6850 matches found
MobileIron MDM Hessian-Based Java Deserialization RCE
This module exploits an ACL bypass in MobileIron MDM products to execute a Groovy gadget against a Hessian-based Java deserialization endpoint. Module Options msf use exploit/linux/http/mobileironmdmhessianrce msf exploitmobileironmdmhessianrce show targets ...targets... msf...
Cisco ASA Authentication Bypass (EXTRABACON)
This module patches the authentication functions of a Cisco ASA to allow uncredentialed logins. Uses improved shellcode for payload. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco ASA...
OS X Display Apple VNC Password
This module shows Apple VNC Password from Mac OS X High Sierra. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OS X Display Apple VNC Password', 'Description' = %q This module shows Apple VNC...
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library glibc dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LDAUDIT environment variable when loading setuid executables...
IPFire Bash Environment Variable Injection (Shellshock)
IPFire, a free linux based open source firewall distribution, version 'IPFire Bash Environment Variable Injection Shellshock', 'Description' = %q IPFire, a free linux based open source firewall distribution, version 'h00die ', module 'Claudio Viviani' discovery , 'References' = 'EDB', '34839' ,...
Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role everyone can quickly enumerate all SQL Server logins using the SUSERSNAME function...
PHP XML-RPC Arbitrary Code Execution
This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki. This module requires Metasploit:...
HTTP Fetch, Generic x86 Tight Loop
Fetch and execute an x86 payload from an HTTP server. Generate a tight loop in the target process Module Options msf use payload/cmd/windows/http/x86/generic/tightloop msf payloadtightloop show actions ...actions... msf payloadtightloop set ACTION msf payloadtightloop show options ...show and set...
Python Exec, Python Pingback, Bind TCP (via python)
Execute a Python payload from a command. Listens for a connection from the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/windows/python/pingbackbindtcp msf payloadpingbackbindtcp show actions ...actions... msf payloadpingbackbindtcp set ACTION msf payloadpingbackbindt...
Python Exec, Python Pingback, Bind TCP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Listens for a connection from the attacker, sends a UUID, then terminates Module Options msf use payload/cmd/unix/python/pingbackbindtcp msf payloadpingbackbindtcp show actions ...actions... msf payloadpingbackbindtcp set...
Rconfig 3.x Chained Remote Code Execution
This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the path parameter of the ajax archive file functionality within the rConfig web interface in order to execute the...
Cisco ASA SSL VPN Privilege Escalation Vulnerability
This module exploits a privilege escalation vulnerability for Cisco ASA SSL VPN aka: WebVPN. It allows level 0 users to escalate to level 15. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cis...
MS05-017 Microsoft Message Queueing Service Path Overflow
This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's...
BillQuick Web Suite txtID SQLi
This module exploits a SQL injection vulnerability in BillQUick Web Suite prior to version 22.0.9.1. The application is .net based, and the database is required to be MSSQL. Luckily the website gives error based SQLi messages, so it is trivial to pull data from the database. However the webapp us...
QQ Credential Gatherer
This module searches for QQ credentials on a Windows host. Module Options msf use post/windows/gather/credentials/qq msf postqq show actions ...actions... msf postqq set ACTION msf postqq show options ...show and set options... msf postqq run This module requires Metasploit:...
Hikvision DVR RTSP Request Remote Code Execution
This module exploits a buffer overflow in the RTSP request parsing code of Hikvision DVR appliances. The Hikvision DVR devices record video feeds of surveillance cameras and offer remote administration and playback of recorded footage. The vulnerability is present in several models / firmware...
Lucee Administrator imgProcess.cfm Arbitrary File Write
This module exploits an arbitrary file write in Lucee Administrator's imgProcess.cfm file to execute commands as the Tomcat user. Module Options msf use exploit/linux/http/luceeadminimgprocessfilewrite msf exploitluceeadminimgprocessfilewrite show targets ...targets... msf...
Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow
This module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 x86 in VirtualBox, VMware Fusion, and VMware...
blueimp's jQuery (Arbitrary) File Upload
This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions "blueimp's jQuery Arbitrary File Upload", 'Description' = %q This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File...
Axis Network Camera .srv-to-parhand RCE
This module exploits an auth bypass in .srv functionality and a command injection in parhand to execute code as the root user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Axis Network Camer...
Jenkins-CI Script-Console Java Execution
This module uses the Jenkins-CI Groovy script console to execute OS commands using Java. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Jenkins-CI Script-Console Java Execution', 'Description'...
Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands
The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which implements the protocol. This module implements the CPU STOP command, as well as the ability to crash the Ethernet card in an affected device. This module is based on the original 'ethernetip-multi.rb' Basecam...
Linux Execute Command
Execute an arbitrary command. Module Options msf use payload/linux/loongarch64/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run frozenstringliteral: true This module requires Metasploit:...
HTTP Fetch, Windows Executable Download (http,https,ftp) and Execute
Fetch and execute an x86 payload from an HTTP server. Download an EXE from an HTTPS/FTP URL and execute it Module Options msf use payload/cmd/windows/http/x86/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options...
