Metasploit modules

  • LG Simple Editor Remote Code Execution
    Disclosure Date : 2023-08-24
    This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious JSP payload with the SYSTEM user permissions.
  • WinRAR CVE-2023-38831 Exploit
    Disclosure Date : 2023-08-23
    This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution. Authors: - Alexander "xaitax" Hagenah
  • Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)
    Disclosure Date : 2023-08-21
    This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user. Authors: - Zach Hanley - James Horseman - jheysel-r7
  • Ivanti Avalanche MDM Buffer Overflow
    Disclosure Date : 2023-08-14
    This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with NT AUTHORITY\SYSTEM permissions. This vulnerability occurs during the processing of the 3/5/8/100/101/102 item data types. The program tries to copy the item data using `qmemcopy` into a fixed-size data buffer on the stack. Upon successful exploitation the attacker gains full access to the target system. This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10. Authors: - Ege BALCI <[email protected]> - A researcher at Tenable
  • RaspAP Unauthenticated Command Injection
    Disclosure Date : 2023-07-31
    RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A command injection vulnerability in RaspAP versions 2.8.0 through 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7. Authors: - Ege BALCI <[email protected]> - Ismael0x00
  • Maltrail Unauthenticated Command Injection
    Disclosure Date : 2023-07-31
    Maltrail is a malicious traffic detection system, utilizing publicly available blacklists containing malicious and/or generally suspicious trails. Maltrail versions prior to 0.54 suffer from a command injection vulnerability. The `subprocess.check_output` function in `mailtrail/core/` contains a command injection vulnerability in the `params.get("username")` parameter. An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication. Successfully tested against Maltrail versions 0.52 and 0.53. Authors: - Ege BALCI <[email protected]> - Chris Wild
  • Greenshot .NET Deserialization Fileformat Exploit
    Disclosure Date : 2023-07-26
    There exists a .NET deserialization vulnerability in Greenshot version 1.3.274 and below. The deserialization allows the execution of commands when a user opens a Greenshot file. The commands execute under the same permissions as the Greenshot service. Typically, this is the logged-in user. Authors: - p4r4bellum - bwatters-r7
  • Metabase Setup Token RCE
    Disclosure Date : 2023-07-22
    Metabase versions before contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6. Authors: - h00die - Maxwell Garrett - Shubham Shah
  • Citrix ADC (NetScaler) Forms SSO Target RCE
    Disclosure Date : 2023-07-18
    A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root. Authors: - Ron Bowes - Douglass McKee - Spencer McIntyre - rwincey
  • Sonicwall
    Disclosure Date : 2023-07-12
    This module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions <= 9.9.9320. Authors: - fulmetalpackets <[email protected]> - Ron Bowes <[email protected]>
  • OpenTSDB 2.4.1 unauthenticated command injection
    Disclosure Date : 2023-07-01
    This module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the API. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1. Authors: - Gal Goldstein - Daniel Abeles - Erik Wynter
  • Rudder Server SQLI Remote Code Execution
    Disclosure Date : 2023-06-16
    This Metasploit module exploits a SQL injection vulnerability in RudderStack's rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgreSQL having superuser permissions by default.
  • Apache NiFi H2 Connection String Remote Code Execution
    Disclosure Date : 2023-06-12
    The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells (5-7). Successfully tested against Apache NiFi 1.17.0 through 1.21.0. Authors: - h00die - Matei "Mal" Badanoiu
  • VMware Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
    Disclosure Date : 2023-06-07
    VMware Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMware 6.x versions are vulnerable. This module exploits the vulnerability to upload and execute payloads, gaining root privileges. Successfully tested against version 6.8.0. Authors: - Sina Kheirkhah - Anonymous with Trend Micro Zero Day Initiative - h00die
  • Chamilo unauthenticated command injection in PowerPoint upload
    Disclosure Date : 2023-06-01
    Chamilo is an e-learning platform, also called a Learning Management System (LMS). This module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions `1.11.18` and below (CVE-2023-34960). Due to a functionality called Chamilo Rapid, used to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at OS level using a malicious SOAP request at the vulnerable endpoint `/main/webservices/additional_webservices.php`. Authors: - h00die-gr3y <[email protected]> - Randorisec
  • WordPress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode
    Disclosure Date : 2023-05-31
    Authors: - h00die-gr3y <[email protected]> - Mateus Machado Tesser
  • MOVEit SQL Injection vulnerability
    Disclosure Date : 2023-05-31
    Authors: - sfewer-r7 - rbowes-r7 - bwatters-r7
  • Openfire authentication bypass with RCE plugin
    Disclosure Date : 2023-05-26
    Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This module will use the vulnerability to create a new admin user that will be used to upload an Openfire management plugin weaponised with a Java native payload that triggers an RCE. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire releases 4.7.5 and 4.6.8, and further improvements will be included in the first version on the 4.8 branch,
  • Apache RocketMQ update config RCE
    Disclosure Date : 2023-05-23
    RocketMQ versions 5.1.0 and below are vulnerable to arbitrary code injection. The Broker component of RocketMQ is exposed on the extranet and lacks permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. Authors: - Malayke - jheysel-r7 - h00die
  • GitLab Authenticated File Read
    Disclosure Date : 2023-05-23
    GitLab version 16.0 contains a directory traversal for arbitrary file read as the `gitlab-www` user. This module requires authentication for exploitation. In order to use this module, a user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlation between the traversal depth and the depth of groups the vulnerable project is in. The minimum for this seems to be 5, but up to 11 have also been observed. For example, if the directory traversal needs a depth of 11, a group and 10 nested child groups, each a sub-group of the previous, will be created (adding up to 11). Visually this looks like: Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10. If the depth was 5, a group and 4 nested child groups would be created. With all these requirements satisfied a dummy file is uploaded, and the full
Please note: Metasploit modules are only matched by CVE numbers. There may be other relevant modules. Visit the Metasploit website for more details.