This Metasploit module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.
52e94b2539eeb923ed6dfcf33bf21788d037db18208e166670e34916d20844ddThis Metasploit module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.
357c3536b07ff810cec76347c7e5ce16faf862cac3951d66875221d4f487430dVMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password.
84c0696cc53d2e4bd749c04b694cbb8ae3676b266a9d0e92ecb77d88dc2558c3MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This Metasploit module will start an LDAP server that the target will need to connect to.
d15ef16680da0566fc6f0cd17aa36d661420fd2c8fbf3f002025e66fc8acc462A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API.
0594780e2115769789da65e1767a8d75b4d0f855a6666360d2fca232bded2a21This Metasploit module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
648d8ece02bf7d7dd92d3c2ff78f2d3824ad3f28474f3d288194a271823bc243The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.
1720ad267b345d6b91409cdb01c0ab129fc9f485ac71c4c4a816698bd6351239Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.
191fd2ef6dcf8a98bc701657de72fbfe2250e9ec9091b7372a38ea1abcff6241A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.
9902434a58e36c7838c71ee860592d8624368fc1b380cf4c9ccf530f09895fd2The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server via the remember field of a POST request to the /api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the server application. This Metasploit module will start an LDAP server that the target will need to connect to.
371aff703a1c6ed83abe19b12644a1663d1052646d88c385fcca8a64bc63db21VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on Windows. This Metasploit module will start an LDAP server that the target will need to connect to. This exploit uses the logon page vector.
a640959afe63b432e9f52c735f5ef2799a3bab57bd19790c2fcebb608d3e3a86This Metasploit module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit and load a payload. The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server that the target can connect to. The targeted application must have the trusted code base option enabled for this technique to work. The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.
fb881ade3573c4c3970acc27f51ba1d3ac1aaff25446ea8e525ce3aca4d0ca4dThis Metasploit module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm. The getTopologyHistory RPC method method takes a single argument which is the name of a user which is concatenated into a string that is executed by bash. In order for the vulnerability to be exploitable, there must have been at least one topology submitted to the server. The topology may be active or inactive, but at least one must be present. Successful exploitation results in remote code execution as the user running Apache Storm. This vulnerability was patched in versions 2.1.1, 2.2.1 and 1.2.4. This exploit was tested on version 2.2.0 which is affected.
bdeabaf8ee1de5cc701765d5b3a2960189a0cd18ac93bcb180979bd32c8d528aThis Metasploit module demonstrates that by removing the authentication exchange, an attacker can issue requests to the local OMI management socket that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).
421ae743686547f1ecd98e3086fa9370482e6a9646a5f30c18b32491b7848309By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).
fdef0aef0e912b6be1749a8d91235a8ce5f95d8c64ee36efaa66917951a81206An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328.
a64897f563277f473cabf805ba128ebed5a9f941959e6b9130ab7f541f5a6e50This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.
b555cd3b9862ec567195ff3003e6dc453483630a7c663ee17d582778c11dbf59This Metasploit module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and thus is susceptible to the same issue.
7ab7e165e1eabb4c0774d5b02fa501308e44a10ac91af40c1b4ed6a62fc60ca6A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operation to complete without being subjected to all of the necessary authentication. The exploit module leverages this to add a new user with a sudo access and a known password. The new account is then leveraged to execute a payload with root privileges.
4a469ac4141ad75d095a953ed9262ad9287b8c479e96a68695a89371d81439ebThis Metasploit module leverages a flaw in runc to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the runc binary with the payload and waits for someone to use docker exec to get into the container. This will trigger the payload execution. Note that executing this exploit carries important risks regarding the Docker installation integrity on the target and inside the container.
cccb41227aca832e89e9a6f586e66617bdec002e1dded9d5addd44548302edb1The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content. This module will leak the ViewState validation key and then use it to sign a crafted object that will trigger code execution when deserialized. Tested against SharePoint 2019 and SharePoint 2016, both on Windows Server 2016.
5dcb06868c15ec6031a011204cbd74de26b37669890217421638293a9f77e49bThe DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker to read and write kernel-mode memory.
60c28ef1ac35891f12da2b7098fca05a34362d8c69f7050055509277585d70abThis Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for versions prior to 17.12.06.
1a3d79d4b32857119cfd6ad9c273dd5c7dfc3e857b95b83ad391b6001cc0de14This Metasploit module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the vulnerable version 5.7.02.5992 and fixed in version 5.7.03.6112.
871b6bdcb75f943757231fe70d369aecb3bf02147c4c50b85ea3a12f3efaabe4A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation.
ed073b3c17d4f49ffa13834abab3bf326257f8e012a4c37b26486bc312e9e80d
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed