This module chains two vulnerabilities in n8n to achieve unauthenticated remote code execution. The module abuses a vulnerable unauthenticated form endpoint to read local files from the target system. That file read primitive is then used to recover the n8n home path, configuration data, and encryption key material. The module then reads the n8n SQLite database to extract administrator account data from the application datastore. With that information, it forges an authenticated administrator token and creates a malicious workflow through the n8n API. Finally, the crafted workflow is used to execute operating system commands and deploy an agent on the target. The deployed agent will run with the privileges of the n8n service account.
This vulnerability involves the improper neutralization of special elements used in a command ('command injection') in Windows MSHTML, allowing an unauthorized attacker to execute a crafted DLL file located in a shared folder and bypass Mark of the Web. The steps performed by the exploit are:
- Creates a DLL containing an Impact agent and places it in an SMB file share. It also creates an .lnk file for direct access.
- Using the provided link, download the .lnk file in the browser. Because some browsers may change the .lnk extension, you can set ATTACH_FILE_NAME to end with .zip to send the .lnk inside a ZIP file.
- If necessary, unzip the file and run the .lnk file. Alternatively, run the .lnk directly from the SMB share using the direct link.
If the target can access the SMB share on the Impact machine, the agent will be deployed without Mark of the Web or popup warnings.
rtsold passes unvalidated domain search list options from router advertisement messages directly to the resolvconf shell script, which fails to properly quote its input. This allows an attacker on the local network to inject arbitrary shell commands that are executed with root privileges when the vulnerable system processes a malicious router advertisement. The deployed network agent will run with root privileges. The exploit performs the following steps:
- Builds the Ethernet envelope to ensure the data travels without OS restrictions.
- Generates a fake Router Advertisement message to trick the victim into thinking the attacker is a legitimate gateway.
- Calculates a checksum so the target's kernel accepts the packet as valid.
- Hides malicious commands inside DNS configuration options using a specific format that triggers execution on FreeBSD.
The vulnerability relates to an improper neutralization of special elements used in a command ('command injection') in the Windows Notepad app; this allows an unauthorized attacker to execute code locally.
The vulnerability exists in the WebObjects request handling mechanism, where improper validation of the badparam parameter allows attackers to bypass authentication controls. The exploit performs the following steps:
- Connects to SolarWinds Web Help Desk and retrieves initial session cookies.
- Searches through headers, cookies, and HTML for the WebObjects session identifier.
- Accesses a special route with manipulated 'badparam' parameters to test the bypass.
- Exploits the improperly validated 'badparam' parameter to bypass login and obtain an admin session.
- Creates a persistent URL that allows direct unauthorized access to the administrative panel.
This module exploits an unauthenticated arbitrary file upload in SmarterMail. The vulnerability consists of the arbitrary uploading of a non-binary file (asp, html, txt, etc.) to any location on the target machine without user authentication. However, the SmarterMail server listening on port 9998 (running as SYSTEM) only stores the uploaded file and cannot execute ASPX files. If the IIS server on port 80 is active, the file can instead be written to the root directory of that server and executed through it, with the permissions of the IIS user (a High Integrity Level user). The exploit first verifies that the target SmarterMail service is active and listening on its default administrative port, TCP/9998. It crafts a specially formed multipart/form-data POST request containing a malicious ASPX web shell. The request exploits an improper input validation vulnerability to perform directory path traversal (e.g., using sequences like ../../../). This bypasses the intended upload directory restrictions, allowing the file to be written to critical locations such as:
- The SmarterMail web root (e.g., /interface/app/authentication/)
- The root directory of the IIS web server hosting the application.
After a successful upload, the script verifies the shell's deployment by sending an HTTP GET request to access the uploaded .aspx file. Primary access is attempted via the SmarterMail service on port 9998. A second check is performed via the standard IIS web service on port 80 (if listening). The web shell is designed to execute operating system commands passed via HTTP query parameters and return the command output within the HTTP response. As a demonstration of post-exploitation capabilities, if port 80 is listening, the module can optionally deploy a fileless Core Impact agent via HTA.
This module uses an authentication bypass vulnerability in telnetd to deploy a network agent. The module will bypass authentication by adding the "-f root" value to the USER environment variable in a telnet connection. The deployed network agent will run with root user privileges.
An authorization bypass vulnerability exists in the AsIO3.sys functionality of Asus Armoury Crate. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit to elevate privileges are:
- Leak the address of the current thread.
- Leak the address of the current process token.
- Leak the address of the SYSTEM process token.
- Trigger the vulnerability to bypass the authorization.
- Abuse the driver to overwrite PreviousMode.
- Replace the current process token with the SYSTEM token.
- Restore the original PreviousMode value.
This module uses an authenticated OS command injection vulnerability in Fortinet FortiWeb to deploy a python agent. First, the module will log in to the target application using the given credentials. If no credentials are supplied, the module will attempt to create a new user with administrative privileges (prof_admin) on the target system using random credentials via the CVE-2025-64446 vulnerability. If authentication succeeds, the module will save the new user credentials as an identity in Impact. Next, the module will retrieve the target system version via the /api/v2.0/system/state endpoint. The version will be used to select the attack payload. Then, the module will switch to websockets via the /ws/cli/open endpoint to access the CLI. Finally, it will send CLI commands to create a new SAML configuration containing the OS commands that deploy a python agent. The deployed python agent will run with root user privileges.
MongoDB Server is vulnerable to a memory disclosure flaw due to improper validation of length parameters in Zlib-compressed protocol headers. This vulnerability allows unauthenticated remote attackers to read sensitive information from server memory. This module will check whether the target machine is vulnerable and will try to dump memory contents to the Module Log window, also writing them to a file. This memory dump may contain sensitive data, as explained above. This module performs the following steps:
- Establishes a TCP connection to the target MongoDB server on port 27017.
- Sends crafted malicious packets containing BSON documents with intentionally inflated length values, Zlib-compressed OP_MSG messages wrapped in OP_COMPRESSED headers, and a crafted buffer size.
- Iterates through document lengths.
- Extracts and collects leaked memory from server error responses.
- Shows the collected memory leaks in the module output and saves them to disk (if an output folder is specified) for further analysis.