.2 Remote Code Execution

Cisco Data Center Network Manager version 11.2 remote code execution exploit.




remo

Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak

An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.




remo

GitLab Awards Researcher $20,000 For Remote Code Execution Bug