Explore all Exploits:

HTML5 Video Player 1.2.5 – Buffer Overflow (SEH)

This module exploits a stack-based buffer overflow in HTML5 Video Player 1.2.5, triggered through the registration 'Username' field. 1. Create a file with the name 'msf.txt' and copy its content to the clipboard. 2. Open the software, click Help > Register, paste into 'Username' and click 'OK'.

ISPworker 1.21 Remote File Disclosure Vulnerability

This vulnerability allows an attacker to disclose sensitive files on the target system by exploiting the file disclosure vulnerability in ISPworker 1.21. By sending a specially crafted request to the /module/ticket/download.php endpoint with a manipulated ticketid or filename parameter, an attacker can traverse the directory structure and access files outside the intended scope. This can lead to the disclosure of sensitive information, such as the contents of the /etc/passwd file.

TeamCity Agent XML-RPC Command Execution

This module allows remote code execution on TeamCity Agents configured to use bidirectional communication via xml-rpc. In bidirectional mode the TeamCity server pushes build commands to the Build Agents over port TCP/9090 without requiring authentication. Up until version 10 this was the default configuration. This module supports TeamCity agents from version 6.0 onwards.

Mac OS X libxpc MITM Privilege Escalation

This module exploits a vulnerability in libxpc on macOS <= 10.13.3. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child process, we can gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which is used by sudo to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.

Linux Nested User Namespace idmap Limit Local Privilege Escalation

This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package).

php imap_open Remote Code Execution

The imap_open function in PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary. ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI and administrator credentials. suiteCRM/e107/hostcms require administrator credentials.
