This module abuses insufficient validation in the unauthenticated JCE profiles.import endpoint to upload a crafted profile file with a PHP extension. When the file is written under the Joomla tmp directory and executed by the web server, it provides a command execution primitive. 1. Fingerprints the JCE Editor component and checks the detected version. 2. Extracts a Joomla CSRF token from the site root. 3. Uploads a PHP command runner through the vulnerable profiles.import task. 4. Verifies code execution from the Joomla tmp directory. 5. Detects the target operating system through the command runner. 6. Uses the resulting command primitive to commit an OSCI agent or deploy a network agent.
This module exploits DirtyClone, a local privilege escalation vulnerability in the Linux kernel. The trigger binary abuses the vulnerability to execute a caller-supplied custom ELF with root privileges. The module uses this mechanism to execute a generated Core Impact agent ELF. The module uploads the DirtyClone trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent will be deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.
A Server-Side Request Forgery vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) allows unauthenticated remote attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. This module uses the previous vulnerability to upload a jsp webshell into the PSEMHUB.war directory to deploy a network agent via the /PSIGW/HttpListeningConnector endpoint. First, the module will validate the vulnerability by using a random string as operation. If the target is vulnerable, the response should be a base64 encoded java string object with the text "Invalid Operation specified" Then, the module will use the REGISTER_WITH_PEERNAME operation, to get a valid peer ObjectName Then, the module will use the HANDLE_MESSAGE operation with an embedded ExecuteProcessActivityCommand object to create the jsp webshell file inside the PSEMHUB.war directory (a web-accessible location). Finally, the module will make a request to the webshell to deploy the network agent. The deployed agent will run with the same user privileges as the target software.
A Server-Side Request Forgery vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) allows unauthenticated remote attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. This module uses the previous vulnerability to upload a jsp webshell into the PSEMHUB.war directory to deploy a network agent via the /PSIGW/HttpListeningConnector endpoint. First, the module will validate the vulnerability by using a random string as operation. If the target is vulnerable, the response should be a base64 encoded java string object with the text "Invalid Operation specified" Then, the module will use the REGISTER_WITH_PEERNAME operation, to get a valid peer ObjectName Then, the module will use the HANDLE_MESSAGE operation with an embedded ExecuteProcessActivityCommand object to create the jsp webshell file inside the PSEMHUB.war directory (a web-accessible location). Finally, the module will make a request to the webshell to deploy the network agent. The deployed agent will run with the same user privileges as the target software.
This module performs profile-driven HTTP/2 HPACK bomb denial-of-service attacks against vulnerable servers. The module selects the requested profile and applies its default attack parameters unless PORT, CONNECTIONS or STREAMS are overridden. It verifies target reachability and, when required, records a pre-attack TCP or TLS latency baseline. It then establishes HTTP/2 sessions by negotiating h2, sending the client preface, and completing the initial SETTINGS exchange. After setup, it sends profile-specific HPACK bomb payloads through HEADERS and CONTINUATION frames across multiple streams. These payloads force the server to expand small compressed header blocks into much larger in-memory header state or repeated header reconstruction work. The attacked streams are held open for a profile-specific interval, optionally using WINDOW_UPDATE drips to keep server-side state active. Finally, the module determines success from post-attack liveness, latency degradation, or recovery behavior, depending on the selected profile. Blank parameters inherit the selected profile defaults. Most profiles require TLS plus ALPN h2 support in the runtime SSL stack. Pingora can be used over cleartext h2c by disabling USE TLS.
In a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. In CUPS, the server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line "PPD:" text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary with with lp user privileges. This module will first get the list of the shared printers of the target. Then, it will register an endpoint in the local webserver for future files exfiltrations. Later, it will use the vulnerability against each shared printer to exfiltrate the /etc/os-release file. If the file is retrieved, then the target will be marked as vulnerable and the following printers will be skipped in the attack. Also, the ID field of the exfiltrated file will be used to identify the Linux distribution and decide the following step of the attack. If the Linux distribution is Arch, then the module will use the vulnerability again to deploy an agent in the target that will run with the cups user privileges. If the Linux distribution is any other, the module will use the vulnerability again to exfiltrate the /etc/passwd file. This is due the fact that in any other Linux distribution CUPS's sub-processes are isolated and monitored by AppArmor or SELinux.
This module exploits Fragnesia, a local privilege escalation vulnerability in the Linux kernel XFRM ESP-in-TCP subsystem. The vulnerability can be abused to corrupt cached pages of read-only privileged files through kernel networking components. The trigger binary temporarily corrupts the page-cache contents of "/usr/bin/su" with a small ELF launcher that executes a caller-supplied custom ELF as root. The module uses this mechanism to execute a generated Core Impact agent ELF. The module uploads the Fragnesia trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent will be deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.
NGINX Plus and NGINX Open Source have a heap overflow vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the "rewrite" directive with a query string is followed (in the same location) by the "if" or "set" directive with an unnamed Perl-Compatible Regular Expression (PCRE) capture. An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. This module will first check if the endpoint given in the ENDPOINT parameter is present. If no parameter is provided, the module will use "/api" as the default value. Then it will send a HTTP request to the endpoint to cause the DoS and try to determine if the attack was successful.
A local unprivileged user can coerce "cupsd" into authenticating to an attacker-controlled localhost IPP service with a reusable "Authorization: Local" token. That token is enough to drive "/admin/" requests on "localhost", and the attacker can combine "CUPS-Create-Local-Printer" with "printer-is-shared=true" to persist a "file:///" queue even though the normal "FileDevice" policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; allowing root command execution. This module uses the previous vulnerability to escalate privileges and deploy a new agent that will run with root user privileges. The module starts a local capture server on the port given by the CAPTURE_PORT parameter. If no parameter is provided, the module will use 9189 as the default port value. Also, the IPP port can be set with the IPP_PORT parameter. If no parameter is provided, the module will use 631 as the default port value. Then it will find and use the "ipptool" executable to trigger the local admin print to leak the auth token. The module will try to leak the token 5 times. Once the token is leaked, the module will create a temporary directory and upload the trigger and agent executables. Then it will locate the "sudo" and "whoami" executables and proceed to trigger the vulnerability to create a file inside the "/etc/sudoers.d/" directory that will allow the current user to use the "sudo" command without a password. If the attack succeeds, the agent will be executed via "sudo" which will deploy a new agent with root user privileges. Once the agent is deployed, the module will delete the trigger executable and the root file in the "/etc/sudoers.d/" directory.
This module exploits DirtyFrag, a local privilege escalation vulnerability chain in the Linux kernel that can corrupt cached pages of privileged files through kernel networking components. The trigger binary supports two exploitation paths. The ESP path temporarily corrupts the page-cache contents of "/usr/bin/su" with a small ELF launcher that executes a caller-supplied custom ELF as root. The rxrpc/rxkad path temporarily corrupts the page-cache contents of "/etc/passwd" to allow passwordless root authentication through "su" and then executes the supplied custom ELF. Before running either path, the trigger binary creates a temporary full backup of the target file it may corrupt. The ESP path restores "/usr/bin/su" from its backup after the patched "su" process is launched. The rxrpc/rxkad path restores "/etc/passwd" from its backup and removes that backup before handing execution to the custom ELF. The module uploads the DirtyFrag trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter. If no parameter is provided, the module will use "/tmp" as the default value. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent will be deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.