6846 matches found
Windows Live Mail Credential Gatherer
This module searches for Windows Live Mail credentials on a Windows host. Module Options msf use post/windows/gather/credentials/windowslivemail msf postwindowslivemail show actions ...actions... msf postwindowslivemail set ACTION msf postwindowslivemail show options ...show and set options... ms...
Apache OFBiz XML-RPC Java Deserialization
This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.01 using the ROME gadget chain. Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467 and use the...
rConfig install Command Execution
This module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The install directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the ajaxServerSettingsChk.php file as the web server...
ABRT sosreport Privilege Escalation
This module attempts to gain root privileges on RHEL systems with a vulnerable version of Automatic Bug Reporting Tool ABRT configured as the crash handler. sosreport uses an insecure temporary directory, allowing local users to write to arbitrary files CVE-2015-5287. This module uses a symlink...
Oracle Weblogic Server Deserialization RCE - Raw Object
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object weblogic.jms.common.StreamMessageImpl to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion betwee...
Zutto Dekiru
Inspired by shikataganai using fxsave64 to work under x64 systems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasm' require 'rex/nop/opty2' class MetasploitModule 'Zutto Dekiru', 'Version' = '$Revision...
Openfire Admin Console Authentication Bypass
This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0...
Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
This module exploits a vulnerability in Adobe Flash Player that was discovered, and has been exploited actively in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory, and result...
UPnP SSDP M-SEARCH Information Discovery
Discover information from UPnP-enabled systems This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'UPnP SSDP M-SEARCH Information Discovery', 'Description' = 'Discover information from UPnP-enabled...
HTTP Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)
Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/http/x86/custom/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf...
HTTP Fetch, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager
Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/http/x86/custom/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set ACTI...
HTTP Fetch, Reverse Ordinal TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/dllinject/reverseordtcp msf payloadreverseordtcp show actions ...actions... msf payloadreverseordtcp set ACTION msf payloadreverseordtcp show options ...show and...
Powershell Exec, Reverse TCP Stager with UUID Support
Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/powershell/patchupdllinject/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf...
rConfig Vendors Auth File Upload RCE
This module allows an attacker with a privileged rConfig account to start a reverse shell due to an arbitrary file upload vulnerability in /lib/crud/vendors.crud.php. Then, the uploaded payload can be triggered by a call to images/vendor/.php Module Options msf use...
Login to Another User with Su on Linux / Unix Systems
This module attempts to create a new login session by invoking the su command of a valid username and password. If the login is successful, a new session is created via the specified payload. Because su forces passwords to be passed over stdin, this module attempts to invoke a psuedo-terminal wit...
SaltStack Salt Master Server Root Key Disclosure
This module exploits unauthenticated access to the prepauthinfo method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations...
JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure
SIEMENS IP-Camera CVMS2025-IR + CCMS2025, JVC IP-Camera VN-T216VPRU, and Vanderbilt IP-Camera CCPW3025-IR + CVMW3025-IR allow an unauthenticated user to disclose the username & password by requesting the javascript page 'readfile.cgi?query=ADMINID'. Siemens firmwares affected: x.2.2.1798,...
FreeBSD Intel SYSRET Privilege Escalation
This module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault GPF when executing a SYSRET instruction with a non-canonical address in the RCX register...
VLC Media Player MKV Use After Free
This module exploits a use after free vulnerability in VideoLAN VLC = 'VLC Media Player MKV Use After Free', 'Description' = %q This module exploits a use after free vulnerability in VideoLAN VLC = 2.2.8. The vulnerability exists in the parsing of MKV files and affects both 32 bits and 64 bits. I...
Ulterius Server File Download Vulnerability
This module exploits a directory traversal vulnerability in Ulterius Server 'Ulterius Server File Download Vulnerability', 'Description' = %q This module exploits a directory traversal vulnerability in Ulterius Server 'Rick Osgood', Vulnerability discovery and PoC 'Jacob Robles' Metasploit module...
Qmail SMTP Bash Environment Variable Injection (Shellshock)
This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH Shellshock. This flaw works on the latest Qmail...
Joomla com_contenthistory Error-Based SQL Injection
This module exploits a SQL injection vulnerability in Joomla versions 3.2 through 3.4.4 in order to either enumerate usernames and password hashes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModul...
