This module uses a SQL injection vulnerability in Fortinet FortiWeb to deploy an agent in the appliance that will run with root user privileges. The vulnerability is reached via the /api/fabric/device/status endpoint. The module will first check if the target is vulnerable using the previous endpoint with a generic payload. Then, it will use the vulnerability to upload and write a webshell in disk that will allow the execution of OS commands to deploy an agent. Next, it will use the vulnerability again to upload, write an execute a python script that will give execution permission to the uploaded webshell. Finally, it will send several requests to the webshell to deploy a Core Impact agent. Once the agent is deployed, the webshell and the python script will be erased from the target system.
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
This module allow to set a short name 8.3 of a file when you don't have write privileges to the directory where the file is located.The vulnerability exists due to NtfsSetShortNameInfo does not properly impose security restrictions in NTFS Set Short Name, which leads to security restrictions bypass and privilege escalation. SETTING THE STAGE. Log in as a normal user in the target machine, and create a txt file in root accepting the UAC prompts for the administrator, verify that you can write to this file, next pass the path to the file to the checker's TARGET_FILE_PATH argument, create the agent as normal user and use the checker, if the machine is vulnerable the ShortName of the file will be changed and displayed albeit you has no permission to do it in this folder
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. It must be executed on an agent with root privileges only for linux system.
Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files, which evade warnings on attempts to execute packaged files, even if ZIP file was downloaded from the Internet. The "Mark Of The Web" is not transferred from the Zipped File into the Unzipped File if the target is vulnerable.
This module executes a program designed to check for a buffer overflow in glibc's getaddrinfo function. Multiple stack-based buffer overflows in the send_dg and send_vc functions in the libresolv library in the GNU C Library allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family.
This module executes a program designed to test a buffer overflow in glibc's __nss_hostname_digits_dots function. The function is used by the gethostbyname*() functions family used for name resolution. Under some circumstances, the use of those functions when the vulnerable underlying function is present, may lead to remote code execution, privilege escalation, or information disclosure.
An insufficient input validation leading to memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the /p/u/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine if the target system is vulnerable.