exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 11 of 11 RSS Feed

Files from Ben Campbell

Email addresseat_meatballs at hotmail.co.uk
First Active2012-08-07
Last Active2024-09-01
GitLab User Enumeration
Posted Sep 1, 2024
Authored by Ben Campbell | Site metasploit.com

The GitLab internal API is exposed unauthenticated on GitLab. This allows the username for each SSH Key ID number to be retrieved. Users who do not have an SSH Key cannot be enumerated in this fashion. LDAP users, e.g. Active Directory users will also be returned. This issue was fixed in GitLab v7.5.0 and is present from GitLab v5.0.0.

tags | exploit
SHA-256 | 71630cfcfed3904689a0ba6bbbfad435b4547e989b51038e7a14ced61cb53df9
Windows Escalate UAC Protection Bypass
Posted Sep 4, 2015
Authored by Ben Campbell, vozzie | Site metasploit.com

This Metasploit module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries.

tags | exploit
systems | windows
SHA-256 | 6a2017090a1d8df299e19c2f05246d4fcd92fcba63db5b4f0d368934a069f10d
Windows Run Command As User
Posted Mar 30, 2015
Authored by Ben Campbell, Kx499 | Site metasploit.com

This Metasploit module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default. Unless targetting a local user either set the DOMAIN, or specify a UPN user format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function. A custom command line can be sent instead of uploading an executable. APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine respectively. See the MSDN documentation for how these two values interact.

tags | exploit, local
SHA-256 | 9708939c73c492103ede2da0dee3008422e7c17f9e1ed2961f1a52f94e096c31
Powershell Remoting Remote Command Execution
Posted Mar 24, 2015
Authored by Ben Campbell | Site metasploit.com

This Metasploit module uses Powershell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise use a HOSTFILE to supply a list of known hostnames.

tags | exploit, tcp
advisories | CVE-1999-0504, OSVDB-3106
SHA-256 | 81d95a12d4da050bcc3d10140dea8044b0356300805672102af4206ac0964126
Windows Escalate UAC Protection Bypass (In Memory Injection)
Posted Mar 5, 2014
Authored by David Kennedy, Ben Campbell, mitnick, mubix | Site metasploit.com

This Metasploit module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This Metasploit module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also).

tags | exploit, shell
systems | windows
SHA-256 | 2af1863cdb30bfd4736972507c329a2bdd36de75f1f53ed9dba7e1b9c141c5d9
Windows Command Shell Upgrade (Powershell)
Posted Feb 11, 2014
Authored by Ben Campbell | Site metasploit.com

This Metasploit module executes Powershell to upgrade a Windows Shell session to a full Meterpreter session.

tags | exploit, shell
systems | windows
SHA-256 | 77f33a93fab9dec0bfbe6f0a7ddb463203a9de47dd740a64deea3ff1282ff494
Windows Management Instrumentation (WMI) Remote Command Execution
Posted Oct 23, 2013
Authored by Ben Campbell | Site metasploit.com

This Metasploit module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that session. The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash. We do not get feedback from the WMIC command so there are no indicators of success or failure. The remote host must be configured to allow remote Windows Management Instrumentation.

tags | exploit, remote, tcp
systems | windows
advisories | CVE-1999-0504, OSVDB-3106
SHA-256 | 62ddec099dce84f039f9c1e73d6d0a966bff9197effb670f8a09f3099afdb20a
IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL
Posted Sep 6, 2013
Authored by Ben Campbell | Site metasploit.com

This Metasploit module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules' (IKEEXT) service which runs as SYSTEM, and starts automatically in default installations of Vista-Win8. It requires an insecure bin path to plant the DLL payload.

tags | exploit
SHA-256 | 664b8ccaa34cabc3e056eff029e115d751e01362e197a53fd6f02840557011df
Powershell Payload Web Delivery
Posted Jul 25, 2013
Authored by Ben Campbell, Christopher Campbell | Site metasploit.com

This Metasploit module quickly fires up a web server that serves the payload in powershell. The provided command will start powershell and then download and execute the payload. The IEX command can also be extracted to execute directly from powershell. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so is unlikely to trigger AV solutions and will allow to attempt local privilege escalations supplied by meterpreter etc. You could also try your luck with social engineering. Ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.

tags | exploit, remote, web, x86, local
SHA-256 | 3df7ddc32fd686c31c096c385be3456948866192543e5796efa9d470ac552386
Windows AlwaysInstallElevated MSI
Posted Nov 29, 2012
Authored by Parvez Anwar, Ben Campbell | Site metasploit.com

This Metasploit module checks the AlwaysInstallElevated registry keys which dictate if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The default MSI file is data/exploits/exec_payload.msi with the WiX source file under external/source/exploits/exec_payload_msi/exec_payload.wxs. This MSI simply executes payload.exe within the same folder. The MSI may not execute successfully successive times, but may be able to get around this by regenerating the MSI. MSI can be rebuilt from the source using the WIX tool with the following commands: candle exec_payload.wxs light exec_payload.wixobj.

tags | exploit, registry
SHA-256 | c7e98f972baf436cdfffebb9e430a37c5fe6f420bfd185f513efaf7d19a631e2
Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution
Posted Aug 7, 2012
Authored by Tavis Ormandy, Richard Hicks, phillips321, Ben Campbell | Site metasploit.com

The uplay ActiveX component allows an attacker to execute any command line action. User must sign in, unless auto-sign in is enabled and uplay is not already running. Due to the way the malicious executable is served (WebDAV), the module must be run on port 80, so please ensure you have proper privileges. Ubisoft released patch 2.04 as of Mon 20th July.

tags | exploit, activex
advisories | OSVDB-84402
SHA-256 | b06a8a97e093f62b1f9d8ff1ae71702688d1cb47e94160036dd253ab69142e43
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close