Nsauditor 3.2.1.0 – Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))

This exploit targets a buffer overflow in Nsauditor versions 3.2.1.0 and 3.0.28.0. A specially crafted DNS query string triggers the overflow and overwrites the structured exception handler (SEH) record; as the title indicates, only three bytes of the handler pointer are overwritten (a partial overwrite), so the remaining high byte keeps its randomized value and the exploit sidesteps ASLR without needing a leak. The exploit includes a customizable shellcode stub for executing arbitrary commands.

Cisco IP Phone 11.7 – Denial of Service

The Cisco IP Phone firmware release 11.7 is vulnerable to denial of service (DoS). By sending a specially crafted request to the phone's web server, an unauthenticated remote attacker can make the phone unresponsive and stop it functioning, disrupting communications and potentially impacting business operations. The vulnerability is tracked as CVE-2020-3161.

Easy MPEG to DVD Burner 1.7.11 – Buffer Overflow (SEH + DEP)

Easy MPEG to DVD Burner version 1.7.11 is vulnerable to a buffer overflow that is exploitable through an SEH overwrite even with DEP enabled: instead of returning directly into shellcode on the non-executable stack, the exploit pivots into a ROP chain that calls VirtualProtect() to mark the memory holding the shellcode executable, then jumps to it. The exploit has been tested on Windows 7 Ultimate x64.

Apache Solr Remote Code Execution via Velocity Template

This module exploits a vulnerability in Apache Solr <= 8.3.0 that allows remote code execution via an attacker-supplied Velocity template. Currently the module only supports Solr basic authentication. An attacker first enumerates the Solr core names on the target. With a core name in hand, the attacker sends a specially crafted HTTP POST to that core's Config API, redefining the Velocity Response Writer in solrconfig.xml with params.resource.loader.enabled set to true. With that option enabled, Solr accepts a template supplied inline through the v.template request parameters, so a second, specially crafted select request carrying the attacker's template is rendered on the server and leads to RCE.
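The two-step sequence described above (Config API call, then a select request carrying an inline template), as a Python illustration added here; it is not the Metasploit module's code. The host, the core name and the harmless arithmetic canary template are assumptions, and the /config response is a constructed sample. The script runs offline: it only builds the two requests and inspects a config document for the weak setting. The same check is what a defender would run against a live core's /config endpoint to confirm the option is off.

```python
"""Request construction and configuration check for the Apache Solr Velocity
Response Writer weakness described above.  Added illustration, not Metasploit
module code.  SOLR_BASE, the core name and the canary template are assumptions.
Runs offline: it builds the requests and inspects a constructed copy of what
Solr's /config endpoint returns."""
import json
from urllib.parse import urlencode

SOLR_BASE = "http://solr.example.internal:8983/solr"  # assumed target base URL


def config_api_body(enable: bool = True) -> str:
    """JSON body for POST /solr/<core>/config that (re)defines the velocity
    queryResponseWriter with the params resource loader turned on (the weak
    setting the exploit needs) or off (the hardened setting)."""
    flag = "true" if enable else "false"
    return json.dumps({
        "update-queryresponsewriter": {
            "startup": "lazy",
            "name": "velocity",
            "class": "solr.VelocityResponseWriter",
            "template.base.dir": "",
            "solr.resource.loader.enabled": "true",
            "params.resource.loader.enabled": flag,
        }
    })


def velocity_select_url(core: str, template: str) -> str:
    """URL of the follow-up request: wt=velocity selects the writer and
    v.template.custom supplies the template inline, which Solr only honours
    when params.resource.loader.enabled is true."""
    params = {"q": "1", "wt": "velocity", "v.template": "custom",
              "v.template.custom": template}
    return f"{SOLR_BASE}/{core}/select?{urlencode(params)}"


def params_loader_enabled(config_json: str) -> bool:
    """True if a core's effective config (GET /solr/<core>/config) defines the
    velocity writer with the params resource loader enabled.  Accepts both the
    string and the boolean spelling of the flag."""
    cfg = json.loads(config_json).get("config", {})
    writer = cfg.get("queryResponseWriter", {}).get("velocity", {})
    value = writer.get("params.resource.loader.enabled", False)
    return str(value).lower() == "true"


# Constructed sample of a /config response after the Config API call above.
SAMPLE_CONFIG = json.dumps({
    "responseHeader": {"status": 0},
    "config": {"queryResponseWriter": {"velocity": {
        "class": "solr.VelocityResponseWriter",
        "params.resource.loader.enabled": "true",
    }}},
})

if __name__ == "__main__":
    print(config_api_body())
    # Benign canary: a vulnerable core renders 42, a hardened one ignores it.
    print(velocity_select_url("demo", "#set($x=6*7)$x"))
    print("weak setting present:", params_loader_enabled(SAMPLE_CONFIG))
```

The canary template evaluates to 42 on a core that honours inline templates, which confirms template rendering without running anything on the host; params_loader_enabled is the check to add to a Solr hardening audit, since a core where it returns True accepts attacker templates from any client that can reach /select.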

VMware Fusion USB Arbitrator Setuid Privilege Escalation

This module exploits improper use of setuid binaries in VMware Fusion 10.1.3 through 11.5.3. The Open VMware USB Arbitrator Service can be launched from outside its standard path, which allows it to load an attacker-controlled binary. By placing a payload in a specific folder under the user's home directory and creating a hard link to the 'Open VMware USB Arbitrator Service' binary, the service can be launched briefly to start the payload with an effective UID of 0. @jeffball55 found that the patch in 11.5.3 was incomplete and left a TOCTOU race. Successfully tested against 10.1.6, 11.5.1, 11.5.2 and 11.5.3.

PlaySMS index.php Unauthenticated Template Injection Code Execution

This module exploits a pre-authentication server-side template injection vulnerability in PlaySMS before version 1.4.3, leading to remote code execution. The flaw is that a server-side template is processed twice by a custom PHP template system called 'TPL', which the PlaySMS template engine uses. An attacker submits a username containing a malicious payload; the value is stored in a TPL template, and when that template is rendered a second time the payload is interpreted as template code rather than data. Because the TPL template language permits PHP code injection, this yields code execution.
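The double-processing failure mode described above, modelled with a deliberately small template engine; this is an added illustration written in Python, not PlaySMS's TPL code. The {{name}} placeholder syntax, the {upper:...} directive standing in for executable template code, and the sample page and username are all assumptions. The vulnerable path renders its own output a second time; the hardened variants either render once or neutralise directive delimiters in user data before substitution.

```python
"""Toy template engine showing why rendering a template twice turns stored
user data into template code (the failure mode described for PlaySMS above).
Added illustration; not PlaySMS's TPL engine.  The placeholder syntax, the
{upper:...} directive and the sample data are assumptions."""
import re

DIRECTIVE = re.compile(r"\{upper:([^{}]*)\}")   # stand-in for "code" in a template
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")       # {{name}} substitution of user data


def render_once(template: str, context: dict) -> str:
    """One pass: execute directives first, then substitute user values verbatim.
    Directive syntax inside substituted values is never executed."""
    out = DIRECTIVE.sub(lambda m: m.group(1).upper(), template)
    return PLACEHOLDER.sub(lambda m: str(context.get(m.group(1), "")), out)


def render_twice(template: str, context: dict) -> str:
    """Vulnerable: the output of the first render is treated as a template
    again, so directive syntax smuggled in through a context value runs."""
    first = render_once(template, context)
    return render_once(first, context)


def escape_value(value: str) -> str:
    """Hardening for code that cannot drop the second pass: strip the
    delimiters that make user data parse as a directive."""
    return value.replace("{", "&#123;").replace("}", "&#125;")


def render_twice_hardened(template: str, context: dict) -> str:
    """Same double render, but every user value is escaped beforehand."""
    safe = {k: escape_value(str(v)) for k, v in context.items()}
    return render_twice(template, safe)


# Constructed sample: a page template and a username chosen by the attacker.
PAGE = "Welcome, {{username}}!"
EVIL_USER = "{upper:pwned}"   # directive syntax submitted as a "username"

if __name__ == "__main__":
    ctx = {"username": EVIL_USER}
    print("single render :", render_once(PAGE, ctx))           # payload stays literal
    print("double render :", render_twice(PAGE, ctx))          # payload executes
    print("hardened      :", render_twice_hardened(PAGE, ctx))  # payload neutralised
```

The uppercasing stands in for whatever the real directive language can do; in PlaySMS that language admits PHP, so the second render runs attacker code rather than changing case. The fix that matters is the structural one: render each template exactly once, and treat anything that came from a user as data on every pass.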

ThinkPHP Multiple PHP Injection RCEs

This module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web server user. Versions up to and including 5.0.23 are exploitable; 5.0.23 itself is affected only by the second of the two flaws. The module attempts to detect the installed version automatically. Tested against versions 5.0.20 and 5.0.23 as packaged in Vulhub.
