6847 matches found
MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution
This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MiniUPnPd 1.0 Stac...
Microsoft Word UNC Path Injector
This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not wor...
Wordpress Pingback Locator
This module will scan for wordpress sites with the Pingback API enabled. By interfacing with the API an attacker can cause the wordpress site to port scan an external target and return results. Refer to the wordpresspingbackportscanner module. This issue was fixed in wordpress 3.5.1 This module...
Ektron 8.02 XSLT Transform Remote Code Execution
This module exploits a vulnerability in Ektron CMS 8.02 before SP5. The vulnerability exists due to the insecure usage of XslCompiledTransform, using a XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 over Windows 2003 SP2, which allows to execute arbitrary...
Hashtable Collisions
This module uses a denial-of-service DoS condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a...
7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
This module exploits multiple vulnerabilities found on IGSS 9's Data Server and Data Collector services. The initial approach is first by transferring our binary with Write packets opcode 0x0D via port 12401 igssdataserver.exe, and then send an EXE packet opcode 0x0A to port 12397 dc.exe, which...
NTP.org ntpd Reserved Mode Denial of Service
This module exploits a denial of service vulnerability within the NTP network time protocol demon. By sending a single packet to a vulnerable ntpd server Victim A, spoofed from the IP address of another vulnerable ntpd server Victim B, both victims will enter an infinite response loop. Note, unle...
3CTftpSvc TFTP Long Mode Buffer Overflow
This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By sending a specially crafted packet with an overly long mode field, a remote attacker could overflow a buffer and execute arbitrary code on the system. This module requires Metasploit: https://metasploit.com/download Current sourc...
HTTP Fetch, Windows shellcode stage, Find Tag Ordinal Stager
Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Use an established connection Module Options msf use payload/cmd/windows/http/x86/custom/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and se...
HTTP Fetch, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)
Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/cmd/windows/http/x86/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf...
Powershell Exec, Windows x64 Bind TCP Stager
Execute an x64 payload from a command via PowerShell. Listen for a connection Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/peinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options...
K-Meleon Credential Gatherer
This module searches for K-Meleon credentials on a Windows host. Module Options msf use post/windows/gather/credentials/kmeleon msf postkmeleon show actions ...actions... msf postkmeleon set ACTION msf postkmeleon show options ...show and set options... msf postkmeleon run This module requires...
Opera Credential Gatherer
This module searches for Opera credentials on a Windows host. Module Options msf use post/windows/gather/credentials/opera msf postopera show actions ...actions... msf postopera set ACTION msf postopera show options ...show and set options... msf postopera run This module requires Metasploit:...
Apache Tapestry HMAC secret key leak
This exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits hd : 6hd-4hd-4hd-4hd-12hd If the HMAC key has been changed to look differently, this...
SaltStack Salt Master/Minion Unauthenticated RCE
This module exploits unauthenticated access to the runner and sendpub methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager...
IBM Data Risk Manager Unauthenticated Remote Code Execution
IBM Data Risk Manager IDRM contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. Thi...
Apache Solr Remote Code Execution via Velocity Template
This module exploits a vulnerability in Apache Solr 'Apache Solr Remote Code Execution via Velocity Template', 'Description' = %q This module exploits a vulnerability in Apache Solr = 8.3.0 which allows remote code execution via a custom Velocity template. Currently, this module only supports Sol...
Fortinet SSL VPN Bruteforce Login Utility
This module scans for Fortinet SSL VPN web login portals and performs login brute force to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Fortinet SSL VPN Bruteforc...
Eaton Xpert Meter SSH Private Key Exposure Scanner
Eaton Power Xpert Meters running firmware below version 12.x.x.x or below version 13.3.x.x ship with a public/private key pair that facilitate remote administrative access to the devices. Tested on: Firmware 12.1.9.1 and 13.3.2.10. This module requires Metasploit: https://metasploit.com/download...
Reliable Datagram Sockets (RDS) Privilege Escalation
This module exploits a vulnerability in the rdspagecopyuser function in net/rds/page.c RDS in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root CVE-2010-3904. This module has been tested successfully on Fedora 13 i686 with kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04...
Windows Manage Persistent EXE Payload Installer
This Module will upload an executable to a remote host and make it Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login, SYSTEM will start on system boot but requires privs. SERVICE will create a new service which will start the payload. Again requires privs...
ImageMagick Delegate Arbitrary Command Execution
This module exploits a shell command injection in the way "delegates" commands for converting files are processed in ImageMagick versions 'ImageMagick Delegate Arbitrary Command Execution', 'Description' = %q This module exploits a shell command injection in the way "delegates" commands for...
NETGEAR ProSafe Network Management System 300 Authenticated File Download
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file in the system. This module has been tested with versions 1.5.0.2, 1.4.0.17 and...
LastPass Vault Decryptor
This module extracts and decrypts LastPass master login accounts and passwords, encryption keys, 2FA tokens and all the vault passwords This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'English' require 'sqlite...
Windows Gather User Credentials (phishing)
This module is able to perform a phishing attack on the target by popping up a loginprompt. When the user fills credentials in the loginprompt, the credentials will be sent to the attacker. The module is able to monitor for new processes and popup a loginprompt when a specific process is starting...
Authentication Capture: SMB
This module provides a SMB service that can be used to capture the challenge-response password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems. Responses sent by this service by default use a random 8 byte challenge string. A specific value such as 1122334455667788 can be set...
