This module exploits a java deserialization vulnerability present in the CewolfRenderer servlet. Also, this module exploits a blind XXE vulnerability present in the ProcessTrackingListener class.

This module exploits an unauthenticated command injection in multiple API endpoints by supplying NULL bytes to the git command used at this endpoints which allows the passage of extra arguments that lead to OS command injection. Successful exploitation requires access to a public repository. The deployed agent will run with the atlbitbucket user account privileges.

This module exploits an unauthenticated command injection in multiple API endpoints by supplying NULL bytes to the git command used at this endpoints which allows the passage of extra arguments that lead to OS command injection. Successful exploitation requires access to a public repository. The deployed agent will run with the atlbitbucket user account privileges.

This module exploits a default erlang cluster node cookie vulnerability to deploy an agent in Apache CouchDB that will run with couchdb user privileges.

This module chains 3 vulnerabilities to deploy an agent in VMware vRealize Operations Manager that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in com.vmware.vcops.ui.util.MainPortalFilter class. The second vulnerability an information disclosure vulnerability present in com.vmware.vcops.ui.action.SupportLogsAction that allows to read sensitive passwords from log files. The third vulnerability is a local privilege escalation by using the generateSupportBundle.py script with a crafted VCOPS_BASE environment variable. This module will change VMware vRealize Operations Manager admin user password.

This module chains 3 vulnerabilities to deploy an agent in VMware vRealize Operations Manager that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in com.vmware.vcops.ui.util.MainPortalFilter class. The second vulnerability an information disclosure vulnerability present in com.vmware.vcops.ui.action.SupportLogsAction that allows to read sensitive passwords from log files. The third vulnerability is a local privilege escalation by using the generateSupportBundle.py script with a crafted VCOPS_BASE environment variable. This module will change VMware vRealize Operations Manager admin user password.

This module chains 3 vulnerabilities to deploy an agent in VMware Workspace ONE Access that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in OAuth2TokenResourceController Access Control Service (ACS). The second vulnerability a JDBC Injection in DBConnectionCheckController dbCheck that allow to execute remote system commands. The third vulnerability is a local privilege escalation using the publishCaCert.hzn and gatherConfig.hzn scripts.

This module chains 3 vulnerabilities to deploy an agent in VMware Workspace ONE Access that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in OAuth2TokenResourceController Access Control Service (ACS). The second vulnerability a JDBC Injection in DBConnectionCheckController dbCheck that allow to execute remote system commands. The third vulnerability is a local privilege escalation using the publishCaCert.hzn and gatherConfig.hzn scripts.

This module exploits a server-side template injection vulnerability present in the customError.ftl filter of VMware Workspace ONE Access. The deployed agent will run with horizon user privileges.

This module exploits a server-side template injection vulnerability present in the customError.ftl filter of VMware Workspace ONE Access. The deployed agent will run with horizon user privileges.