6847 matches found
BSD x64 Command Shell, Bind TCP Inline (IPv6)
Listen for a connection and spawn a command shell over IPv6. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Group Policy Script Execution From Shared Resource
This is a general-purpose module for exploiting systems with Windows Group Policy configured to load VBS startup/logon scripts from remote locations. This module runs an SMB shared resource that will provide a payload through a VBS file. Startup scripts will be executed with SYSTEM privileges, whi...
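The weakness above is a Group Policy whose startup/logon script path points at a share an attacker can stand up or hijack. The following added example (not part of the Metasploit module or the original listing) is a small defensive check: it parses the scripts.ini format that Group Policy stores under SYSVOL (assumed here to use section names such as [Startup] and [Logon] with numbered NCmdLine/NParameters keys, which is how the file normally looks) and flags every script whose CmdLine is a UNC path on a host outside the set you trust. The sample ini text, host names and GUID placeholder are constructed for the example.

```python
import configparser
import re

# Matches a UNC path and captures the server portion: \\server\share\...
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")

# Constructed sample of a Group Policy scripts.ini; the real file lives in SYSVOL
# under Policies\{GUID}\Machine\Scripts\ (or User\Scripts\) and is UTF-16 encoded.
SAMPLE_SCRIPTS_INI = r"""
[Startup]
0CmdLine=\\corp.example\SysVol\corp.example\Policies\{GUID}\Machine\Scripts\Startup\inventory.vbs
0Parameters=
1CmdLine=\\fileserver01\scripts\maint.vbs
1Parameters=/quiet
[Logon]
0CmdLine=\\10.0.0.99\share\update.vbs
0Parameters=
"""


def remote_script_entries(ini_text: str, trusted_hosts):
    """Return (section, key, path) for every NCmdLine entry whose UNC host is
    not in trusted_hosts. Local paths and trusted hosts are not reported."""
    trusted = {h.lower() for h in trusted_hosts}
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "0CmdLine" rather than lower-casing it
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if not key.endswith("CmdLine"):
                continue
            path = value.strip()
            match = UNC_HOST.match(path)
            if match and match.group(1).lower() not in trusted:
                findings.append((section, key, path))
    return findings


def load_scripts_ini(path: str) -> str:
    """Read a scripts.ini from disk; Group Policy writes it as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    # Only the domain's own SYSVOL host is trusted; anything else is a hijackable source.
    for section, key, path in remote_script_entries(SAMPLE_SCRIPTS_INI, {"corp.example"}):
        print(f"[{section}] {key} loads a script from an untrusted host: {path}")
```

Run it against each scripts.ini/psscripts.ini under the domain's SYSVOL tree; any hit is a script that a rogue SMB server on the named host (or a spoofed name resolution for it) could replace with attacker-controlled VBS that then runs as SYSTEM at boot.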
GetGo Download Manager HTTP Response Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in GetGo Download Manager version 5.3.0.2712 and earlier, caused by an overly long HTTP response header. By persuading the victim to download a file from a malicious server, a remote attacker could execute arbitrary code on the system o...
Gather Kademlia Server Information
This module uses the Kademlia BOOTSTRAP and PING messages to identify and extract information from Kademlia speaking UDP endpoints, typically belonging to eMule/eDonkey/BitTorrent servers or other P2P applications. This module requires Metasploit: https://metasploit.com/download Current source:...
Android Open Source Platform (AOSP) Browser UXSS
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on...
WinRAR Filename Spoofing
This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists when opening ZIP files. The file names shown in WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the Local File Header. This...
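A ZIP archive carries each member's name twice, once in the local file header in front of the data and once in the central directory at the end; the spoof above works because the two are never cross-checked. The added example below (written for this page, not code from the Metasploit module or from WinRAR) builds a minimal STORED archive whose central directory advertises a .txt name while the local header names a .exe, and then shows the check a defensive tool should run: walk the central directory and compare each entry's name with the one in its local header. The file names and payload bytes are constructed placeholders.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<IHHHHHIIIHH"          # 30-byte local file header (PK\x03\x04)
CENTRAL_HDR = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header (PK\x01\x02)
EOCD = "<IHHHHIIH"                  # 22-byte end-of-central-directory record (PK\x05\x06)


def build_spoofed_zip(displayed_name: bytes, real_name: bytes, data: bytes) -> bytes:
    """Single-entry, uncompressed zip whose central directory says displayed_name
    while the local file header (the one used at extraction) says real_name."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    n = len(data)
    local = struct.pack(LOCAL_HDR, 0x04034B50, 20, 0, 0, 0, 0,
                        crc, n, n, len(real_name), 0) + real_name + data
    central = struct.pack(CENTRAL_HDR, 0x02014B50, 20, 20, 0, 0, 0, 0,
                          crc, n, n, len(displayed_name), 0, 0, 0, 0, 0,
                          0) + displayed_name          # local header sits at offset 0
    eocd = struct.pack(EOCD, 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)   # cd size, cd offset, no comment
    return local + central + eocd


def build_honest_zip(name: str, data: bytes) -> bytes:
    """A normal archive, for comparison: both names agree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def find_name_mismatches(zip_bytes: bytes):
    """Return (central_directory_name, local_header_name) for every member
    whose two names differ. An empty list means the archive is consistent."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))   # reads only the central directory
    mismatches = []
    for info in zf.infolist():
        off = info.header_offset
        fields = struct.unpack(LOCAL_HDR, zip_bytes[off:off + 30])
        if fields[0] != 0x04034B50:
            raise ValueError(f"bad local header signature at offset {off}")
        flags, name_len = fields[2], fields[9]
        raw = zip_bytes[off + 30:off + 30 + name_len]
        local_name = raw.decode("utf-8" if flags & 0x800 else "cp437")
        if local_name != info.filename:
            mismatches.append((info.filename, local_name))
    return mismatches


if __name__ == "__main__":
    payload = b"MZ" + b"\x00" * 62   # constructed stand-in, not a real executable
    spoofed = build_spoofed_zip(b"quarterly_report.txt", b"quarterly_report.exe", payload)
    print(find_name_mismatches(spoofed))                     # [('quarterly_report.txt', 'quarterly_report.exe')]
    print(find_name_mismatches(build_honest_zip("notes.txt", b"hello")))  # []
```

The listing only reads the central directory, which is exactly why a viewer that trusts it shows the harmless name; the check above is cheap because each central entry already records the offset of its local header. CPython's own zipfile module performs this comparison when a member is opened and raises BadZipFile on a mismatch, so a scanner written in Python gets the same protection for free once it actually reads the member rather than just listing it.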
EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Horde Framework Unserialize PHP Code Execution
This module exploits a PHP unserialize vulnerability in Horde. Credits: EgiX (exploitation technique and vulnerability discovery), juan...
VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
Inject a VNC DLL via a reflective loader (staged). Tunnel communication over HTTP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
SkyBlueCanvas CMS Remote Code Execution
This module exploits an arbitrary command execution vulnerability in SkyBlueCanvas CMS version 1.1 r248-03 and below. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Linux Meterpreter, Reverse TCP Stager
Inject the mettle server payload (staged). Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Python Meterpreter, Python Bind TCP Stager
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Apple Quicktime 7 Invalid Atom Length Buffer Overflow
This module exploits a vulnerability found in Apple Quicktime. The flaw is triggered when Quicktime fails to properly handle the data length for certain atoms such as 'rdrf' or 'dref' in the Alis record, which may result in a buffer overflow when loading a specially crafted .mov file, and allows...
Memcached Remote Denial of Service
This module sends a specially-crafted packet to cause a segmentation fault in memcached v1.4.15 or earlier versions. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Java Applet Reflection Type Confusion Remote Code Execution
This module abuses Java Reflection to generate a Type Confusion, due to weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially craft...
DataLife Engine preview.php PHP Code Injection
This module exploits a PHP code injection vulnerability in DataLife Engine 9.7. The vulnerability exists in preview.php, due to insecure usage of preg_replace with the e modifier, which allows injection of arbitrary PHP code when there is a template installed which contains a catlist or not-catlist...
ZoneMinder Video Server packageControl Command Execution
This module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file...
Honeywell Tema Remote Installer ActiveX Remote Code Execution
This module exploits a vulnerability found in the Honeywell Tema ActiveX Remote Installer. This ActiveX control can be abused by using the DownloadFromURL function to install an arbitrary MSI from a remote location without checking source authenticity or notifying the user. This module has been...
SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure
This module attempts to identify software, OS and DB versions through the SAP function TH_SAPREL using the /sap/bc/soap/rfc SOAP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on, inspire...
PhpTax pfilez Parameter Exec Remote Code Injection
This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng function in drawimage.php does not properly handle the pfilez parameter, which will be used in an exec statement, and then results in arbitrary remote code execution under...
SAP Management Console GetProcessList
This module attempts to list SAP processes through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow
This module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x4c PROXYCMDPREBOOTTASKINFO2 to port 998/TCP. The module has been successfully tested...
LANDesk Lenovo ThinkManagement Console Remote Command Execution
This module can be used to execute a payload on LANDesk Lenovo ThinkManagement Suite 9.0.2 and 9.0.3. The payload is uploaded as an ASP script by sending a specially crafted SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx", via a "RunAMTCommand" operation with the...
OS X x64 Execute Command
Execute an arbitrary command. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
H.323 Version Scanner
Detect H.323 version. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Author: hdm
Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow
This module exploits a stack based buffer overflow found in Free MP3 CD Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious WAV file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Wireshark console.lua Pre-Loading Script Execution
This module exploits a vulnerability in Wireshark 1.6.1 and earlier. When opening a pcap file, Wireshark checks whether a 'console.lua' file exists in the same directory, and parses/executes the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8. This...
Apple Safari Webkit libxslt Arbitrary File Creation
This module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of an XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module has been...
Multi Gather DNS Reverse Lookup Scan
Performs DNS reverse lookup using the OS-included DNS query command. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Windows Gather FlashFXP Saved Password Extraction
This module extracts weakly encrypted saved FTP passwords from FlashFXP. It finds saved FTP connections in the Sites.dat file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
VLC AMV Dangling Pointer Vulnerability
This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st byte in the file format video width/height, VLC crashes due to an invalid pointer, which allows remote attackers to gain arbitrary code execution. The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC...
SAP Management Console Get Logfile
This module simply attempts to download available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. Please use the sap_mgmt_con_listlogfiles module to view a list of available files. This module requires Metasploit: https://metasploit.com/download Current source...
VxWorks WDB Agent Remote Memory Dump
This module provides the ability to dump the system memory of a VxWorks target through WDBRPC. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Avahi Source Port 0 DoS
Avahi-daemon versions prior to 0.6.24 can be DoS'd with an mDNS packet with a source port of 0. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Adobe Doc.media.newPlayer Use After Free Vulnerability
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Timbuktu PlughNTCommand Named Pipe Buffer Overflow
This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The...
HTTPDX h_handlepeer() Function Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused by a boundary error within the "h_handlepeer" function in http.cpp. By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code. This...
Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl ActiveX Control NPSnpy.dll 1.1.0.36. When sending an overly long string to the CheckRequirements method, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download...
Xlink FTP Server Buffer Overflow
This module exploits a stack buffer overflow in Xlink FTP Server that comes bundled with Omni-NFS Enterprise 5.2. When an overly long FTP request is sent to the server, arbitrary code may be executed. This module requires Metasploit: https://metasploit.com/download Current source:...
Xlink FTP Client Buffer Overflow
This module exploits a stack buffer overflow in Xlink FTP Client 32 Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. When an overly long FTP server response is received by a client, arbitrary code may be executed. This module requires Metasploit: https://metasploit.com/download Curre...
Timbuktu Pro Directory Traversal/File Upload
This module exploits a directory traversal vulnerability in Motorola's Timbuktu Pro for Windows 8.6.5. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
ProFTP 2.9 Banner Remote Buffer Overflow
This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Cain and Abel RDP Buffer Overflow
This module exploits a stack-based buffer overflow in Cain & Abel v4.9.24 and below. An attacker must send the file to the victim, and the victim must open the specially crafted RDP file under Tools - Remote Desktop Password Decoder. This module requires Metasploit: https://metasploit.com/downloa...
BigAnt Server 2.2 Buffer Overflow
This module exploits a stack buffer overflow in BigAnt Server 2.2. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Apple OS X Software Update Command Execution
This module exploits a feature in the Distribution Packages, which are used in the Apple Software Update mechanism. This feature allows for arbitrary command execution through JavaScript. This exploit provides the malicious update server. Requests must be redirected to this server by other means...
MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow
This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. This exploit requires the target system to have been configured with a DNS name and for that name to be supplied in the 'DNAME' option. This name does not need to be served by a valid DNS...
Mail.app Image Attachment Command Execution
This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5. This module requires Metasploit: https://metasploit.com/download Current source:...
Borland InterBase open_marker_file() Buffer Overflow
This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Netcat v1.10 NT Stack Buffer Overflow
This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending an overly long string we are able to overwrite SEH. The vulnerability exists when netcat is used to bind -e an executable to a port in doexec.c. This module tested successfully using "c:\nc -L -p 31337 -e ftp". This modul...
Trend Micro ServerProtect 5.58 Buffer Overflow
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...