This module crashes the target machine producing a blue screen by sending a malformed HTTP packet.
This module first uses hard-coded credentials for the diagnostics user to authenticate in the UCMDB component. Then a java deserialization vulnerability present in several endpoints of the UCMDB service is used to execute commands. The deployed agent will run with the SYSTEM privileges on Windows and root on Linux.
An elevation of privilege vulnerability exists in the way the Windows Graphics Component handles objects in memory.
The Security Service of Cisco AnyConnect Posture (HostScan) for Windows incorrectly restricts access to internal IPC commands. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges by sending crafted IPC commands. This module bypasses CVE-2021-1366 by abusing a Time-of-check Time-of-use (TOCTOU) Race Condition in the priv_file_copy command.
This module uses an unauthenticated remote PHP file upload vulnerability via File Manager (wp-file-manager) plugin in WordPress to upload and execute a PHP agent file to gain arbitrary code execution on the affected system.
This module uses an authenticated JNDI injection vulnerability via JndiBindingHandle class in Oracle Weblogic Server to upload and execute a java class file to gain arbitrary code execution on the affected system.
In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible
This module uses an unauthenticated file upload vulnerability via uploadova plugin in VMware vCenter Server to upload and extract a TAR file. This TAR file contains a path traversal that allows writing files at arbitraries locations. In the vulnerable 6.5.X and 6.7.X (build 13010631 and lower) versions of VMware vCenter Server, a JSP file is deployed to gain arbitrary code execution. In the vulnerable 6.7.X (build 13643870 and greater) and 7.X versions, a file with public keys are uploaded to the vsphere-ui user home directory and then used to deploy an agent via SSH. Notice that in 6.7.X versions SSH access is disabled by default.
SolarWinds Orion is prone to a remote vulnerability that allows unauthenticated attackers to execute system commands. Using the lack of permissions that the Collector Service set on its private queues, it is possible to remotely send messages that will be deserialized allowing to execute commands as SYSTEM.
A remote code execution vulnerability exists in Windows when the DNS Server component fails to properly handle certain types of request.