rConfig version 3.93 suffers from an authenticated ajaxAddTemplate.php remote code execution vulnerability.

This Metasploit module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called TPL which is used in the PlaySMS template engine at src/Playsms/Tpl.php:_compile(). The vulnerability is triggered when an attacker supplied username with a malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a second time, results in code execution.

This Metasploit module exploits a vulnerability found in Pandora FMS 7.0NG and lower. net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.

With Windows 2000 Microsoft introduced the inheritance of access rights and new Win32-API functions like SetNamedSecurityInfo() which handle the inheritance. SetNamedSecurityInfo() but has a serious bug: it applies inheritable ACEs from a PARENT object to a target object even if it must not do so, indicated by the flags SE_DACL_PROTECTED and/or SE_SACL_PROTECTED in the security descriptor of the target object.

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

This Metasploit module exploits command injection vulnerability in v-list-user-backups bash script file. Low privileged authenticated users can execute arbitrary commands under the context of the root user. An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As result of that backup process, when an attacker try to list existing backups injected payload will be executed.

This Metasploit module exploits an authenticated command injection vulnerability in the v-list-user-backups bash script file in Vesta Control Panel to gain remote code execution as the root user.

This Metasploit module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team.

Whitepaper called Blue Team vs. Red Team: How to run your encrypted binaries in memory and go undetected. This paper discusses the golden frieza project.

Trend Micro Maximum Security is vulnerable to arbitrary code execution as it allows for creation of registry key to target a process running as SYSTEM. This can allow a malware to gain elevated privileges to take over and shutdown services that require SYSTEM privileges like Trend Micros "Asmp" service "coreServiceShell.exe" which does not allow Administrators to tamper with them. This could allow an attacker or malware to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. Note administrator privileges are required to exploit this vulnerability.

NSClient++ version 0.5.2.35 suffers from an authenticated remote code execution vulnerability.

The Global TV Android and iOS applications send potentially sensitive information such as device model and resolution, mobile carrier, days since first use, days since last use, total number of app launches, number of app launches since upgrade, and previous app session length, unencrypted to both first (CNAME to third) and third party sites (Adobe Experience Cloud, ScorecardResearch). Global TV Android versions 2.3.2 and below and iOS versions 4.7.5 and below are affected.

The Citytv Video Android and iOS applications send potentially sensitive information such as device model and resolution, mobile carrier, days since first use, days since last use, total number of app launches, number of app launches since upgrade, and previous app session length, unencrypted to third party sites (Adobe Experience Cloud, ScorecardResearch). Citytv Video Android versions 4.08.0 and below and iOS versions 3.36 and below are affected.

The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one, CVE-2019-1936, is a command injection in a password change form, that allows the attacker to inject commands that will execute as root. This module combines both vulnerabilities to achieve the unauthenticated command injection as root. It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.

An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.

This Metasploit module exploits a vulnerability in Nagios XI versions before 5.6.6 in order to execute arbitrary commands as root. The module uploads a malicious plugin to the Nagios XI server and then executes this plugin by issuing an HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. The module may behave differently against older versions of Nagios XI.

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

This Metasploit module exploits a well known remote code execution exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2.