This Metasploit module uses a combination of an arbitrary file read (CVE-2024-34102) and a buffer overflow in glibc (CVE-2024-2961). It allows for unauthenticated remote code execution on various versions of Magento and Adobe Commerce (and earlier versions if the PHP and glibc versions are also vulnerable). Versions affected include 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier.
f1b5cba01a5fd2ecef43b7a58280b21a88a3060e64cb2735247437f0ade78ff4CVE-2024-30088 is a Windows kernel elevation of privilege vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes specifically when the kernel copies the _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION of the current token object to user mode. When the kernel performs the copy of the SecurityAttributesList, it sets up the list of the SecurityAttributes structure directly to the user supplied pointed. It then calls RtlCopyUnicodeString and AuthzBasepCopyoutInternalSecurityAttributeValues to copy out the names and values of the SecurityAttribute leading to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.
a4e521839032a10c16e91b79eb43b6f9620dcc27482be434b0d2b62d5ac92e66This Metasploit module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.
6e09b750ae1a9a0b2b8f3c6e3aa95c6c27115a13bd3431b2f9fa3155e9f1d346The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data in the total_service parameter of the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), prior to using it in a dynamically constructed SQL query. As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive data from the backend database such as usernames and password hashes. This Metasploit module uses this vulnerability to dump the list of WordPress users and their associated email addresses and password hashes for cracking offline.
29ecfa5e38864b30d4aa9450311eb83d8df5628e2fbd5acbfcbc4a942cf3b816This Metasploit module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order to retrieve all the usernames and their associated password from the database.
668d40628faf73dd32554ae84c36e46a6ae67a8a8d4b003f7fec6bd01f8d03a0This Metasploit module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version 2023 Update 6 and 2021 Update 12. The vulnerability allows unauthenticated attackers to request authentication token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
e89b9c55f15b5bbc361d35004fa9ae593f647615c4b1b4703a7b67d828ea9ff3This Metasploit module exploits CVE-2024-27348, a remote code execution vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve remote code execution through Gremlin, resulting in complete control over the server.
b97d3ebb5977b249d01dc6eda8963e68e3e2fb294c007a301ee0a7f467c4e02dGeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets. In the GeoServer versions before 2.23.6, greater than or equal to 2.24.0, before 2.24.4 and greater than equal to 2.25.0, and before 2.25.1, multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the system.
60f349aa901f9dae2286ae790ca0dc4f7e03fb5120fbbaa6cd6f79d5a14fe921This Metasploit module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details.
982a22adf692cbb4bdaff05b25b80fdc0ce425b51c83b4978f3522b5948bc977Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in turn allows for remote code execution in the context of the user running the application.
95a799d52023de4e870b8e6e3293276e9dc9c6116e4ec377371d107ab468f276Apache Solr versions 6.0.0 through 8.11.2 and versions 9.0.0 up to 9.4.1 are affected by an unrestricted file upload vulnerability which can result in remote code execution in the context of the user running Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load some classes from it. The backup function of the Collection can export malicious class files uploaded by attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.
982c87ed2032bff9e2a889f42db78ed065aa2707c068813f76b1c3875193d49dA remote SQL injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server) versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized platform for overseeing enrolled endpoints. The SQL injection vulnerability is due to user controller strings which can be sent directly into database queries. FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013 and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database. In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable to SQL injection. It can be used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code execution in the context of NT AUTHORITY\SYSTEM. Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet. It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient EMS for the necessary vulnerable services to be available.
5dc08a7c993a962915dd2867b371b86d2696d585975c16dd1ce9c50691286b53This Metasploit module exploits two vulnerabilities in Sharepoint 2019 - an authentication bypass as noted in CVE-2023-29357 which was patched in June of 2023 and CVE-2023-24955 which was a remote command execution vulnerability patched in May of 2023. The authentication bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. If the signing algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic flaw in the ReadTokenCore() method. After impersonating the administrator user, the attacker has access to the Sharepoint API and is able to exploit CVE-2023-24955. This authenticated remote command execution vulnerability leverages the impersonated privileged account to replace the /BusinessDataMetadataCatalog/BDCMetadata.bdcm file in the webroot directory with a payload. The payload is then compiled and executed by Sharepoint allowing attackers to remotely execute commands via the API.
3b1724367c87a328eb0a2106c305037f2a413ec6310fe39613f91e443e4e1a9cThere exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices. The vulnerable endpoint is the quick.cgi component, exposed by the device's web based administration feature. The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully initialized, the quick.cgi component is disabled on the system. An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command injection, allowing the attacker to execute arbitrary commands on the device.
512c538bc485b9095fb0fb14daba0e91a985496262d3017dc3aaf05f8005e9adThis Metasploit module exploits an unauthenticated remote command execution vulnerability in WordPress Backup Migration plugin versions 1.3.7 and below. The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution.
1feecca12306422ebe993c3821d87be77ad3056e719f9dcbae7c033f156e447fA buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.
e48ab23fe12076a6f076606de74abf4141a72444bfb88e5c9ea8bf73a3f2b891This improper authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to the Confluence instance administrator. This Metasploit module uses the administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code execution on the target in the context of the of the user running the confluence server.
26d73b4952befcec0a56b50c408cd4fd4e5babeec09700eba379dfb85cf91c39This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.
23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517An unauthenticated remote code execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If no Admin user is created, the endpoint /cgi-bin/fax_change_faxtrace_settings is accessible without authentication. The endpoint allows the user to configure a number of different fax settings. A number of the configurable parameters on the page fail to be sanitized properly before being used in a bash eval statement, allowing for an unauthenticated user to run arbitrary commands.
55b25ea44278a5136992f906756ff24cc7e2991ab7847a6388c6522fffc7a70aA privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. This Metasploit module exploit makes use to two different kinds of specially crafted .blf files.
9aa5ede2ea03c876775407f0098c013dfd3c503cc4ebb1ee7306284def339699This Metasploit module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user.
ea4bf146aae20e6532518f5f14a0339f6c32348de42b3b15936e869ed48d8e04RocketMQ versions 5.1.0 and below are vulnerable to arbitrary code injection. Broker component of RocketMQ is leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.
b33a501b649fb4900d4cb03d01bea674dda00bc78e807afce60061fd47ecfceaHitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is vulnerable to an authentication bypass (CVE-2022-43939) and a Server Side Template Injection (SSTI) vulnerability (CVE-2022-43769) that can be chained together to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server. The first vulnerability (CVE-2022-43939) is an authentication bypass which stems from a regex that allows any URL that ends in "/", followed by "require", optionally "-js" or "-cfg", any character, and then the string "js" followed optionally by "?" and then any characters of the attacker's choice. The second (CVE-2022-43769) is a server side template injection. This vulnerability allows remote code execution by making a GET request to /api/ldap/config/ldapTreeNodeChildren and setting the url parameter to ThymeLeaf template code. By abusing the ability to execute arbitrary Java classes within Thymeleaf templates, an attacker can execute arbitrary commands as the user running the Pentaho Business Analytics Server.
85e7f9076fc208c9c4ebe24ee580c0390563fe0f0db89e01aa897a906b078801This Metasploit module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.
c980fde4ce08516646fb2f75d7208c7f0bc88dcc1103403bca06bec378b78a76This Metasploit module combines two vulnerabilities in order achieve remote code execution in the context of the horizon user. The first vulnerability, CVE-2022-22956, is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection remote code execution vulnerability specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker to deserialize arbitrary Java objects which can allow for remote code execution.
7c29d90e3f3e9d482ff4bcd4e44dc3c7f3847da9e1f2f563dc1812dc6362bcd4
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed