diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index a8d74d72c6..0000438fd3 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -59553,7 +59553,7 @@
 "targets": [
 "Linux Dropper"
 ],
- "mod_time": "2022-02-25 11:34:31 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/linux/http/axis_app_install.rb",
 "is_install_path": true,
 "ref_name": "linux/http/axis_app_install",
@@ -64297,7 +64297,7 @@
 "targets": [
 "IBM Data Risk Manager <= 2.0.4"
 ],
- "mod_time": "2021-09-08 21:56:02 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/linux/http/ibm_drm_rce.rb",
 "is_install_path": true,
 "ref_name": "linux/http/ibm_drm_rce",
@@ -64305,6 +64305,16 @@
 "post_auth": false,
 "default_credential": false,
 "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+ "artifacts-on-disk",
+ "ioc-in-logs"
+ ]
 },
 "session_types": false,
 "needs_cleanup": null
@@ -65598,7 +65608,7 @@
 "Cody Winkler",
 "numan türle"
 ],
- "description": "This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.\n The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.",
+ "description": "This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.\n The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.",
 "references": [
 "EDB-48483",
 "CVE-2020-7209",
@@ -65629,7 +65639,7 @@
 "Automatic (Unix In-Memory)",
 "Automatic (Linux Dropper)"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/linux/http/linuxki_rce.rb",
 "is_install_path": true,
 "ref_name": "linux/http/linuxki_rce",
@@ -65637,6 +65647,16 @@
 "post_auth": false,
 "default_credential": false,
 "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+ "artifacts-on-disk",
+ "ioc-in-logs"
+ ]
 },
 "session_types": false,
 "needs_cleanup": true
@@ -67724,7 +67744,7 @@
 "Linux (x64)",
 "Linux (cmd)"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/linux/http/pandora_fms_events_exec.rb",
 "is_install_path": true,
 "ref_name": "linux/http/pandora_fms_events_exec",
@@ -67732,6 +67752,16 @@
 "post_auth": true,
 "default_credential": false,
 "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+ "artifacts-on-disk",
+ "ioc-in-logs"
+ ]
 },
 "session_types": false,
 "needs_cleanup": null
@@ -74122,7 +74152,7 @@
 "author": [
 "stealthcopter"
 ],
- "description": "This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release\n feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`.",
+ "description": "This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release\n feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`.",
 "references": [
 "EDB-47147",
 "URL-https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
@@ -74140,7 +74170,7 @@
 "targets": [
 "Automatic"
 ],
- "mod_time": "2021-02-16 13:56:50 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/linux/local/docker_privileged_container_escape.rb",
 "is_install_path": true,
 "ref_name": "linux/local/docker_privileged_container_escape",
@@ -74148,6 +74178,16 @@
 "post_auth": false,
 "default_credential": false,
 "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+ "artifacts-on-disk",
+ "ioc-in-logs"
+ ]
 },
 "session_types": [
 "shell",
@@ -76060,7 +76100,7 @@
 "author": [
 "Gavin Youker "
 ],
- "description": "This module attempts to create a new login session by\n invoking the su command of a valid username and password.\n\n If the login is successful, a new session is created via\n the specified payload.\n\n Because su forces passwords to be passed over stdin, this\n module attempts to invoke a psuedo-terminal with python,\n python3, or script.",
+ "description": "This module attempts to create a new login session by\n invoking the su command of a valid username and password.\n\n If the login is successful, a new session is created via\n the specified payload.\n\n Because su forces passwords to be passed over stdin, this\n module attempts to invoke a psuedo-terminal with python,\n python3, or script.",
 "references": [
 
 ],
@@ -76077,7 +76117,7 @@
 "Linux x86",
 "Linux x86_64"
 ],
- "mod_time": "2021-02-17 12:33:59 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/linux/local/su_login.rb",
 "is_install_path": true,
 "ref_name": "linux/local/su_login",
@@ -76085,6 +76125,16 @@
 "post_auth": true,
 "default_credential": false,
 "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+ "artifacts-on-disk",
+ "ioc-in-logs"
+ ]
 },
 "session_types": [
 "shell",
@@ -76148,7 +76198,7 @@
 "Fedora 23 x64 (sudo v1.8.14p3, libc v2.22)",
 "Manual"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/linux/local/sudo_baron_samedit.rb",
 "is_install_path": true,
 "ref_name": "linux/local/sudo_baron_samedit",
@@ -78670,7 +78720,7 @@
 "targets": [
 "TP-Link Archer A7/C7 (AC1750) v5 (firmware up to 201029/30)"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb",
 "is_install_path": true,
 "ref_name": "linux/misc/tplink_archer_a7_c7_lan_rce",
@@ -78678,6 +78728,16 @@
 "post_auth": false,
 "default_credential": false,
 "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+ "artifacts-on-disk",
+ "ioc-in-logs"
+ ]
 },
 "session_types": false,
 "needs_cleanup": null
@@ -79070,7 +79130,7 @@
 "Unix Command",
 "Linux Dropper"
 ],
- "mod_time": "2022-04-26 12:34:45 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/linux/redis/redis_debian_sandbox_escape.rb",
 "is_install_path": true,
 "ref_name": "linux/redis/redis_debian_sandbox_escape",
@@ -86265,7 +86325,7 @@
 "Spencer McIntyre",
 "jheysel-r7"
 ],
- "description": "This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and\n access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM’s\n implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a\n vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.\n\n This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus\n is susceptible to the same issue.",
