This module uses an authentication bypass vulnerability in telnetd to deploy a network agent. The module will bypass authentication by adding the "-f root" value to the USER environment variable in a telnet connection. The deployed network agent will run with root user privileges.

This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.

This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.

This module chains 2 vulnerabilities to deploy an agent in Progress Telerik Report Server that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in Telerik.ReportServer.Web.Controllers.StartupController.Register class. The second vulnerability a .NET deserialization vulnerability in Telerik.Reporting.XmlSerialization.XmlSerializer class. This module will use first vulnerability to create a random user with "System Administrator" role against the "/Startup/Register" endpoint and then login into the application. Then, a report with our payload will be uploaded via the "/api/reportserver/report" endpoint. Finally, the second vulnerability will be used to deploy an agent using the "/api/reports/clients" and "/api/reports/clients/clientID/parameters" endpoints. The deployed agent will run with the privileges of the "w3wp" process (TelerikReportServer instance - NT AUTHORITY\\SYSTEM).

This module chains 2 vulnerabilities to deploy an agent in Progress Telerik Report Server that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in Telerik.ReportServer.Web.Controllers.StartupController.Register class. The second vulnerability a .NET deserialization vulnerability in Telerik.Reporting.XmlSerialization.XmlSerializer class. This module will use first vulnerability to create a random user with "System Administrator" role against the "/Startup/Register" endpoint and then login into the application. Then, a report with our payload will be uploaded via the "/api/reportserver/report" endpoint. Finally, the second vulnerability will be used to deploy an agent using the "/api/reports/clients" and "/api/reports/clients/clientID/parameters" endpoints. The deployed agent will run with the privileges of the "w3wp" process (TelerikReportServer instance - NT AUTHORITY\\SYSTEM).

This module exploits an OS Command Injection to deploy an agent in Jetbrains TeamCity. The vulnerability is in the handleRequestInternal method of the BaseController class which allows bypass of authentication in HTTP requests with a path that return a 404 response and that contain an HTTP parameter named jsp. The path must end with the ".jsp" string and cannot contain the "admin/" string.

This module exploits an OS Command Injection to deploy an agent in Jetbrains TeamCity. The vulnerability is in the handleRequestInternal method of the BaseController class which allows bypass of authentication in HTTP requests with a path that return a 404 response and that contain an HTTP parameter named jsp. The path must end with the ".jsp" string and cannot contain the "admin/" string.

This module first uses hard-coded credentials for the diagnostics user to authenticate in the UCMDB component. Then a java deserialization vulnerability present in several endpoints of the UCMDB service is used to execute commands. The deployed agent will run with the SYSTEM privileges on Windows and root on Linux.

This module uses an authentication bypass and a SQL injection vulnerability in order to upload and execute a JSP file in the Wildfly virtual file system webapps directory. The deployed agent will run with SYSTEM or ROOT privileges.

Tp-link EAP Controller does not handle privilege management correctly so a non privileged user can execute privileged actions. This module will try to change the device's settings and enable ssh in order to take control of the managed Access Points.