WSO2 API Manager Documentation File Upload Remote Code Execution

A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions /permission/admin/login and /permission/admin/manage/api/publish to upload arbitrary files to a user-controlled server location. This flaw could be exploited to execute remote code, enabling an...

Chamilo v1.11.24 Unrestricted File Upload PHP Webshell

Chamilo LMS is a free software e-learning and content management system. In versions prior to use exploit/linux/http/chamilobiguploadwebshell msf exploitchamilobiguploadwebshell show targets ...targets... msf exploitchamilobiguploadwebshell set TARGET msf exploitchamilobiguploadwebshell show...

Metasploit Weekly Wrap-Up 11/22/2024

JetBrains TeamCity Login Scanner Metasploit added a login scanner for the TeamCity application to enable users to check for weak credentials. TeamCity has been the subject of multiple ETR vulnerabilities and is a valuable target for attackers. Targeted DCSync added to Windows Secrets Dump This...

ProjectSend R1605 Unauthenticated Remote Code Execution

class MetasploitModule 'ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution', 'Description' = %q This module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605. The vulnerability allows an unauthenticated attacker to obtain remote code executi...

ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution

This module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605. The vulnerability allows an unauthenticated attacker to obtain remote code execution by enabling user registration, disabling the whitelist of allowed file extensions, and uploading a malicio...

Judge0 sandbox escape

Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. Module Options msf use exploit/linux/http/judge0sandboxescapecve202428189 msf...

Strapi CMS Unauthenticated Password Reset

This module abuses the mishandling of a password reset request for Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user. Successfully tested against Strapi CMS version 3.0.0-beta.17.4. Module Options msf use auxiliary/scanner/http/strapi3passwordreset msf...

Ivanti EPM Agent Portal Command Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/proto/msnrtp/client' class MetasploitModule 'Ivanti EPM Agent Portal Command Execution', 'Description' = %q This module leverages an unauthenticated RCE in...

Judge0 Sandbox Escape

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Judge0 sandbox escape', 'Description' = %q Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an...

Ivanti EPM Agent Portal Command Execution Exploit

This Metasploit module leverages an unauthenticated remote command execution vulnerability in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior ...

Judge0 Sandbox Escape Exploit

Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. This module requires Metasploit: https://metasploit.com/download Current source:...

Pyload Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/stopwatch' class MetasploitModule 'Pyload RCE CVE-2024-39205 with js2py sandbox escape CVE-2024-28397', 'Description' = %q CVE-2024-28397 is sandbox escape ...

Metasploit Weekly Wrap-Up: 11/15/2024

Palo Alto Expedition RCE module This week's release includes an exploit module for the Palo Alto Expedition exploit chain that's been making headlines recently. The first vulnerability, CVE-2024-5910, allows attackers to reset the password of the admin user. The second vulnerability, CVE-2024-946...

JetBrains TeamCity Login Scanner

This module performs login attempts against a JetBrains TeamCity webpage to bruteforce possible credentials. Module Options msf use auxiliary/scanner/teamcity/teamcitylogin msf auxiliaryteamcitylogin show actions ...actions... msf auxiliaryteamcitylogin set ACTION msf auxiliaryteamcitylogin show...

Palo Alto Expedition 1.2.91 Remote Code Execution Exploit

This Metasploit module lets you obtain remote code execution in Palo Alto Expedition versions 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows to reset the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a defau...

Metasploit Wrap-Up: 11/08/2024

RISC-V Support This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more...

ESC8 Relay: SMB to HTTP(S)

This module creates an SMB server and then relays the credentials passed to it to an HTTP server to gain an authenticated connection. Once that connection is established, the module makes an authenticated request for a certificate based on a given template. Module Options msf use...

Linux Reboot

A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAPSYSBOOT privileges. Module Options msf use payload/linux/riscv64le/reboot msf payloadreboot show actions ...actions... msf payloadreboot set ACTION msf...

Linux Reboot

A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAPSYSBOOT privileges. Module Options msf use payload/linux/riscv32le/reboot msf payloadreboot show actions ...actions... msf payloadreboot set ACTION msf...

Linux Execute Command

Execute an arbitrary command Module Options msf use payload/linux/riscv32le/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run This module requires Metasploit: https://metasploit.com/download Curre...