This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2023-27997. The detection of the vulnerability is probabilistic. The module sends ~400 requests that trigger the heap overflow in a way that does not corrupt anything in use in memory, and another ~400 requests that do not trigger the overflow. It then calculates the mean of each group and performs a Welch's t-test. If the result of the test is not reliable, the module repeats the process. Therefore the module may need several minutes (around 10 min) to produce a good result.
This module connects to a remote target via any exposed DCE RPC endpoints and fingerprints them to determine if the machine appears to be compromised by the Conficker worm. The module is able to detect B, C and D variants of the worm.
This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2023-20198 based on inspection of the target's response. If the target is vulnerable, the module will create a new local administrator user on the target system using the provided credentials. The new credentials will also be added as an identity.
Insufficient input validation leading to a memory over-read in Citrix NetScaler ADC and Citrix NetScaler Gateway, when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server, may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the /p/u/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine whether the target system is vulnerable.
This vulnerability enables unauthenticated attackers to bypass authentication in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability stems from how the CrushAuth cookie and AWS4-style Authorization header are processed, allowing attackers to impersonate an administrator by crafting specific values using a valid username. A valid username is required for the attack to succeed, but no password is needed. By default, CrushFTP includes a built-in administrative user named crushadmin. This user is automatically suggested during the initial setup, but administrators may choose a different name. The exploit will only succeed if the username provided exists on the system. Successful exploitation provides full administrative access to the CrushFTP WebInterface. This exploit performs the following steps:
1. Authentication Bypass
- Sends a request to the 'getUserList' endpoint (typically at /WebInterface/function/) using a crafted 'CrushAuth' cookie and 'Authorization' header.
- If the server returns the list of users, the target is confirmed vulnerable.
2. User Enumeration
- Parses the XML response to extract usernames and displays them in the module output.
3. Optional User Creation
- If the parameters new_username and new_userpass are provided, a new user is created via the setUserItem endpoint.
This module exploits an issue in GitLab CE/EE that allows sending password reset emails to an unverified email address. In order to take over the account, the module exploits the vulnerability by adding the attacker's email to the JSON sent to the /users/password endpoint; it then connects via IMAP to the attacker's mailbox, parses the reset email and changes the password.
A SQL injection vulnerability in Fortra FileCatalyst Workflow versions 5.1.6 build 135 and earlier allows remote attackers, including anonymous ones, to perform SQL injection via the JOBID parameter. This could lead to execution of unauthorized SQL commands such as table deletion or admin user creation. This module, without authentication, creates an administrative user and then authenticates with the newly created user to assess whether the system is vulnerable. This module does not install an agent but instead creates an administrator user for FileCatalyst.