+ "description": "This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and\n access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM’s\n implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a\n vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.\n\n This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus\n is susceptible to the same issue.",
 "references": [
 "CVE-2021-35464",
 "URL-https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464",
@@ -86293,7 +86353,7 @@
 "Unix Command",
 "Linux Dropper"
 ],
- "mod_time": "2021-07-09 16:39:58 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/multi/http/cve_2021_35464_forgerock_openam.rb",
 "is_install_path": true,
 "ref_name": "multi/http/cve_2021_35464_forgerock_openam",
@@ -87364,7 +87424,7 @@
 "targets": [
 "Automatic"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/multi/http/gitlab_file_read_rce.rb",
 "is_install_path": true,
 "ref_name": "multi/http/gitlab_file_read_rce",
@@ -99658,7 +99718,7 @@
 "Linux (Command)",
 "AIX (Command)"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb",
 "is_install_path": true,
 "ref_name": "multi/misc/ibm_tm1_unauth_rce",
@@ -99666,6 +99726,17 @@
 "post_auth": false,
 "default_credential": false,
 "notes": {
+ "Stability": [
+ "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+ "config-changes",
+ "artifacts-on-disk",
+ "ioc-in-logs"
+ ]
 },
 "session_types": false,
 "needs_cleanup": true
@@ -144129,7 +144200,7 @@
 "Windows Dropper",
 "Windows Command"
 ],
- "mod_time": "2021-11-10 11:12:38 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/windows/http/exchange_proxylogon_rce.rb",
 "is_install_path": true,
 "ref_name": "windows/http/exchange_proxylogon_rce",
@@ -146495,7 +146566,7 @@
 "Windows Command",
 "Windows Powershell"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb",
 "is_install_path": true,
 "ref_name": "windows/http/hpe_sim_76_amf_deserialization",
@@ -150458,7 +150529,7 @@
 "Windows Command",
 "Windows Powershell"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/windows/http/sharepoint_workflows_xoml.rb",
 "is_install_path": true,
 "ref_name": "windows/http/sharepoint_workflows_xoml",
@@ -155594,7 +155665,7 @@
 "bee13oy",
 "timwr"
 ],
- "description": "This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx\n within win32k. The out of bounds write can be used to overwrite the pvbits of a\n SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel\n memory, an attacker can gain arbitrary code execution as the SYSTEM user.\n\n This module has been tested against a fully updated Windows 7 x64 SP1. Offsets\n within the exploit code may need to be adjusted to work with other versions of\n Windows.",
+ "description": "This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx\n within win32k. The out of bounds write can be used to overwrite the pvbits of a\n SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel\n memory, an attacker can gain arbitrary code execution as the SYSTEM user.\n\n This module has been tested against a fully updated Windows 7 x64 SP1. Offsets\n within the exploit code may need to be adjusted to work with other versions of\n Windows.",
 "references": [
 "CVE-2020-1054",
 "URL-https://cpr-zero.checkpoint.com/vulns/cprid-2153/",
@@ -155615,7 +155686,7 @@
 "targets": [
 "Windows 7 x64"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/windows/local/cve_2020_1054_drawiconex_lpe.rb",
 "is_install_path": true,
 "ref_name": "windows/local/cve_2020_1054_drawiconex_lpe",
@@ -156541,7 +156612,7 @@
 "targets": [
 "Windows"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/windows/local/lexmark_driver_privesc.rb",
 "is_install_path": true,
 "ref_name": "windows/local/lexmark_driver_privesc",
@@ -157934,7 +158005,7 @@
 "Grant Willcox",
 "timwr"
 ],
- "description": "This module exploits a NULL pointer dereference vulnerability in\n MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call.\n\n The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()\n function does not effectively check the validity of the tagPOPUPMENU\n objects it processes before passing them on to MNGetpItemFromIndex(),\n where the NULL pointer dereference will occur.\n\n This module has been tested against Windows 7 x86 SP0 and SP1. Offsets\n within the solution may need to be adjusted to work with other versions\n of Windows, such as Windows Server 2008.",
+ "description": "This module exploits a NULL pointer dereference vulnerability in\n MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call.\n\n The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()\n function does not effectively check the validity of the tagPOPUPMENU\n objects it processes before passing them on to MNGetpItemFromIndex(),\n where the NULL pointer dereference will occur.\n\n This module has been tested against Windows 7 x86 SP0 and SP1. Offsets\n within the solution may need to be adjusted to work with other versions\n of Windows, such as Windows Server 2008.",
 "references": [
 "CVE-2019-0808",
 "URL-https://github.com/exodusintel/CVE-2019-0808",
@@ -157954,7 +158025,7 @@
 "targets": [
 "Windows 7 x86"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/windows/local/ntusermndragover.rb",
 "is_install_path": true,
 "ref_name": "windows/local/ntusermndragover",
@@ -158917,7 +158988,7 @@
 "targets": [
 "Automatic"
 ],
- "mod_time": "2021-09-08 21:56:02 +0000",
+ "mod_time": "2023-02-08 15:20:32 +0000",
 "path": "/modules/exploits/windows/local/tokenmagic.rb",
 "is_install_path": true,
 "ref_name": "windows/local/tokenmagic",
@@ -165646,7 +165717,7 @@
 "targets": [
 "Windows Universal (x64) - v7.80.3132"
 ],
- "mod_time": "2021-08-27 17:15:33 +0000",
+ "mod_time": "2023-02-08 15:46:07 +0000",
 "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb",
 "is_install_path": true,
 "ref_name": "windows/nimsoft/nimcontroller_bof",
@@ -165656,6 +165727,12 @@
 "notes": {
 "Stability": [
 "crash-safe"
+ ],
+ "Reliability": [
+ "repeatable-session"
+ ],
+ "SideEffects": [
+
 ]
 },
 "session_types": false,