WinRM Script Exec Remote Code Execution
This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2 and above and VBS CmdStager. The module will check if Powershell is available, and if so uses that method. Otherwise it falls back to the VBS...
Unix Command Shell, Reverse TCP SSL (via perl)
Creates an interactive shell via perl, uses SSL This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 173 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...
Microsoft Windows Authenticated Logged In Users Enumeration
This module uses a valid administrator username and password to enumerate users currently logged in, using a similar technique than the "psexec" utility provided by SysInternals. It uses reg.exe to query the HKU base registry key. This module requires Metasploit: https://metasploit.com/download...
FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
This module exploits FreePBX version 2.10.0,2.9.0 and possibly older. Due to the way callmepage.php handles the 'callmenum' parameter, it is possible to inject code to the '$channel' variable in function callmestartcall in order to gain remote code execution. Please note in order to use this modu...
HTTP Fetch, Find Tag Ordinal Stager
Fetch and execute an x86 payload from an HTTP server. Use an established connection Module Options msf use payload/cmd/windows/http/x86/dllinject/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options... msf...
Bookmarked Sites Retriever
This module discovers information about a target by retrieving their bookmarked websites on Google Chrome, Opera and Microsoft Edge. Module Options msf use post/windows/gather/getbookmarks msf postgetbookmarks show actions ...actions... msf postgetbookmarks set ACTION msf postgetbookmarks show...
Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection
This module exploits a command injection vulnerability CVE-2020-35578 in the /admin/monitoringplugins.php page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the apache user by uploading a...
Windows SecureCRT Session Information Enumeration
This module will determine if SecureCRT is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible, using the decryption information that HyperSine reverse...
Microsoft Windows Defender Evasive JS.Net and HTA
This module will generate an HTA file that writes and compiles a JScript.NET file containing shellcode on the target machine. After compilation, the generated EXE will execute the shellcode without interference from Windows Defender. It is recommended that you use a payload that uses RC4 or HTTPS...
Path Traversal in Oracle GlassFish Server Open Source Edition
This module exploits an unauthenticated directory traversal vulnerability which exists in administration console of Oracle GlassFish Server 4.1, which is listening by default on port 4848/TCP. This module requires Metasploit: https://metasploit.com/download Current source:...
ASUS infosvr Auth Bypass Command Execution
This module exploits an authentication bypass vulnerability in the infosvr service running on UDP port 9999 on various ASUS routers to execute arbitrary commands as root. This module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote...
Xplico Remote Code Execution
This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user. The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from ...
Kaseya VSA uploader.aspx Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory leading to arbitrary code execution with IUSR privileges. This module has been tested with Kaseya v7.0.0.17...
Windows Gather Credentials Local Administrator Password Solution
This module will recover the LAPS Local Administrator Password Solution passwords, configured in Active Directory, which is usually only accessible by privileged users. Note that the local administrator account name is not stored in Active Directory, so it is assumed to be 'Administrator' by...
HTTP Login Utility
This module attempts to authenticate to an HTTP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credentialcollection' require 'metasploit/framework/loginscanner/http' class...
JBoss JMX Console Beanshell Deployer WAR Upload and Deployment
This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment method. This module requires Metasploit: https://metasploit.com/download Current...
Windows Gather Skype Saved Password Hash Extraction
This module finds saved login credentials for the Windows Skype client. The hash is in MD5 format that uses the username, a static string "\nskyper\n" and the password. The resulting MD5 is stored in the Config.xml file for the user after being XOR'd against a key generated by applying 2 SHA1...
Linux udev Netlink Local Privilege Escalation
Versions of udev 'Linux udev Netlink Local Privilege Escalation', 'Description' = %q Versions of udev MSFLICENSE, 'Author' = 'kcope', discovery 'Jon Oberheide', 95-udev-late.rules technique 'egypt' metasploit module , 'Platform' = 'linux' , 'Arch' = ARCHX86, ARCHX64 , 'SessionTypes' = 'shell',...
Support Incident Tracker Remote Command Execution
This module combines two separate issues within Support Incident Tracker 'Support Incident Tracker Remote Command Execution', 'Description' = %q This module combines two separate issues within Support Incident Tracker 'Secunia Research', Original discovery...
Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Execute an x86 payload from a command via PowerShell. Listen for a connection Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/bindtcprc4 msf payloadbindtcprc4 show actions ...actions... msf payloadbindtcprc4 set ACTION msf payloadbindtcprc4 show options ...show and set...
Powershell Exec, Hidden Bind TCP Stager
Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host. Module Options msf use payload/cmd/windows/powershell/patchupmeterpreter/bindhiddentcp msf payloadbindhiddentcp show actions ...actions... msf...
Python Exec, Command Shell, Reverse TCP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellreversetcp msf payloadshellreversetcp show actions...
Flock Credential Gatherer
This module searches for credentials stored in Flock on a Windows host. Module Options msf use post/windows/gather/credentials/flock msf postflock show actions ...actions... msf postflock set ACTION msf postflock show options ...show and set options... msf postflock run This module requires...
Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
This module exploits a vulnerability in the getprofile.sh script of Nagios XI prior to 5.6.6 in order to upload a malicious checkping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0-5.4.13, the commands are run as the nagios user. For versions 5.5.0-5.6.5 the commands are run a...