This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. This module may also abuse CVE-2024-1403: an authentication bypass vulnerability that allow access to the adminServer classes. This module will perform the following steps: If no username and password are provided, the module will use the CVE-2024-1403 vulnerability to authenticate against the target application as the NT AUTHORITY/SYSTEM user. If a username and password are provided, then those credentials will be used for authentication. Once authenticated, it will create an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. Then, it will use the getPlugins method of the previous class to obtain a list of the interfaces exposed by the com.progress.ubroker.tools.NSRemoteObject plugin. Then, use the getRemoteManageObject method of the com.progress.ubroker.tools.NSRemoteObject class via the com.progress.ubroker.tools.IYodaSharedResources interface to create an instance of an object compatible with the com.progress.ubroker.tools.IYodaRMI interface. Then, use the doRemoteToolCmd method via the com.progress.ubroker.tools.IYodaRMI interface to add a payload to deploy an agent inside the Progress\\OpenEdge\\properties\\ubroker.properties file. An entry to an application *service* will be added. Finally, it will use again the doRemoteToolCmd method to start a process that will use the parameters added in the previous step. All requests to target will be made using Java RMI requests
This module exploits a high-severity vulnerability in Windows File Explorer. The exploit works by creating a specially crafted .lnk (shortcut) file that, when placed in a folder viewed by a victim, forces the system to automatically connect to an attacker-controlled SMB server. This connection happens without any user interaction and results in the victim's NTLM hash being sent to the attacker. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.
This module triggers a denial-of-service flaw in the Windows Local Session Manager (LSM). It was found to exist in Windows 11 but not in Windows 10. The vulnerability allows an authenticated, low-privileged user to crash the LSM service by making a simple Remote Procedure Call (RPC) to the RpcGetSessionIds function. The impact of this vulnerability is significant, as a crash of the LSM service can prevent users from logging in or out and affects services that depend on LSM, such as Remote Desktop Protocol (RDP) and Microsoft Defender. The vulnerability can be exploited remotely by an authenticated user with low privileges, especially on a domain controller.
A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker, to execute a crafted dll with SYSTEM user privileges. The steps performed by the exploit are: First It creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses. Create a thread to run first stage of executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\ESD\Windows to C:/Config.msi. It creates a task named SilentCleanup to trigger content cleanup and delete Config.msi. After deletion it creates a third thread to run second stage of FolderOrFileDeleteToSystem to drop HID.dll. Run osk.exe, then in another thread run mmc.exe.
An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how the WingFTP server usernames are processed, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation of this vulnerability requires valid user credentials (username and password). This exploit performs the following steps: Sends a POST request to loginok.html with the malicious command in the username field. Extracts the session cookie (UID). The server responds with a UID cookie in Set-Cookie. Uses the extracted UID cookie to access dir.html. Requests and execute the necessary files to install an agent.
A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where /etc/nsswitch.conf from a user-controlled directory is used. This exploit creates a temporary directory structure that mimics a normal root environment, uploads a malicious /etc/nsswitch.conf which in turn calls a shared object that escalates privileges, the exploit is triggered when executing sudo with the -R flag pointing to the user controlled directory.
This vulnerability (CVE-2024-28987) is caused by the presence of hardcoded credentials in the application, allowing unauthenticated attackers to remotely read and modify all help desk ticket details. It enables authentication with a predefined account (helpdeskIntegrationUser/dev-C4F8025E7) Affected versions include SolarWinds Web Help Desk 12.8.3 Hotfix 1 and all previous versions. An attacker exploiting this vulnerability can: - Access the REST API without requiring valid credentials. - Retrieve sensitive information from support tickets. - Read private ticket details, including internal comments. - Access confidential data, such as shared account credentials or passwords from reset requests. - Modify existing tickets, altering their content or status. - Create new tickets with false or malicious information. This exploit leverages hardcoded credentials to authenticate via Basic Authentication and interact with the SolarWinds Web Help Desk API. Steps performed by the exploit: 1 Authentication to the API - Sends a Basic Authentication request to the /OrionTickets endpoint. - If the request returns ticket data, the target is confirmed to be vulnerable. 2 Retrieving help desk tickets - Fetches all available tickets from the system. 3 Creating a new ticket (optional) - If specified as a parameter, the exploit creates a new ticket in the system. - The ticket is generated with user-defined subject and details. 4 Saving tickets to a file (optional) - The retrieved tickets can be saved to a file if a path is provided. 5 Fetching additional ticket details (optional) - The exploit can request detailed information for each ticket.