OpenSSL Server-Side ChangeCipherSpec Injection Scanner
This module checks for the OpenSSL ChangeCipherSpec (CCS) Injection vulnerability. The problem exists in the handling of early CCS messages during session negotiation. Vulnerable installations of OpenSSL accept them, while later implementations do not. If successful, an attacker can leverage this...
Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload
This module bypasses authentication failure, extension blacklist, and path traversal vulnerabilities in the /editor/elfinder/php/connector.php endpoint to upload and execute a shell in Xerte Online Toolkits versions 3.15 commit 4e40f8030a2e3267267db7ce03e0ff57270be6f5 as there's no patch versions...
Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x86). Module Options: msf > use payload/cmd/windows/powershell/custom/bind_ipv6_tcp msf payload(bind_ipv6_tcp) > show actions ...actions... msf payload(bind_ipv6_tcp) > set ACTION < action-name > msf payload(bind_ipv6_t...
Powershell Exec, Windows Meterpreter Service, Bind TCP
Execute an x86 payload from a command via PowerShell. Stub payload for interacting with a Meterpreter Service. Module Options: msf > use payload/cmd/windows/powershell/metsvc_bind_tcp msf payload(metsvc_bind_tcp) > show actions ...actions... msf payload(metsvc_bind_tcp) > set ACTION < action-name > msf payload(metsvc_bind_tcp) > show...
VMware Workstation ALSA Config File Local Privilege Escalation
This module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This module has been...
Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registr...
Bitlocker Master Key (FVEK) Extraction
This module enumerates ways to decrypt a BitLocker volume and, if a recovery key is stored locally or can be generated, dumps the BitLocker master key (FVEK). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
China Chopper Caidao PHP Backdoor Code Execution
This module takes advantage of the China Chopper Webshell that is commonly used by Chinese hackers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'China Chopper Caidao PHP Backdoor Code...
PostgreSQL Database Name Command Line Flag Injection
This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution. This module requires Metasploit: https://metasploit.com/download...
Powershell Exec
Execute an x64 payload from a command via PowerShell. Module Options: msf > use payload/cmd/windows/powershell/x64/powershell_reverse_tcp_ssl msf payload(powershell_reverse_tcp_ssl) > show actions ...actions... msf payload(powershell_reverse_tcp_ssl) > set ACTION < action-name > msf payload(powershell_reverse_tcp_ssl) > show options ...sho...
Apple_iOS Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload (stageless). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generate_mettle_payloads.rb module MetasploitModule CachedSize = 796904 include...
OpenSSL Heartbeat (Heartbleed) Information Leak
This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable. The module supports several actions, allowing for scanning,...
SSH Version Scanner
Detect SSH Version, and the server encryption This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'recog' require 'net/ssh/transport/session' class MetasploitModule 'SSH Version Scanner', 'Description' = 'Detect S...
HTTP Options Detection
Display available HTTP options for each system This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Options Detection', 'Description' = 'Display available HTTP options for each system', 'Author...
SMBv3 Compression Buffer Overflow
A vulnerability exists within the Microsoft Server Message Block 3.1.1 SMBv3 protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe. This module requires Metasploit...
BIND TSIG Query Denial of Service
A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries. This module...
Canon IR-Adv Password Extractor
This module will extract the passwords from address books on various Canon iR-ADV MFP devices. Tested models: iR-ADV C2030, iR-ADV 4045, iR-ADV C5030, iR-ADV C5235, iR-ADV C5240, iR-ADV 6055, iR-ADV C7065. This module requires Metasploit: https://metasploit.com/download Current source:...
Powershell Exec
Execute an x86 payload from a command via PowerShell. Module Options: msf > use payload/cmd/windows/powershell/loadlibrary msf payload(loadlibrary) > show actions ...actions... msf payload(loadlibrary) > set ACTION < action-name > msf payload(loadlibrary) > show options ...show and set options... msf payload(loadlibrary) > run This...
