This module exploits a java deserialization vulnerability present in the CewolfRenderer servlet. Also, this module exploits a blind XXE vulnerability present in the ProcessTrackingListener class.

This module chains 3 vulnerabilities to deploy an agent in VMware vRealize Operations Manager that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in com.vmware.vcops.ui.util.MainPortalFilter class. The second vulnerability an information disclosure vulnerability present in com.vmware.vcops.ui.action.SupportLogsAction that allows to read sensitive passwords from log files. The third vulnerability is a local privilege escalation by using the generateSupportBundle.py script with a crafted VCOPS_BASE environment variable. This module will change VMware vRealize Operations Manager admin user password.

This module chains 3 vulnerabilities to deploy an agent in VMware vRealize Operations Manager that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in com.vmware.vcops.ui.util.MainPortalFilter class. The second vulnerability an information disclosure vulnerability present in com.vmware.vcops.ui.action.SupportLogsAction that allows to read sensitive passwords from log files. The third vulnerability is a local privilege escalation by using the generateSupportBundle.py script with a crafted VCOPS_BASE environment variable. This module will change VMware vRealize Operations Manager admin user password.

This module chains 3 vulnerabilities to deploy an agent in VMware Workspace ONE Access that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in OAuth2TokenResourceController Access Control Service (ACS). The second vulnerability a JDBC Injection in DBConnectionCheckController dbCheck that allow to execute remote system commands. The third vulnerability is a local privilege escalation using the publishCaCert.hzn and gatherConfig.hzn scripts.

This module chains 3 vulnerabilities to deploy an agent in VMware Workspace ONE Access that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in OAuth2TokenResourceController Access Control Service (ACS). The second vulnerability a JDBC Injection in DBConnectionCheckController dbCheck that allow to execute remote system commands. The third vulnerability is a local privilege escalation using the publishCaCert.hzn and gatherConfig.hzn scripts.

This module exploits a server-side template injection vulnerability present in the customError.ftl filter of VMware Workspace ONE Access. The deployed agent will run with horizon user privileges.

This module exploits a server-side template injection vulnerability present in the customError.ftl filter of VMware Workspace ONE Access. The deployed agent will run with horizon user privileges.

This module exploits an authentication bypass vulnerability present in iControl REST of F5 BIG-IP. The deployed agent will run with root privileges.

This module exploits an authentication bypass vulnerability present in iControl REST of F5 BIG-IP. The deployed agent will run with root privileges.

This module uses an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader in Spring MVC and Spring WebFlux applications in order to upload and execute a JSP file in the Tomcat virtual file system webapps directory.