Good morning ethical hackers. Polycom HDX devices are popular worldwide for video conferencing. They are fit for meeting rooms and conference halls of various sizes as they support 1 to 3 displays. The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication.
So when all the conventional methods to get access to a network, this can work as an entry point of course if they are using this product. Let us see how this can be used in our pen test. Start Metasploit and load the exploit as shown below.
Set the target and check if it’s vulnerable as shown below using “check” command.
You can use the default payload or choose the required payload. I am using the below payload. After setting payload, type command “run” to run the exploit. The exploit works as shown below.
Hello, aspiring ethical hackers. In this article, you will learn about an arbitrary file upload vulnerability that was found in Webnms framework 5.2.
The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).
Here is the code vulnerable to arbitrary file upload.
Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
Set the meterpreter payload as shown below.
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.
Hello friends. A while ago, we saw Poison Ivy buffer overflow exploit. This exploit is just like the Poison Ivy exploit but this time we target Darkcomet RAT. ( We will learn more about Darkcomet and RAT’s later ). In this case we can just download a file from the system running Darkcomet server.
Start Metasploit and load the exploit as shown below. Type command “show options” to see the options we need. Look at the options. Although you are familiar with the usual options, there are some new options like NEWVERSION, STORE_LOOT and TARGETFILE.
-NEWVERSION : This exploit works on all darkcomet versions from 3.2 to above. If the version we are targeting is above 5.1, we need to set this option to “true”.
-STORE_LOOT : If you set this option to true, the file we download will be stored in loot. If the option is false, the contents of the file will be outputted to console.
-TARGETFILE : the file to be downloaded from the remote system.
Set the options as required. I have set store_loot option to false. If you don’t set any targetfile, by default it will download the config file of Darkcomet.
Let’s see by running the exploit. We can see the contents of Darkcomet configuration file as shown below.
Now let’s try to download another file. For this, we need the RC4 key of Darkcomet and the password you got in the config file is useless. But there is high probability that a password has not been set. Then we can just set the DC prefix as key and run the exploit as shown below.
Here I am trying to download the hosts file but encounter an error. It’s probably Windows UAC protecting us.
Now let’s create a text file in the admin folder called hello.txt with content as “hello hacker”. Now set this as target file and run the exploit. We can see that the text of the file is successfully displayed as shown below.