rtsold passes unvalidated domain search list options from router advertisement messages directly to the resolvconf shell script, which fails to properly quote its input. This allows an attacker on the local network to inject arbitrary shell commands that are executed with root privileges when the vulnerable system processes a malicious router advertisement. The deployed network agent will run with root privileges. The exploit performs the following steps: Builds the Ethernet envelope to ensure the data travels without OS restrictions. Generates a fake Router Advertisement message to trick the victim into thinking the attacker is a legitimate gateway. Calculates a checksum so the target's kernel accepts the packet as valid. Hides malicious commands inside DNS configuration options using a specific format that triggers execution on FreeBSD.
The vulnerability exists in the WebObjects request handling mechanism where improper validation of the badparam parameter allows attackers to bypass authentication controls. The exploit performs the following steps: Connects to SolarWinds Web Help Desk and retrieves initial session cookies. Searches through headers, cookies, and HTML for the WebObjects session identifier. Accesses a special route with manipulated 'badparam' parameters to test the bypass. Exploits the improperly validated 'badparam' parameter to bypass login and obtain admin session. Creates a persistent URL that allows direct unauthorized access to the administrative panel.
This module exploits an unauthenticated arbitrary file upload in SmarterMail. The vulnerability consists of the arbitrary uploading of a non-binary file (asp, html, txt, etc.) to any location on the target machine without user authentication. However, the SmarterMail server listening on port 9998 (SYSTEM) only stores the uploaded file; it cannot execute ASPX files. If the IIS server on port 80 is active, however, the file can be written to the root directory of that server and executed through it, with the permissions of the IIS user (a High Integrity Level user). The exploit first verifies that the target SmarterMail service is active and listening on its default administrative port, TCP/9998. It crafts a specially formed multipart/form-data POST request containing a malicious ASPX web shell. The request exploits an improper input validation vulnerability to perform directory path traversal (e.g., using sequences like ../../../). This bypasses the intended upload directory restrictions, allowing the file to be written to critical locations such as: 1) the SmarterMail web root (e.g., /interface/app/authentication/); 2) the root directory of the IIS web server hosting the application. After a successful upload, the script verifies the shell's deployment by sending an HTTP GET request to access the uploaded .aspx file. Primary access is attempted via the SmarterMail service on port 9998. A second check is performed via the standard IIS web service on port 80 (if listening). The web shell is designed to execute operating system commands passed via HTTP query parameters and return the command output within the HTTP response. As a demonstration of post-exploitation capabilities, if port 80 is listening, the module can optionally deploy a fileless Core Impact agent via HTA.
MongoDB Server is vulnerable to a memory disclosure flaw due to improper validation of length parameters in Zlib-compressed protocol headers. This vulnerability allows unauthenticated remote attackers to read sensitive information from server memory. This module checks whether the target machine is vulnerable and, if so, attempts to dump memory contents to the Module Log window and also writes them to a file. This memory dump may contain sensitive data, as explained above. This module performs the following steps: Establishes a TCP connection to the target MongoDB server on port 27017. Sends crafted malicious packets containing BSON documents with intentionally inflated length values, Zlib-compressed OP_MSG messages wrapped in OP_COMPRESSED headers, and a crafted buffer size. Iterates through document lengths. Extracts and collects leaked memory from server error responses. Shows the collected memory leaks in the module output and saves them to disk (if an output folder is specified) for further analysis.
This module exploits an access control issue in Windows SMB clients to deploy a remote agent with SYSTEM privileges through a multi-stage attack chain: 1. DNS Injection: Adds a malicious DNS record 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' via LDAP to the domain controller, pointing to the attacker's IP address. 2. NTLM Relay: Starts an ntlmrelayx server that waits for SMB authentication attempts and relays them to install an agent with SYSTEM privileges on the target system. 3. RPC Coercion: Forces the victim system to authenticate to the attacker-controlled DNS name using coercion techniques. Domain credentials from a regular user are required. The deployed agent gains SYSTEM privileges, allowing complete control of the compromised system.
Affected versions:
- Windows 10 21H2 with OS build less than 19044.5965
- Windows 10 22H2 with OS build less than 19045.5965
- Windows 11 22H2 with OS build less than 22621.5472
- Windows 11 23H2 with OS build less than 22631.5472
- Windows 11 24H2 with OS build less than 26100.4349
- Windows Server 2019 with OS build less than 17763.7434
- Windows Server 2022 with OS build less than 20348.3807
This module exploits an authentication bypass vulnerability combined with a buffer overflow in Cisco Secure ASA to cause a denial of service. First, the module checks whether the target is vulnerable to the authentication bypass. If the target is vulnerable, it proceeds to trigger the denial of service.
This module uses an authentication bypass vulnerability via a race condition in AS2 validation in CrushFTP to create a new administrative user in the target application. If credentials for the new administrative user are not provided, the module generates random ones. If the exploitation succeeds, the credentials are checked against the target. Also, if the module created random credentials for the attack, a new identity with these credentials is created. Since this module relies on a race condition to exploit the vulnerability, the MAX_TRIES parameter can be used to limit the number of requests sent to the target system.
A memory corruption vulnerability in the Windows IPv6 stack allows remote Denial of Service via maliciously crafted IPv6 Fragment Header packets. Exploitation requires no authentication or user interaction. Attackers need only send specially designed packets to vulnerable hosts. Impacts all Windows versions with IPv6 enabled (default since Windows 10). This exploit performs the following steps: Obtains the data needed to launch the attack, such as the local device ID and target MAC address. Sets the IPv6 headers. Builds specially crafted packets affecting the IPv6 stack (tcpip.sys driver). Sends the packets to the target, causing a denial of service. Checks whether the remote machine is down due to a Blue Screen of Death (BSOD).
This module triggers a denial-of-service flaw in the Windows Local Session Manager (LSM). It was found to exist in Windows 11 but not in Windows 10. The vulnerability allows an authenticated, low-privileged user to crash the LSM service by making a simple Remote Procedure Call (RPC) to the RpcGetSessionIds function. The impact of this vulnerability is significant, as a crash of the LSM service can prevent users from logging in or out and affects services that depend on LSM, such as Remote Desktop Protocol (RDP) and Microsoft Defender. The vulnerability can be exploited remotely by an authenticated user with low privileges, especially on a domain controller.
An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how the WingFTP server processes usernames, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation of this vulnerability requires valid user credentials (username and password). This exploit performs the following steps: Sends a POST request to loginok.html with the malicious command in the username field. Extracts the session cookie (UID) that the server returns in the Set-Cookie header. Uses the extracted UID cookie to access dir.html. Requests and executes the necessary files to install an agent.