Metasploit modules

CVE-2023-40498

This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious JSP payload with the SYSTEM user permissions.

More information

CVE-2023-38831

This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution. Authors: - Alexander "xaitax" Hagenah

More information

CVE-2023-38035

This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user. Authors: - Zach Hanley - James Horseman - jheysel-r7

More information

CVE-2023-32560

This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions. This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types. The program tries to copy the item data using `qmemcopy` to a fixed size data buffer on stack. Upon successful exploitation the attacker gains full access to the target system. This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10. Authors: - Ege BALCI egebalci <Ege BALCI [email protected]> - A researcher at Tenable

More information

CVE-2022-39986

RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7. Authors: - Ege BALCI <[email protected]> - Ismael0x00

More information

Maltrail is a malicious traffic detection system, utilizing publicly available blacklists containing malicious and/or generally suspicious trails. The Maltrail versions < 0.54 is suffering from a command injection vulnerability. The `subprocess.check_output` function in `mailtrail/core/http.py` contains a command injection vulnerability in the `params.get("username")` parameter. An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication. Successfully tested against Maltrail versions 0.52 and 0.53. Authors: - Ege BALCI <[email protected]> - Chris Wild

More information

CVE-2023-34634

There exists a .NET deserialization vulnerability in Greenshot version 1.3.274 and below. The deserialization allows the execution of commands when a user opens a Greenshot file. The commands execute under the same permissions as the Greenshot service. Typically, is the logged in user. Authors: - p4r4bellum - bwatters-r7

More information

CVE-2023-38646

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6. Authors: - h00die - Maxwell Garrett - Shubham Shah

More information

CVE-2023-3519

A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root. Authors: - Ron Bowes - Douglass McKee - Spencer McIntyre - rwincey

More information

CVE-2023-34124 CVE-2023-34133 CVE-2023-34132 CVE-2023-34127

This module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions <= 9.9.9320. Authors: - fulmetalpackets <fulmetalpa[email protected]> - Ron Bowes <[email protected]>

More information

CVE-2023-25826 CVE-2023-36812

This module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1. Authors: - Gal Goldstein - Daniel Abeles - Erik Wynter

More information

CVE-2023-30625

This Metasploit module exploits a SQL injection vulnerability in RudderStack's rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgreSQL having superuser permissions by default.

More information

CVE-2023-34468

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells (5-7). Successfully tested against Apache nifi 1.17.0 through 1.21.0. Authors: - h00die - Matei "Mal" Badanoiu

More information

CVE-2023-20887

VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are vulnerable. This module exploits the vulnerability to upload and execute payloads gaining root privileges. Successfully tested against version 6.8.0. Authors: - Sina Kheirkhah - Anonymous with Trend Micro Zero Day Initiative - h00die

More information

CVE-2023-34960

Chamilo is an e-learning platform, also called Learning Management Systems (LMS). This module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions `1.11.18` and below (CVE-2023-34960). Due to a functionality called Chamilo Rapid to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at OS level using a malicious SOAP request at the vulnerable endpoint `/main/webservices/additional_webservices.php`. Authors: - h00die-gr3y <[email protected]> - Randorisec

More information

CVE-2023-2068

Authors: - h00die-gr3y <[email protected]> - Mateus Machado Tesser

More information

CVE-2023-34362

Authors: - sfewer-r7 - rbowes-r7 - bwatters-r7

More information

CVE-2023-32315

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This module will use the vulnerability to create a new admin user that will be used to upload a Openfire management plugin weaponised with java native payload that triggers an RCE. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the first version on the 4.8 branch,

More information

CVE-2023-33246

RocketMQ versions 5.1.0 and below are vulnerable to Arbitrary Code Injection. Broker component of RocketMQ is leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. Authors: - Malayke - jheysel-r7 - h00die

More information

CVE-2023-2825

GitLab version 16.0 contains a directory traversal for arbitrary file read as the `gitlab-www` user. This module requires authentication for exploitation. In order to use this module, a user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlation between the traversal depth, and the depth of groups the vulnerable project is in. The minimum for this seems to be 5, but up to 11 have also been observed. An example of this, is if the directory traversal needs a depth of 11, a group and 10 nested child groups, each a sub of the previous, will be created (adding up to 11). Visually this looks like: Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10. If the depth was 5, a group and 4 nested child groups would be created. With all these requirements satisfied a dummy file is uploaded, and the full

More information