WordPress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi
Secure Copy Content Protection and Content Locking, a WordPress plugin, prior to 2.8.2 is affected by an unauthenticated SQL injection via the sccp_id parameter. Remote attackers can exploit this vulnerability to dump usernames and password hashes from the wp_users table of the affected WordPress...
QEMU Monitor HMP 'migrate' Command Execution
This module uses QEMU's Monitor Human Monitor Interface (HMP) TCP server to execute system commands using the migrate command. This module has been tested successfully on QEMU version 6.2.0 on Ubuntu 20.04. Module Options: msf > use exploit/multi/misc/qemu_monitor_hmp_migrate_cmd_exec msf...
Cisco ASA Authentication Bypass (EXTRABACON)
This module patches the authentication functions of a Cisco ASA to allow uncredentialed logins. Uses improved shellcode for payload. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco ASA...
DotNetNuke Cookie Deserialization Remote Code Execution
This module exploits a deserialization vulnerability in DotNetNuke DNN versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to...
Search Engine Subdomains Collector
This module can be used to gather subdomains of a domain from Yahoo and Bing. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Search Engine Subdomains Collector', 'Description' = %q This module...
Windows Gather Navicat Passwords
This module will find and decrypt stored Navicat passwords. Module Options: msf > use post/windows/gather/credentials/navicat msf post(navicat) > show actions ...actions... msf post(navicat) > set ACTION < action-name > msf post(navicat) > show options ...show and set options... msf post(navicat) > run This module requires...
WordPress Email Subscribers and Newsletter Hash SQLi Scanner
Email Subscribers & Newsletters plugin contains an unauthenticated time-based SQL injection in versions before 4.3.1. The hash parameter is vulnerable to injection. Module Options: msf > use auxiliary/scanner/http/wp_email_sub_news_sqli msf auxiliary(wp_email_sub_news_sqli) > show actions ...actions... msf...
OS X Display Apple VNC Password
This module shows the Apple VNC password from Mac OS X High Sierra. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OS X Display Apple VNC Password', 'Description' = %q This module shows the Apple VNC...
Apache CouchDB Arbitrary Command Execution
CouchDB administrative users can configure the database server via HTTPS. Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitra...
Apache Tomcat Manager Application Deployer Authenticated Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is no...
Python Exec, Python Pingback, Reverse TCP (via python)
Execute a Python payload from a command. Connects back to the attacker, sends a UUID, then terminates. Module Options: msf > use payload/cmd/windows/python/pingback_reverse_tcp msf payload(pingback_reverse_tcp) > show actions ...actions... msf payload(pingback_reverse_tcp) > set ACTION < action-name > msf payload(pingback_reverse_tc...
Powershell Exec, Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a pipe connection (Windows x86). Module Options: msf > use payload/cmd/windows/powershell/upexec/bind_named_pipe msf payload(bind_named_pipe) > show actions ...actions... msf payload(bind_named_pipe) > set ACTI...
Python Exec, Python Pingback, Bind TCP (via python)
Execute a Python payload as an OS command from a POSIX-compatible shell. Listens for a connection from the attacker, sends a UUID, then terminates. Module Options: msf > use payload/cmd/unix/python/pingback_bind_tcp msf payload(pingback_bind_tcp) > show actions ...actions... msf payload(pingback_bind_tcp) > set...
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables...
IPFire Bash Environment Variable Injection (Shellshock)
IPFire, a free Linux-based open source firewall distribution, version ... Module author: h00die; discovery: Claudio Viviani. References: EDB 34839, ...
Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function...
Cisco ASA SSL VPN Privilege Escalation Vulnerability
This module exploits a privilege escalation vulnerability in Cisco ASA SSL VPN (aka WebVPN). It allows level 0 users to escalate to level 15. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cis...
