Metasploit • Most viewed

6846 matches found

Metasploit
•added 2006/12/28 11:42 p.m.•74 views

RealServer Describe Buffer Overflow

This module exploits a buffer overflow in RealServer 7/8/9 and was based on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit Linux, BSD, and Windows-based servers. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.5 | AI score 0.6 | EPSS 0.7432 | Exploits: 3

Metasploit
•added 2005/12/25 10:47 p.m.•74 views

Snort Back Orifice Pre-Preprocessor Buffer Overflow

This module exploits a stack buffer overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges...

CVSS 7.5 | AI score 7.4 | EPSS 0.83902 | Exploits: 12

Metasploit
•added 2026/04/02 7:2 p.m.•73 views

HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker Module Options msf use payload/cmd/windows/http/x86/custom/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show...

AI score 6 | Exploits: 0

Metasploit
•added 2022/05/11 5:43 p.m.•73 views

Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Execute an x86 payload from a command via PowerShell. Listen for a connection Module Options msf use payload/cmd/windows/powershell/dllinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options...

AI score 7.2 | Exploits: 0

Metasploit
•added 2022/03/16 5:42 p.m.•73 views

Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager

Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Reverse Python connect back stager using SSL Module Options msf use payload/cmd/unix/python/meterpreter/reversetcpssl msf payloadreversetcpssl show actions...

AI score 7.2 | Exploits: 0

Metasploit
•added 2021/01/12 5:42 p.m.•73 views

WordPress AIT CSV Import Export Unauthenticated Remote Code Execution

The AIT CSV Import/Export plugin use exploit/multi/http/wpaitcsvrce msf exploitwpaitcsvrce show targets ...targets... msf exploitwpaitcsvrce set TARGET msf exploitwpaitcsvrce show options ...show and set options... msf exploitwpaitcsvrce exploit This module requires Metasploit:...

CVSS 9.8 | AI score 7.8 | EPSS 0.04655 | Exploits: 2

Metasploit
•added 2020/06/12 4:30 a.m.•73 views

Inductive Automation Ignition Remote Code Execution

This module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to and including 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated...

CVSS 7.5 | AI score 8.4 | EPSS 0.20208 | Exploits: 4

Metasploit
•added 2019/01/25 7:7 p.m.•73 views

John the Ripper Windows Password Cracker (Fast Mode)

This module uses John the Ripper to identify weak passwords that have been acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be...

AI score 7 | Exploits: 0

Metasploit
•added 2018/10/10 9:39 a.m.•73 views

Apple_iOS Meterpreter, Reverse HTTPS Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 643824 include...

AI score 7.3 | Exploits: 0

Metasploit
•added 2018/04/27 10:8 p.m.•73 views

xdebug Unauthenticated OS Command Execution

Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below. This allows the attacker to execute arbitrary php code as the context of the web user. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 8.1 | Exploits: 0

Metasploit
•added 2016/12/27 9:12 p.m.•73 views

NETGEAR WNR2000v5 Administrator Password Recovery

The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery. This vulnerability can be exploited by an unauthenticated attacker who is able to guess the value of a certain timestamp which is in the configuration of the router. Brute forcing the timestamp token might tak...

CVSS 9.8 | AI score 10 | EPSS 0.77426 | Exploits: 4

Metasploit
•added 2015/02/18 1:25 a.m.•73 views

JBoss Seam 2 File Upload and Execute

Versions of the JBoss Seam 2 framework 2.2.1CR2 fails to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the...

CVSS 8.8 | AI score 0.4 | EPSS 0.83397 | Exploits: 8

Metasploit
•added 2014/02/15 9:21 p.m.•73 views

Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager

Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. This module requires Metasploit:...

AI score 7.7 | Exploits: 0

Metasploit
•added 2013/12/11 2:52 p.m.•73 views

MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and...

CVSS 7.8 | AI score 10 | EPSS 0.34893 | Exploits: 16

Metasploit
•added 2013/10/09 9:3 p.m.•73 views

Linux Kernel Sendpage Local Privilege Escalation

The Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits...

CVSS 7.8 | AI score 7.6 | EPSS 0.14749 | Exploits: 17

Metasploit
•added 2013/07/06 4:7 a.m.•73 views

MediaCoder .M3U Buffer Overflow

This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution under the context of the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder runs with DEP. This module has been tested successfully on...

CVSS 7.8 | AI score 8.2 | EPSS 0.15892 | Exploits: 6

Metasploit
•added 2013/06/25 3:22 p.m.•73 views

SMTP Open Relay Detection

This module tests if an SMTP server will accept via a code 250 an e-mail by using a variation of testing methods. Some of the extended methods will try to abuse configuration or mailserver flaws. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 7.1 | Exploits: 0

Metasploit
•added 2013/06/03 8:35 a.m.•73 views

MiniUPnPd 1.4 Denial of Service (DoS) Exploit

This module allows remote attackers to cause a denial of service (DoS) in MiniUPnP 1.0 server via a specifically crafted UDP request. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MiniUPnPd 1.4...