Powershell Exec, Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy
Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support Module Options msf use payload/cmd/windows/powershell/custom/reversehttpsproxy msf payloadreversehttpsproxy show actions ...actions... msf...
Tango Credential Gatherer
This module searches for Tango credentials on a Windows host. Tango is a third-party, cross platform messaging application software for smartphones developed by TangoME, Inc. Module Options msf use post/windows/gather/credentials/tango msf posttango show actions ...actions... msf posttango set...
Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation
This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx within win32k. The out of bounds write can be used to overwrite the pvbits of a SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code executio...
V-CMS PHP File Upload and Execute
This module exploits a vulnerability found on V-CMS's inline image upload feature. The problem is due to the inlineimageupload.php file not checking the file type before saving it on the web server. This allows any malicious user to upload a script such as PHP without authentication, and then...
VMWare Authentication Daemon Login Scanner
This module will test vmauthd logins on a range of machines and report successful logins. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credentialcollection' require...
PHP Base64 Encoder
This encoder returns a base64 string encapsulated in evalbase64decode, increasing the size by a bit more than one third. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PHP Base64 Encoder',...
HTTP Fetch, Generic x86 Debug Trap
Fetch and execute an x86 payload from an HTTP server. Generate a debug trap in the target process Module Options msf use payload/cmd/windows/http/x86/generic/debugtrap msf payloaddebugtrap show actions ...actions... msf payloaddebugtrap set ACTION msf payloaddebugtrap show options ...show and set...
HTTP Fetch, DNS TXT Record Payload Download and Execution
Fetch and execute an x86 payload from an HTTP server. Performs a TXT query against a series of DNS records and executes the returned x86 shellcode. The DNSZONE option is used as the base name to iterate over. The payload will first request the TXT contents of the a hostname, followed by b, then c...
ExifTool DjVu ANT Perl injection
This module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field. Module...
Cisco Data Center Network Manager Unauthenticated File Download
DCNM exposes a servlet to download files on /fm/downloadServlet. An authenticated user can abuse this servlet to download arbitrary files as root by specifying the full path of the file. This module was tested on the DCNM Linux virtual appliance 10.42, 11.01 and 11.11, and should work on a few...
Tomcat UTF-8 Directory Traversal Vulnerability
This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the...
HTTP Fetch
Fetch and execute an x86 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x86/formatalldrives msf payloadformatalldrives show actions ...actions... msf payloadformatalldrives set ACTION msf payloadformatalldrives show options ...show and set options... msf...
HTTP Fetch, Reverse TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/http/x86/dllinject/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show options...
Lenovo Diagnostics Driver IOCTL memmove
Incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write. Module Options msf use exploit/windows/local/cve20223699lenovodiagnosticsdriver msf...
PHP Laravel Framework token Unserialize Remote Command Execution
This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x 'PHP Laravel Framework token Unserialize Remote Command Execution', 'Description' = %q This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x = 5.6.29. Remote Command...
Zabbix Server Brute Force Utility
This module attempts to login to Zabbix server instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. It will also test for the Zabbix default login Admin:zabbix and guest access. This module requires Metasploit:...
MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate PAC from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module...
Java 7 Applet Remote Code Execution
The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod. Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which...
HTTP Fetch, Reverse All-Port TCP Stager
Fetch and execute an x86 payload from an HTTP server. Try to connect back to the attacker, on all possible ports 1-65535, slowly Module Options msf use payload/cmd/windows/http/x86/dllinject/reversetcpallports msf payloadreversetcpallports show actions ...actions... msf payloadreversetcpallports...
HTTP Fetch, Windows Reverse HTTP Stager (winhttp)
Fetch and execute an x86 payload from an HTTP server. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/cmd/windows/http/x86/dllinject/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf payloadreversewinhttp sho...
Powershell Exec, Reverse Hop HTTP/HTTPS Stager
Execute an x86 payload from a command via PowerShell. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. Module Options msf use payload/cmd/windows/powershell/meterpreter/reversehophttp msf...
Thunderbird Credential Gatherer
This module searches for Thunderbird credentials on a Windows host. Module Options msf use post/windows/gather/credentials/thunderbird msf postthunderbird show actions ...actions... msf postthunderbird set ACTION msf postthunderbird show options ...show and set options... msf postthunderbird run...
Lexmark Driver Privilege Escalation
Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenicated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\Universal Color Laser.gdl to replace the DLL path to unires.dll with a...
Pulse Secure VPN gzip RCE
The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. Admin credentials are required for successful exploitation. Of note, MANY binaries are not ...
Java RMI Server Insecure Endpoint Code Execution Scanner
Detect Java RMI endpoints This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/java/serialization' class MetasploitModule 'Java RMI Server Insecure Endpoint Code Execution Scanner', 'Description' = 'Detect Jav...
Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/dllinject/reverseordtcp msf payloadreverseordtcp show actions ...actions... msf payloadreverseordtcp set ACTION msf payloadreverseordtcp show options ...show an...