An authenticated user can exploit a command injection vulnerability in the web components of Ivanti Connect Secure (9.x and 22.x) to execute arbitrary commands. This module exploits two vulnerabilities. First, it leverages the lack of authentication in "/api/v1/totp/user-backup-code", allowing unauthenticated access and path traversal. Then, it uses this vulnerability to access the system and execute remote commands in "/api/v1/license/key-status/path:node_name". The deployed agent will run with ROOT privileges.
The Windows Client Side Caching Driver (csc.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted IOCTL request. The steps performed by the binary exploit are: Null Pointer write to arbitrary kernel R/W through a CscDevFcbXXXControlFile routine which is called by RDBSS to pass a device FCB control request to the network mini-redirector not validating the input buffer in IOCTL 0x001401a3 Overwrite the thread's PreviousMode through the NULL pointer and get an arbitrary read/write memory primitive via NtWriteVirtualMemory/NtReadVirtualMemory SYSTEM token stealing Agent deployment through process injection on the LSASS.exe process
This exploit uses InitializeXamlDiagnosticsEx in order to inject a DLL in an elevated process. It will check if any elevated process running uses UWP and then inject. One example of elevated process with UWP is taskmgr. It will check for 180 seconds.
An error in the way Fortra Robot Schedule grants write permission to unprivileged users to replace modules that are running with system privileges. A low-privileged user can overwrite the service executable. When the service is restarted, the replaced binary runs a SYSTEM privileged Core Impact agent.
In PHP, when using Apache and PHP-CGI on Windows and if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow remote attackers to pass options to PHP binary being run, leading to execute system commands in the context of the affected application. This module will exploit the vulnerability by using the "cgi.force_redirect=0" parameter and attacking the "/php-cgi/php-cgi.exe" endpoint; which are required to exploit XAMPP on Windows. If the target is vulnerable but is not XAMPP, then the ENDPOINT parameter must point to a proper php script.
In PHP, when using Apache and PHP-CGI on Windows and if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow remote attackers to pass options to PHP binary being run, leading to execute system commands in the context of the affected application. This module will exploit the vulnerability by using the "cgi.force_redirect=0" parameter and attacking the "/php-cgi/php-cgi.exe" endpoint; which are required to exploit XAMPP on Windows. If the target is vulnerable but is not XAMPP, then the TARGET parameter must point to a proper php script.
A directory traversal vulnerability in the /clients/MyCRL endpoint of sslvpn.full allows unauthenticated remote attackers to download system files. This module exploits the directory traversal to download the file specified in the "FILE PATH" parameter and to save it locally in the location specified in the "OUTPUT PATH" parameter.
A directory traversal vulnerability in the WebResourceServiceImpl class of org.sonatype.nexus.internal.webresources allows unauthenticated remote attackers to download any file, including system files outside of Sonatype Nexus Repository Manager application scope. This module exploits the directory traversal to download the file specified in the "FILE PATH" parameter and to save it locally in the location specified in the "OUTPUT PATH" parameter.
This module uses a server side template injection vulnerability in CrushFTP to check if the target is vulnerable to CVE-2024-4040 . If the target is vulnerable, the module will download the specified file and log several server variables.
The Cloud Files Mini Filter Driver (cldflt.sys) present in Microsoft Windows is vulnerable to a buffer overflow, which can result in out-of-bounds memory write to paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.