SMB Group Policy Preference Saved Passwords Enumeration
This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key. This module has been tested successfully on a Win2k...
Apache Struts ClassLoader Manipulation Remote Code Execution
This module exploits a remote command execution vulnerability in Apache Struts versions 1.x 'Apache Struts ClassLoader Manipulation Remote Code Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions 1.x = 1.3.10 and 2.x 2.3.16.2. In...
MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass
This module bypasses basic authentication for Internet Information Services IIS. By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication. This module requires Metasploit: https://metasploit.com/download Current source:...
Apple Safari file:// Arbitrary Code Execution
This module exploits a vulnerability found in Apple Safari on OS X platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the...
TrendMicro Data Loss Prevention 5.5 Directory Traversal
This module tests whether a directory traversal vulnerability is present in Trend Micro DLP Data Loss Prevention Appliance v5.5 build 'TrendMicro Data Loss Prevention 5.5 Directory Traversal', 'Description' = %q This module tests whether a directory traversal vulnerability is present in Trend Mic...
Solaris Gather Dump Password Hashes for Solaris Systems
Post module to dump the password hashes for all users on a Solaris System This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solaris Gather Dump Password Hashes for Solaris Systems', 'Description'...
rsh Authentication Scanner
This module will test a shell rsh service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports below 1024. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaroun...
MS03-026 Microsoft RPC DCOM Interface Overflow
This module exploits a stack buffer overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and...
Powershell Exec, Reverse TCP Stager (IPv6)
Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp...
Powershell Exec, Reverse TCP Stager with UUID Support
Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/powershell/meterpreter/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf payloadreversetcpuuid...
Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE
This vulnerability allows remote attackers to execute arbitrary code on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2. Note...
Service Tracing Privilege Elevation Vulnerability
This module leverages a trusted file overwrite with a DLL hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModul...
URGENT/11 Scanner, Based on Detection Tool by Armis
This module detects VxWorks and the IPnet IP stack, along with devices vulnerable to CVE-2019-12258. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'URGENT/11 Scanner, Based on Detection Tool b...
Password Cracker: Webapps
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from various web applications. Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat. PHPass uses phpass which is 400 in hashcat. Mediawiki is MD5 based and is 3711 in hashcat. Apache Superset, some...
Microsoft Exchange Privilege Escalation Exploit
This module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724 Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature. This allows us to relay the NTLM authentication to a Domain...
Zyxel/Eir D1000 DSL Modem NewNTPServer Command Injection Over TR-064
Broadband DSL modems manufactured by Zyxel and distributed by some European ISPs are vulnerable to a command injection vulnerability when setting the 'NewNTPServer' value using the TR-64 SOAP-based configuration protocol. In the tested case, no authentication is required to set this value on...
Joomla Akeeba Kickstart Unserialize Remote Code Execution
This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba component, which is responsible for Joomla! updates. Nevertheless it is worth to note that this vulnerability is only...
MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow
This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value...
Supermicro Onboard IPMI Static SSL Certificate Scanner
This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI controllers. An attacker with access to the publicly-available firmware can perform man-in-the-middle attacks and offline decryption of communication to the controller. This module has been on a Supermicro Onboar...
ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code. This module requires Metasploit:...
MS09-053 Microsoft IIS FTP Server NLST Response Overflow
This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file...
MySQL yaSSL CertDecoder::GetName Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL 1.9.8 and earlier implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside...
HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (No NX or Win7)
Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/http/x86/custom/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf...
HTTP Fetch, Hidden Bind TCP Stager
Fetch and execute an x86 payload from an HTTP server. Listen for a connection from a hidden port and spawn a command shell to the allowed host. Module Options msf use payload/cmd/windows/http/x86/dllinject/bindhiddentcp msf payloadbindhiddentcp show actions ...actions... msf payloadbindhiddentcp...
HTTP Fetch, Windows shellcode stage, Hidden Bind TCP Stager
Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host. Module Options msf use payload/cmd/windows/http/x86/custom/bindhiddentcp msf payloadbindhiddentcp show actions ...actions... msf...
Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support Windows x86 Module Options msf use payload/cmd/windows/powershell/peinject/bindtcpuuid msf payloadbindtcpuuid show actions ...actions... msf payloadbindtcpuuid set ACTION msf payloadbindtcpuuid show...