This module exploits a Server-Side Request Forgery via the getUiType parameter in the /OA_HTML/configurator/UiServlet endpoint of Oracle E-Business Suite to deploy an agent. First, the module registers an endpoint in the local webserver that will be used in the attack to send an XSL file to the target; that file will execute system commands to deploy the agent. Then, it retrieves a required CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints. Finally, it uses the Server-Side Request Forgery vulnerability combined with a Carriage Return/Line Feed (CRLF) injection to smuggle a request to the /OA_HTML/help/../ieshostedsurvey.jsp endpoint, which triggers a GET HTTP request to the local webserver; that webserver, in turn, delivers the XSL file that deploys the agent. The deployed agent will run with the oracle user account privileges.
This module exploits an OS Command Injection present in the getCASURL Perl function of Dell Unity to deploy an agent. The module triggers the vulnerability by embedding the system commands that deploy the agent in a request to the /misc endpoint. Spaces in the system command are replaced with the ${IFS} shell variable. The deployed agent will run with the apache user account privileges.
This module exploits an OS Command Injection via ASP.NET markup, present in the WikiContentWebpart Web Part of Microsoft SharePoint Server, to deploy an agent. The deployed agent will run with the SharePoint Server service account privileges.
The Application Identity Service module (appid.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary code execution. This module allows a local unprivileged user running as "LOCAL SERVICE" to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
- Leak the address of the current thread
- Leak the address of the current process token
- Leak the address of the SYSTEM process token
- Leak the address of the ExpProfileDelete kernel function
- Trigger the vulnerability to overwrite PreviousMode
- Replace the current process token with the SYSTEM token
- Restore the original PreviousMode value
This module uses an authentication bypass vulnerability via a race condition in AS2 validation in CrushFTP to create a new administrative user in the target application. If the credentials for the new administrative user are not provided, the module generates random ones. If the exploitation succeeds, the credentials are checked against the target. Also, if the module created random credentials for the attack, a new identity with these credentials is created. Since this module uses a race condition to exploit the vulnerability, the MAX_TRIES parameter can be used to limit the number of requests that will be sent to the target system.
This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj Java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. This module may also abuse CVE-2024-1403, an authentication bypass vulnerability that allows access to the adminServer classes. This module performs the following steps:
- If no username and password are provided, the module uses the CVE-2024-1403 vulnerability to authenticate against the target application as the NT AUTHORITY\SYSTEM user. If a username and password are provided, those credentials are used for authentication.
- Once authenticated, it creates an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface.
- Then, it uses the getPlugins method of the previous class to obtain a list of the interfaces exposed by the com.progress.ubroker.tools.NSRemoteObject plugin.
- Then, it uses the getRemoteManageObject method of the com.progress.ubroker.tools.NSRemoteObject class via the com.progress.ubroker.tools.IYodaSharedResources interface to create an instance of an object compatible with the com.progress.ubroker.tools.IYodaRMI interface.
- Then, it uses the doRemoteToolCmd method via the com.progress.ubroker.tools.IYodaRMI interface to add a payload that deploys an agent inside the Progress\OpenEdge\properties\ubroker.properties file. An entry for an application *service* is added.
- Finally, it uses the doRemoteToolCmd method again to start a process that uses the parameters added in the previous step.
All requests to the target are made using Java RMI.
This module exploits a high-severity vulnerability in Windows File Explorer. The exploit works by creating a specially crafted .lnk (shortcut) file that, when placed in a folder viewed by a victim, forces the system to automatically connect to an attacker-controlled SMB server. This connection happens without any user interaction and results in the victim's NTLM hash being sent to the attacker. Tools such as "John the Ripper" can then be used to attempt to recover the original password associated with the hash.
A vulnerability in the update service of the Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker to execute a crafted DLL with SYSTEM user privileges. The steps performed by the exploit are:
- First, it creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses.
- Creates a thread to run the first stage of the executable FolderOrFileDeleteToSystem to set up Config.msi.
- Creates a second thread to run the second executable, FolderContentsDeleteToFolderDelete, to redirect content cleanup from C:\ESD\Windows to C:\Config.msi.
- Creates a task named SilentCleanup to trigger content cleanup and delete Config.msi.
- After deletion, creates a third thread to run the second stage of FolderOrFileDeleteToSystem to drop HID.dll.
- Runs osk.exe, then in another thread runs mmc.exe.
An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how the WingFTP server processes usernames, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation of this vulnerability requires valid user credentials (username and password). This exploit performs the following steps:
- Sends a POST request to loginok.html with the malicious command in the username field.
- Extracts the session cookie (UID), which the server returns in the Set-Cookie header.
- Uses the extracted UID cookie to access dir.html.
- Requests and executes the necessary files to install an agent.
A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where /etc/nsswitch.conf from a user-controlled directory is used. This exploit creates a temporary directory structure that mimics a normal root environment and uploads a malicious /etc/nsswitch.conf, which in turn loads a shared object that escalates privileges. The exploit is triggered by executing sudo with the -R flag pointing to the user-controlled directory.