6847 matches found
NTDS Grabber
This module uses a PowerShell script to obtain a copy of the ntds.dit, SAM and SYSTEM files on a domain controller. It compresses all these files in a cabinet file called All.cab. This module requires Metasploit: https://metasploit.com/download Current source:...
Adobe Flash Player ByteArray Use After Free
This module exploits a use after free in Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as a Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows 7 SP1 32-bit,...
Cisco SSL VPN Bruteforce Login Utility
This module scans for Cisco SSL VPN web login portals and performs login brute force to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco SSL VPN Bruteforce Logi...
Windows Manage Change Password
This module will attempt to change the password of the targeted account. The typical usage is to change a newly created account's password on a remote host to avoid the error, 'System error 1907 has occurred,' which is caused when the account policy enforces a password change before the next logi...
Persistent Payload in Windows Volume Shadow Copy
This module will attempt to create a persistent payload in a new volume shadow copy. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has been tested successfully on Windows 7. In order to achieve persistence through the RUNKEY option, the user shoul...
Setuid Tunnelblick Privilege Escalation
This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where an insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build...
Unix Command Shell, Reverse TCP SSL (via python)
Creates an interactive shell via python, uses SSL, encodes with base64 by design. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include...
SAP Service Discovery
Scans for listening SAP services. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP Service Discovery', 'Description' = %q Scans for listening SAP services. , 'References' = General 'URL',...
Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation
This module exploits the keyboard layout vulnerability exploited by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading a specially crafted keyboard layout, an attacker can...
Apache Win32 Chunked Encoding
This module exploits the chunked transfer integer wrap vulnerability in Apache version 1.2.x to 1.3.24. This particular module has been tested with all versions of the official Win32 build between 1.3.9 and 1.3.24. Additionally, it should work against most co-branded and bundled versions of Apach...
MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow
This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 Server and Professional SP0-SP1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely...
HTTP Fetch, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)
Fetch and execute an x86 payload from an HTTP server. Custom shellcode stage. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/cmd/windows/http/x86/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf...
Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/meterpreter/reverseordtcp msf payloadreverseordtcp show actions ...actions... msf payloadreverseordtcp set ACTION msf payloadreverseordtcp show options ...show...
Advantech iView Unauthenticated Remote Code Execution
This module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the...
TeamViewer Unquoted URI Handler SMB Redirect
This module exploits an unquoted parameter call within the TeamViewer URI handler to create an SMB connection to an attacker controlled IP. TeamViewer use auxiliary/server/teamviewerurismbredirect msf auxiliaryteamviewerurismbredirect show actions ...actions... msf auxiliaryteamviewerurismbredire...
Ricoh Driver Privilege Escalation
Various Ricoh printer drivers allow escalation of privileges on Windows systems. For vulnerable drivers, a low-privileged user can read/write files within the RICOHDRV directory and its subdirectories. PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, loads driver-specific...
Solaris RSH Stack Clash Privilege Escalation
This module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This module uploads and executes...
AlienVault OSSIM/USM Remote Code Execution
This module exploits object injection, authentication bypass and IP spoofing vulnerabilities all together. Unauthenticated users can execute arbitrary commands under the context of the root user. By abusing the authentication bypass issue on gauge.php, adversaries can exploit the object injection...
Cisco WebEx Chrome Extension RCE (CVE-2017-3823)
This module exploits a vulnerability present in the Cisco WebEx Chrome Extension version 1.0.1 which allows an attacker to execute arbitrary commands on a system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
AD Computer, Group and Recursive User Membership to Local SQLite DB
This module will gather a list of AD groups, identify the users taking into account recursion and write this to a SQLite database for offline analysis and query using normal SQL syntax. This module requires Metasploit: https://metasploit.com/download Current source:...
Chkrootkit Local Privilege Escalation
Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default. This module requires Metasploit: https://metasploit.com/download Current source:...
MSSQL Login Utility
This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credentialcollection' require...
Windows Domain Controller Hashdump
This module attempts to copy the NTDS.dit database from a live Domain Controller and then parse out all of the User Accounts. It saves all of the captured password hashes, including historical ones. This module requires Metasploit: https://metasploit.com/download Current source:...
JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment
This module uses the DeploymentFileRepository class in the JBoss Application Server to deploy a JSP file which then deploys an arbitrary WAR file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
NTP Mode 7 PEER_LIST DoS Scanner
This module identifies NTP servers which permit "PEER_LIST" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka "DRDoS" or traffic amplification) via spoofed requests. This...
ibstat $PATH Privilege Escalation
This module exploits the trusted $PATH environment variable of the SUID binary "ibstat". This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ibstat $PATH Privilege Escalation', 'Description' = %q...