CVSS 7.8 | AI score 0.6 | EPSS 0.76396 | Exploits: 8

Metasploit
•added 2009/01/09 5:33 a.m.•73 views

Victory FTP Server 5.0 LIST DoS

The Victory FTP Server v5.0 can be brought down by sending a very simple LIST command This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Victory FTP Server 5.0 LIST DoS', 'Description' = %q The...

CVSS 5 | AI score 10 | EPSS 0.46309 | Exploits: 2

Metasploit
•added 2007/03/09 6:5 a.m.•73 views

MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow

This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against SP0 to SP3. This module requires Metasploit: https://metasploit.com/download Current...

CVSS 7.5 | EPSS 0.86396 | Exploits: 13

Metasploit
•added 2022/05/11 5:43 p.m.•72 views

Powershell Exec, Reverse HTTP Stager Proxy

Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP Module Options msf use payload/cmd/windows/powershell/meterpreter/reversehttpproxypstore msf payloadreversehttpproxypstore show actions ...actions... msf payloadreversehttpproxypstore set ACTION msf...

AI score 7.2 | Exploits: 0

Metasploit
•added 2022/03/16 5:42 p.m.•72 views

Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support

Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection with UUID Support Module Options msf use payload/cmd/unix/python/meterpreter/bindtcpuuid msf payloadbindtcpuuid show actions...

AI score 7.2 | Exploits: 0

Metasploit
•added 2022/03/16 5:42 p.m.•72 views

Python Exec, Python Meterpreter, Python Bind TCP Stager

Execute a Python payload as an OS command from a Posix-compatible shell. Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection Module Options msf use payload/cmd/unix/python/meterpreter/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp s...

AI score 7.2 | Exploits: 0

Metasploit
•added 2021/08/27 5:42 p.m.•72 views

Git LFS Clone Command Exec

Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are vulnerable to remote code execution while cloning a repository. Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order of...

CVSS 8 | AI score 8.9 | EPSS 0.88644 | Exploits: 5

Metasploit
•added 2021/04/05 5:42 p.m.•72 views

Apache OFBiz SOAP Java Deserialization

This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for versions prior to 17.12.06. Module Options msf use exploit/linux/http/apacheofbizdeserializationsoap msf exploitapacheofbizdeserializationsoap show targets...

CVSS 9.8 | AI score 9.5 | EPSS 0.97969 | Exploits: 9

Metasploit
•added 2020/06/25 8:28 a.m.•72 views

FortiMail Unauthenticated Login Bypass Scanner

This module attempts to detect instances of FortiMail vulnerable against an unauthenticated login bypass (CVE-2020-9294). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FortiMail Unauthenticated...

CVSS 9.8 | AI score 9.8 | EPSS 0.77778 | Exploits: 2

Metasploit
•added 2020/04/04 2:0 a.m.•72 views

Windows Unquoted Service Path Privilege Escalation

This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths:...

AI score 7.1 | Exploits: 0

Metasploit
•added 2019/04/15 6:21 p.m.•72 views

RARLAB WinRAR ACE Format Input Validation Remote Code Execution

In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format in UNACEV2.dll. When the filename field is manipulated with specific patterns, the destination extraction folder is ignored, thus treating the filename as an...

CVSS 7.8 | AI score 7.1 | EPSS 0.96274 | Exploits: 13

Metasploit
•added 2019/03/14 6:26 p.m.•72 views

Webmin Upload Authenticated RCE

This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the 'Running Processes' proc privilege is set the user can accurately...

CVSS 7.8 | AI score 8.5 | EPSS 0.23689 | Exploits: 3

Metasploit
•added 2019/02/06 11:42 a.m.•72 views

Xorg X11 Server Local Privilege Escalation

WARNING: Successful execution of this module results in /etc/passwd being overwritten. This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the...

CVSS 6.6 | AI score 0.2 | EPSS 0.2704 | Exploits: 39

Metasploit
•added 2018/11/25 9:54 p.m.•72 views

Xorg X11 Server SUID modulepath Privilege Escalation

This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 1.20.3. A permission check flaw exists for...

CVSS 6.6 | AI score 7.5 | EPSS 0.2704 | Exploits: 39

Metasploit
•added 2017/07/13 2:12 a.m.•73 views

Identify Cisco Smart Install endpoints

This module attempts to connect to the specified Cisco Smart Install port and determines if it speaks the Smart Install Protocol. Exposure of SMI to untrusted networks can allow complete compromise of the switch. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 7.3 | Exploits: 0

Metasploit
•added 2016/08/09 10:29 a.m.•72 views

Office OLE Multiple DLL Side Loading Vulnerabilities

Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an...

CVSS 8.4 | AI score 8 | EPSS 0.84701 | Exploits: 7

Metasploit
•added 2016/07/12 4:14 p.m.•72 views

Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password or password hash to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name an...

CVSS 7.5 | AI score 6.9 | EPSS 0.63703 | Exploits: 13

Metasploit
•added 2016/07/04 8:10 p.m.•72 views

WebNMS Framework Server Arbitrary Text File Download

This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, as any binary file will get mangled by...

