what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 6 of 6

Files from Chris Anastasio

Softing Secure Integration Server 1.22 Remote Code Execution

Posted Jul 22, 2024

Authored by mr_me, Chris Anastasio, Imran E. Dawoodjee | Site metasploit.com

This Metasploit module chains two vulnerabilities to achieve authenticated remote code execution against Softing Secure Integration Server version 1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk. In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system. The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication. A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one.

tags | exploit, remote, arbitrary, local, spoof, vulnerability, code execution

systems | windows

advisories | CVE-2022-1373, CVE-2022-2334

SHA-256 | 138c45447c1d3fa090b4666327e202412f377f34d7873c3c578299783f2b2a43

Download | Favorite | View

Moodle 3.11.5 SQL Injection

Posted Mar 16, 2022

Authored by Chris Anastasio

Moodle version 3.11.5 suffers from an authenticated remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | e3e0c7cc36660ea59837d1a1c82382ac6a351a5640124aceb9c996e84a54cefe

Download | Favorite | View

Quest NetVault Backup Server Code Execution / SQL Injection

Posted Feb 22, 2019

Authored by rgod, Chris Anastasio

Quest NetVault Backup Server versions prior to 11.4.5 suffer from process manager service SQL injection and remote code execution vulnerabilities.

tags | exploit, remote, vulnerability, code execution, sql injection

advisories | CVE-2017-17417

SHA-256 | d64452d985968041fdc707a0dfbae3290f40711c502eb6aaaeb24a77072e2e6a

Download | Favorite | View

Check Point ZoneAlarm 8.8.1.110 Local Privilege Escalation

Posted Jan 17, 2019

Authored by Chris Anastasio

Check Point ZoneAlarm version 8.8.1.110 suffers from a local privilege escalation vulnerability.

tags | exploit, local

SHA-256 | 017c4375875f7ecb9494589e5292d5ebf3aec94dc014849bbc8f8c3255eff12b

Download | Favorite | View

IssueTrak 7.0 SQL Injection

Posted May 29, 2018

Authored by Chris Anastasio

IssueTrak version 7.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | 1ca72af0c55484ccd608194909c3cef48db5fddab1d068ca70b153fac71f0cc2

Download | Favorite | View

Kronos Telestaff SQL Injection

Posted Jun 5, 2017

Authored by Chris Anastasio, Mark F. Snodgrass

Kronos Telestaff versions prior to 2.92EU29 suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | 2026990b4ae0d270b09cc355b15de93ad0be6adf7836f695074b12d159a9b6bb

Download | Favorite | View