Packet Storm

This Metasploit modules scans for Dahua-based DVRs and then grabs settings. Optionally resets a users password and clears the device logs.

This Metasploit module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP Cameras such as Edimax, Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested. The protocol design issue also allows attackers to reset passwords on the device.

This Metasploit module exploits a file retrieval vulnerability in EasyCafe Server. The vulnerability can be triggered by sending a specially crafted packet (opcode 0x43) to the 831/TCP port. This Metasploit module has been successfully tested on EasyCafe Server version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3 and Windows 7 SP1. Note that the server will throw a popup messagebox if the specified file does not exist.

This Metasploit module can identify SerComm manufactured network devices which contain a backdoor, allowing command injection or account disclosure.

This Metasploit module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.

This Metasploit module scans for OKI printers via SNMP, then tries to connect to found devices with vendor default administrator credentials via HTTP authentication. By default, OKI network printers use the last six digits of the MAC as admin password.

This Metasploit module takes advantage of an authentication bypass vulnerability at the web interface of multiple manufacturers DVR systems, which allows to retrieve the device configuration.

This Metasploit module can be used to discover Portmapper services which can be used in an amplification DDoS attack against a third party.

This Metasploit module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter. Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter. Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter. Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter. Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter. VICIdial does not encrypt passwords by default.

This Metasploit module exploits a directory traversal flaw found in A10 Networks (Soft) AX Loadbalancer version 2.6.1-GR1-P5/2.7.0 or less. When handling a file download request, the xml/downloads class fails to properly check the filename parameter, which can be abused to read any file outside the virtual directory. Important files include SSL certificates. This Metasploit module works on both the hardware devices and the Virtual Machine appliances. IMPORTANT NOTE: This Metasploit module will also delete the file on the device after downloading it. Because of this, the CONFIRM_DELETE option must be set to true either manually or by script.