HTTP Fetch
Fetch and execute an x86 payload from an HTTP server. Module Options: msf > use payload/cmd/windows/http/x86/exec msf payload(exec) > show actions ...actions... msf payload(exec) > set ACTION < action-name > msf payload(exec) > show options ...show and set options... msf payload(exec) > run This module requires Metasploit:...
Python Exec, Python Pingback, Bind TCP (via python)
Execute a Python payload from a command. Listens for a connection from the attacker, sends a UUID, then terminates. Module Options: msf > use payload/cmd/windows/python/pingback_bind_tcp msf payload(pingback_bind_tcp) > show actions ...actions... msf payload(pingback_bind_tcp) > set ACTION < action-name > msf payload(pingback_bind_t...
QQ Credential Gatherer
This module searches for QQ credentials on a Windows host. Module Options: msf > use post/windows/gather/credentials/qq msf post(qq) > show actions ...actions... msf post(qq) > set ACTION < action-name > msf post(qq) > show options ...show and set options... msf post(qq) > run This module requires Metasploit:...
blueimp's jQuery (Arbitrary) File Upload
This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions ...
Hikvision DVR RTSP Request Remote Code Execution
This module exploits a buffer overflow in the RTSP request parsing code of Hikvision DVR appliances. The Hikvision DVR devices record video feeds of surveillance cameras and offer remote administration and playback of recorded footage. The vulnerability is present in several models / firmware...
WordPress Plugin Backup Guard - Authenticated Remote Code Execution
This module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in the WordPress plugin Backup Guard .php Module Options: msf > use exploit/multi/http/wp_plugin_backup_guard_rce msf exploit(wp_plugin_backup_guard_rce) > show targets...
ForgeRock / OpenAM Jato Java Deserialization
This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST...
Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands
The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which implements the protocol. This module implements the CPU STOP command, as well as the ability to crash the Ethernet card in an affected device. This module is based on the original 'ethernetip-multi.rb' Basecam...
PHP XML-RPC Arbitrary Code Execution
This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, WordPress, PostNuke, and TikiWiki. This module requires Metasploit:...
HTTP Fetch, Windows MessageBox
Fetch and execute an x86 payload from an HTTP server. Spawns a dialog via MessageBox using a customizable title, text & icon. Module Options: msf > use payload/cmd/windows/http/x86/messagebox msf payload(messagebox) > show actions ...actions... msf payload(messagebox) > set ACTION < action-name > msf payload(messagebox) > show...
HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Fetch and execute an x86 payload from an HTTP server. Listen for a connection. Module Options: msf > use payload/cmd/windows/http/x86/meterpreter/bind_tcp_rc4 msf payload(bind_tcp_rc4) > show actions ...actions... msf payload(bind_tcp_rc4) > set ACTION < action-name > msf payload(bind_tcp_rc4) > show options ...show and set options...
Powershell Exec, Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support. Module Options: msf > use payload/cmd/windows/powershell/custom/reverse_https_proxy msf payload(reverse_https_proxy) > show actions ...actions... msf...
Lucee Administrator imgProcess.cfm Arbitrary File Write
This module exploits an arbitrary file write in Lucee Administrator's imgProcess.cfm file to execute commands as the Tomcat user. Module Options: msf > use exploit/linux/http/lucee_admin_imgprocess_file_write msf exploit(lucee_admin_imgprocess_file_write) > show targets ...targets... msf...
Axis Network Camera .srv-to-parhand RCE
This module exploits an auth bypass in .srv functionality and a command injection in parhand to execute code as the root user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Axis Network Camer...
HTTP Fetch, Reverse TCP Stager (DNS)
Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker. Module Options: msf > use payload/cmd/windows/http/x86/meterpreter/reverse_tcp_dns msf payload(reverse_tcp_dns) > show actions ...actions... msf payload(reverse_tcp_dns) > set ACTION < action-name > msf payload(reverse_tcp_dns) > show options ...show an...