Windows Command Shell, Reverse TCP (via Powershell)
Connect back and create a command shell via Powershell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 1588 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions...
Windows Gather Local and Domain Controller Account Password Hashes
This will dump local accounts from the SAM Database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on privilege level, OS and role of the host. This module requires Metasploit: https://metasploit.com/download Current sourc...
SAP /sap/bc/soap/rfc SOAP Service RFC_READ_TABLE Function Dump Data
This module makes use of the RFC_READ_TABLE Function to read data from tables using the /sap/bc/soap/rfc SOAP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on, inspired by, or is a port o...
Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
Mozilla Firefox before version 41 allowed users to install unsigned browser extensions from arbitrary web servers. This module dynamically creates an unsigned .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page. The victim's Firefox browser will pop...
Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution
This module exploits a flaw (0-day) in the DBMS_JVM_EXP_PERMS package that allows any user with create session privilege to grant themselves Java IO privileges. Identified by David Litchfield. Works on 11g R1 and R2, Windows only. This module requires Metasploit: https://metasploit.com/download Current...
HTTP Verb Authentication Bypass Scanner
This module tests for authentication bypass using different HTTP verbs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Verb Authentication Bypass Scanner', 'Description' = %q This module...
Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Execute an x86 payload from a command via PowerShell. Connect back to the attacker Module Options msf use payload/cmd/windows/powershell/patchupdllinject/reversetcprc4dns msf payloadreversetcprc4dns show actions ...actions... msf payloadreversetcprc4dns set ACTION msf payloadreversetcprc4dns show...
Libuser roothelper Privilege Escalation
This module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This module makes use of the roothelper.c exploit...
TYPO3 News Module SQL Injection
This module exploits a SQL Injection vulnerability in TYPO3 NewsController.php in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection can be used to obtain password hashe...
Windows WMI Receive Notification Exploit
This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64. This module requires Metasploit: https://metasploit.com/download Current source:...
Regsvr32.exe (.sct) Application Whitelisting Bypass Server
This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This...
Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
This module acts as a simplistic administrative client for interfacing with Veeder-Root Automatic Tank Gauges ATGs or other devices speaking the TLS-250 and TLS-350 protocols. This has been tested against GasPot and Conpot, both honeypots meant to simulate ATGs; it has not been tested against...
MySQL Login Utility
This module simply queries the MySQL instance for a specific user/pass (default is root with blank). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credentialcollection' require...
MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
This module abuses a process creation policy in Internet Explorer's sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the Protected Mode and execute code with Medium Integrity. At the moment, this...
Windows Gather Active Directory Users
This module will enumerate user accounts in the default Active Domain (AD) directory and store them in the database. If GROUPMEMBER is set to the DN of a group, this will list the members of that group by performing a recursive/nested search, i.e. it will list users who are members of groups that a...
ElasticSearch Dynamic Script Arbitrary Java Execution
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the REST API, which does not require authentication, where the search function allows dynamic script execution. It can be used for remot...
OSX Capture Userspace Keylogger
Logs all keyboard events except cmd-keys and GUI password input. Keylogs are transferred between client/server in chunks every SYNCWAIT seconds for reliability. Works by calling the Carbon GetKeys hook using the DL lib in OSX's system Ruby. The Ruby code is executed in a shell command using -e, s...
SAP Web GUI Login Brute Forcer
This module attempts to brute force SAP username and passwords through the SAP Web GUI service. Default clients can be tested without needing to set a CLIENT. Common and default user/password combinations can be tested just setting the DEFAULTCRED variable to true. The...
Windows Escalate Task Scheduler XML Privilege Escalation
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that...
OP5 welcome Remote Command Execution
This module exploits an arbitrary root command execution vulnerability in OP5 Monitor welcome. Ekelow AB has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable. This module requires Metasploit: https://metasploit.com/download Current source:...
MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability
This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is...
Typo3 sa-2009-002 File Disclosure
This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to. This module requires Metasploit: https://metasploit.com/download Current source:...
Microweber CMS v1.2.10 Local File Inclusion (Authenticated)
Microweber CMS v1.2.10 has a backup functionality. The upload and download endpoints can be combined to read any file from the filesystem. The upload function may delete the local file if the web service user has access. Module Options msf use auxiliary/gather/microweberlfi msf auxiliarymicroweberlfi sho...
Comodo Credential Gatherer
This module searches for credentials stored in Comodo on a Windows host. Module Options msf use post/windows/gather/credentials/comodo msf postcomodo show actions ...actions... msf postcomodo set ACTION msf postcomodo show options ...show and set options... msf postcomodo run This module requires...