Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 are affected by a path traversal vulnerability in the SSL VPN web portal that allows unauthenticated attackers to download FortiOS system files through specially crafted HTTP requests. This Metasploit module exploits this vulnerability to read the usernames and passwords of users currently logged into the FortiOS SSL VPN, which are stored in plaintext in the "/dev/cmdb/sslvpn_websession" file on the VPN server.
2149c48a70e99a03545bfa957dc701afcfcd46b50a3e6c27f2d9507f99388036
This Metasploit module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the "Automatic" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the "DSIG" browser cookie to a valid session ID. For the "Manual" action, please specify a file to dump via the "FILE" option. /etc/passwd will be dumped by default. If the "PRINT" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.
9434228fa1dc2af2393abd6886ea6161415b95086765f63406754e8064f448e0
This Metasploit module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.
6674132172219a30d7cdc8c399117a3d4c424e9e997b7824e6b1a2c5163f1072