CVSS 7.5 | AI score 7.1 | EPSS 0.97364 | Exploits: 11

Metasploit
•added 2015/05/25 12:37 p.m.•72 views

Android Root Remove Device Locks (root)

This module uses root privileges to remove the device lock. In some cases the original lock method will still be present but any key/gesture will unlock the device. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework clas...

AI score 1.1 | Exploits: 0

Metasploit
•added 2014/09/12 8:5 p.m.•72 views

Windows Gather Remote Desktop Connection Manager Saved Password Extraction

This module extracts and decrypts saved Microsoft Remote Desktop Connection Manager (RDCMan) passwords from the .RDG files of users. The module will attempt to find the files configured for all users on the target system. Passwords for managed hosts are encrypted by default. In order for decryption of...

AI score 0.4 | Exploits: 0

Metasploit
•added 2013/11/07 11:34 p.m.•72 views

Symantec Altiris DS SQL Injection

This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8 to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell, several SQL injections are...

CVSS 7.5 | AI score 7.9 | EPSS 0.32678 | Exploits: 9

Metasploit
•added 2013/06/04 1:53 p.m.•72 views

MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution

This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MiniUPnPd 1.0 Stac...

CVSS 10 | AI score 0.9 | EPSS 0.69151 | Exploits: 14

Metasploit
•added 2013/02/01 7:3 a.m.•72 views

Microsoft Word UNC Path Injector

This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not wor...

AI score 7 | Exploits: 0

Metasploit
•added 2012/12/03 7:12 p.m.•72 views

Ektron 8.02 XSLT Transform Remote Code Execution

This module exploits a vulnerability in Ektron CMS 8.02 before SP5. The vulnerability exists due to the insecure usage of XslCompiledTransform, using a XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 over Windows 2003 SP2, which allows to execute arbitrary...

CVSS 9.8 | AI score 0.8 | EPSS 0.67776 | Exploits: 6

Metasploit
•added 2012/05/13 6:59 p.m.•72 views

Hashtable Collisions

This module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a...

CVSS 7.8 | AI score 7.4 | EPSS 0.83911 | Exploits: 16

Metasploit
•added 2011/12/16 4:54 p.m.•72 views

CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure

This module sends a query to the port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and management station (such as SmartCenter) name via a pre-authentication request. The string returned is the CheckPoint Internal CA CN for SmartCenter and the firewall host. Whilst...

AI score 6.6 | Exploits: 0

Metasploit
•added 2011/05/30 9:0 p.m.•72 views

7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities

This module exploits multiple vulnerabilities found on IGSS 9's Data Server and Data Collector services. The initial approach is first by transferring our binary with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which...

CVSS 10 | AI score 7.1 | EPSS 0.66982 | Exploits: 11

Metasploit
•added 2009/12/13 2:56 a.m.•72 views

NTP.org ntpd Reserved Mode Denial of Service

This module exploits a denial of service vulnerability within the NTP (network time protocol) daemon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unle...

CVSS 6.4 | AI score 6.8 | EPSS 0.32288 | Exploits: 3

Metasploit
•added 2006/11/28 2:41 p.m.•72 views

3CTftpSvc TFTP Long Mode Buffer Overflow

This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By sending a specially crafted packet with an overly long mode field, a remote attacker could overflow a buffer and execute arbitrary code on the system. This module requires Metasploit: https://metasploit.com/download Current sourc...

CVSS 10 | AI score 8.1 | EPSS 0.69364 | Exploits: 12

Metasploit
•added 2026/04/02 7:2 p.m.•71 views

HTTP Fetch, Reverse TCP Stager (IPv6)

Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker over IPv6 Module Options msf use payload/cmd/windows/http/x86/dllinject/reverseipv6tcp msf payloadreverseipv6tcp show actions ...actions... msf payloadreverseipv6tcp set ACTION msf payloadreverseipv6tcp show option...

AI score 6 | Exploits: 0

Metasploit
•added 2026/04/02 7:2 p.m.•71 views

HTTP Fetch, Windows shellcode stage, Windows x86 Bind Named Pipe Stager

Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Listen for a pipe connection Windows x86 Module Options msf use payload/cmd/windows/http/x86/custom/bindnamedpipe msf payloadbindnamedpipe show actions ...actions... msf payloadbindnamedpipe set ACTION msf...

AI score 6 | Exploits: 0

Metasploit
•added 2026/04/02 7:2 p.m.•71 views

HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x86 payload from an HTTP server. Listen for a connection Module Options msf use payload/cmd/windows/http/x86/dllinject/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set options... ms...

AI score 6 | Exploits: 0

Metasploit
•added 2022/05/11 5:43 p.m.•71 views

Powershell Exec, Windows x64 Bind TCP Stager

Execute an x64 payload from a command via PowerShell. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/peinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options...

AI score 7.2 | Exploits: 0

Total number of security vulnerabilities: 5000