This module uses an authentication bypass vulnerability in telnetd to deploy a network agent. The module will bypass authentication by adding the "-f root" value to the USER environment variable in a telnet connection. The deployed network agent will run with root user privileges.

This module uses an authenticated OS command injection vulnerability in Fortinet FortiWeb to deploy a python agent. First, the module will login in the target application using the given credentials. If no credentials are supplied, the module will attempt to create a new user with administrative privileges (prof_admin) in the target system using random credentials via CVE-2025-64446 vulnerability. If authentication succeeds, the module will save the new user credentials as an identity in Impact. Next, the module will retrieve the target system version via the /api/v2.0/system/state endpoint. The version will be used to select the attack payload. Then, the module will switch to websockets usage via the /ws/cli/open endpoint to access the CLI. Finally, it will send CLI commands to create a new SAML configuration with the OS commands to deploy a python agent. The deployed python agent will run with root user privileges.

This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.

This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.

This module uses an insecure deserialization vulnerability in React Server Components to deploy an agent. The module will first check if the target is vulnerable by using the given endpoint with a generic payload. If the target is vulnerable, an OSCI agent will be deployed and the vulnerability will be used again, with a payload that will deploy an in-memory webshell. This webshell can be used later by the OSCI agent to execute OS commands or deploy a network agent. The deployed agent will run with the same privileges of the webapp.

This module exploits an OS Command Injection present in the getCASURL perl function of Dell Unity to deploy an agent. The module will trigger the vulnerability by embedding the system commands to deploy the agent in a request to the /misc endpoint. Spaces in the system command will be replaced with the ${IFS} shell variable. The deployed agent will run with the apache user account privileges.

This module exploits a OS Command Injection via ASP.NET markup vulnerability present in the WikiContentWebpart Web Part of Microsoft SharePoint Server to deploy an agent. The deployed agent will run with the SharePoint Server service account privileges.

This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. This module may also abuse CVE-2024-1403: an authentication bypass vulnerability that allow access to the adminServer classes. This module will perform the following steps: If no username and password are provided, the module will use the CVE-2024-1403 vulnerability to authenticate against the target application as the NT AUTHORITY/SYSTEM user. If a username and password are provided, then those credentials will be used for authentication. Once authenticated, it will create an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. Then, it will use the getPlugins method of the previous class to obtain a list of the interfaces exposed by the com.progress.ubroker.tools.NSRemoteObject plugin. Then, use the getRemoteManageObject method of the com.progress.ubroker.tools.NSRemoteObject class via the com.progress.ubroker.tools.IYodaSharedResources interface to create an instance of an object compatible with the com.progress.ubroker.tools.IYodaRMI interface. Then, use the doRemoteToolCmd method via the com.progress.ubroker.tools.IYodaRMI interface to add a payload to deploy an agent inside the Progress\\OpenEdge\\properties\\ubroker.properties file. An entry to an application *service* will be added. Finally, it will use again the doRemoteToolCmd method to start a process that will use the parameters added in the previous step. All requests to target will be made using Java RMI requests

This module uses a XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage java class and accessed via the /mdm/serverurl endpoint to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line. The module will create a new identity with these credentials. Then, with the main administrator credentials, the module will login in the application and then use the authenticated OS command injection via the /API.jsp endpoint to execute system commands to deploy the agent.

This module uses a XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage java class and accessed via the /mdm/serverurl endpoint to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line. The module will create a new identity with these credentials. Then, with the main administrator credentials, the module will login in the application and then use the authenticated OS command injection via the /API.jsp endpoint to execute system commands to deploy the agent.