The vulnerability exists within the GetCookie() endpoint due to unsafe deserialization of AuthorizationCookie objects. The application insecurely decrypts cookie data using AES-128-CBC and subsequently deserializes it via BinaryFormatter without sufficient type validation.
This module uses an insecure deserialization vulnerability in React Server Components to deploy an agent. The module will first check if the target is vulnerable by using the given endpoint with a generic payload. If the target is vulnerable, an OSCI agent will be deployed and the vulnerability will be used again, with a payload that will deploy an in-memory webshell. This webshell can be used later by the OSCI agent to execute OS commands or deploy a network agent. The deployed agent will run with the same privileges as the webapp.
This module exploits an access control issue in Windows SMB clients to deploy a remote agent with SYSTEM privileges through a multi-stage attack chain:
1. DNS Injection: Adds a malicious DNS record 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' via LDAP to the domain controller, pointing to the attacker's IP address.
2. NTLM Relay: Starts an ntlmrelayx server that waits for SMB authentication attempts and relays them to install an agent with SYSTEM privileges on the target system.
3. RPC Coercion: Forces the victim system to authenticate to the attacker-controlled DNS name using coercion techniques.
Cisco Secure ASA contains an improper validation of user-supplied input in HTTP(S) requests that allows an unauthenticated remote attacker to access restricted URL endpoints that are related to remote access VPN. Combined with a buffer overflow in the files_action.lua Lua script, these vulnerabilities may allow unauthenticated remote attackers to execute arbitrary code as root or cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions.
CrushFTP, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
A memory corruption vulnerability in the Windows IPv6 stack allows remote Denial of Service via maliciously crafted IPv6 Fragment Header packets, leading to kernel-level compromise. Exploitation requires no authentication or user interaction: attackers need only send specially designed packets to vulnerable hosts. It impacts all Windows versions with IPv6 enabled (default since Windows 10).
A denial of service vulnerability exists in the Local Session Manager (LSM) service when an authenticated attacker connects to the target system and sends specially crafted requests.
Wing FTP Server version 7.4.3 and prior is prone to remote code execution due to improper handling of null bytes in both the user and admin web interfaces. This flaw allows attackers to inject arbitrary Lua commands into session files, which are then executed by the server with the privileges of the FTP service.
Insufficient input validation leading to a memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway, when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application.
This module exploits an authentication bypass vulnerability in the CrushFTP WebInterface. Versions affected include 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability allows an unauthenticated attacker to bypass login by crafting a forged CrushAuth cookie and abusing the Authorization header. If a valid username is known (e.g., crushadmin), the attacker can: Retrieve a full list of users via getUserList.