Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
This module acts as a simplistic administrative client for interfacing with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking the TLS-250 and TLS-350 protocols. This has been tested against GasPot and Conpot, both honeypots meant to simulate ATGs; it has not been tested against...
NTP "NAK to the Future"
Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This module sends these Crypto-NAK packets in order to establish an association between the target ntpd instance and t...
Multi Recon Local Exploit Suggester
This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It's important to note that not all local exploits will be fired. Exploits are...
Adobe Flash Player Shader Buffer Overflow
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on the following operating...
VMware Server Directory Traversal Vulnerability
This module exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware server ports 80/8222 a...
MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8,...
Windows TrackPopupMenu Win32k NULL Pointer Dereference
This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested...
HP Operations Manager Perfd Environment Scanner
This module will enumerate the process list of a remote machine by abusing HP Operations Manager's unauthenticated 'perfd' daemon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HP Operations...
JBoss JMX Console Beanshell Deployer WAR Upload and Deployment
This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment method. This module requires Metasploit: https://metasploit.com/download Current...
Cerberus FTP Server SFTP Username Enumeration
This module uses a dictionary to brute force valid usernames from Cerberus FTP server via SFTP. This issue affects all versions of the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy in the way the SSH service handles failed logins for valid and invalid users. This issue was...
Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow
This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in ngx_http_parse_chunked by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a sta...
AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass
This module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity...
MS12-020 Microsoft Remote Desktop Checker
This module checks a range of hosts for the MS12-020 vulnerability. This does not cause a DoS on the target. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MS12-020 Microsoft Remote Desktop...
SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Injection
This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is...
Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file with a large nTables value in the 'kern' header, it is possible to trigger an integer overflow, which results in remote code execution und...
Telnet Service Encryption Key ID Overflow Detection
Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Telnet Service Encryption Key ID Overflow Detection',...
Microsoft IIS FTP Server LIST Stack Exhaustion
This module triggers a Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls -R) command containing a wildcard. For this exploit to work in most cases, you need (1) a valid ftp account: either a read-only or write-access account, and (2) the "FT...
Windows Gather Screen Spy
This module will incrementally take desktop screenshots from the host. This allows for screen spying which can be useful to determine if there is an active user on a machine, or to record the screen for later data extraction. Note: As of March, 2014, the VIEWCMD option has been removed in favor o...
Windows Gather Bitcoin Wallet
This module downloads any Bitcoin wallet files from the target system. It currently supports both the classic Satoshi wallet and the more recent Armory wallets. Note that Satoshi wallets tend to be unencrypted by default, while Armory wallets tend to be encrypted by default. This module requires...
Windows Gather SMB Share Enumeration via Registry
This module will enumerate configured and recently used file shares. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather SMB Share Enumeration via Registry', 'Description' = %q This...
TWiki History TWikiUsers rev Parameter Command Execution
This module exploits a vulnerability in the history component of TWiki. By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands. This module requires Metasploit: https://metasploit.com/download Current source:...
HTTP Verb Authentication Bypass Scanner
This module tests for authentication bypass using different HTTP verbs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Verb Authentication Bypass Scanner', 'Description' = %q This module...
Java JSP Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 1593 include Msf::Payload::Single include Msf::Payload::JSP include...
HTTP Fetch, Find Tag Ordinal Stager
Fetch and execute an x86 payload from an HTTP server. Use an established connection Module Options msf use payload/cmd/windows/http/x86/dllinject/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options ...show and set options... msf...
Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP Windows x64 wininet Module Options msf use payload/cmd/windows/powershell/x64/custom/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf...
LINE Credential Gatherer
This module searches for credentials in LINE desktop application on a Windows host. LINE is the most popular Instant Messenger app in Japan. Module Options msf use post/windows/gather/credentials/line msf postline show actions ...actions... msf postline set ACTION msf postline show options ...sho...
DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation
This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the ServerLevelPluginDll value using dnscmd.exe to create a registry key at HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ named ServerLevelPluginDll that can be made to point to an...
Mikrotik Gather Device General Information
This module collects Mikrotik device information and configuration. This module has been tested against RouterOS 6.45.9. Module Options msf use post/networking/gather/enummikrotik msf postenummikrotik show actions ...actions... msf postenummikrotik set ACTION msf postenummikrotik show options...
Bludit Directory Traversal Image File Upload Vulnerability
This module exploits a vulnerability in Bludit. A remote user could abuse the uuid parameter in the image upload feature in order to save a malicious payload anywhere onto the server, and then use a custom .htaccess file to bypass the file extension check to finally get remote code execution. Thi...
Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
This module exploits a flaw in the WSReset.exe file associated with the Windows Store. This binary has autoelevate privs, and it will run a binary file contained in a low-privilege registry location. By placing a link to the binary in the registry location, WSReset.exe will launch the binary as a...
Mac OS X Feedback Assistant Race Condition
This module exploits a race condition vulnerability in Mac's Feedback Assistant. A successful attempt would result in remote code execution under the context of root. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Apply Pot File To Hashes
This module uses a John the Ripper or Hashcat .pot file to crack any password hashes in the creds database instantly. JtR's --show functionality is used to help combine all the passwords into an easy to use format. This module requires Metasploit: https://metasploit.com/download Current source:...
Nuuo Central Management Authenticated SQL Server SQLi
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will...
Apport / ABRT chroot Privilege Escalation
This module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace "container". Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing t...
WordPress Symposium Plugin SQL Injection
This module exploits a SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress, which allows remote attackers to extract credentials via the size parameter to get_album_item.php. This module requires Metasploit: https://metasploit.com/download Current source:...
SysAid Help Desk Arbitrary File Download
This module exploits two vulnerabilities in SysAid Help Desk that allow an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we abuse a directory traversal (CVE-2015-2996) ...
Java JMX Server Insecure Configuration Java Code Execution
This module takes advantage of a Java JMX interface insecure configuration, which would allow loading classes from any remote HTTP URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while interfaces with authentication enabled will ...
OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the VMWare Fusion application, allowing an unprivileged local user to get root access. This module requires Metasploit: https://metasploit.com/download Curre...
SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection
This module makes use of the SXPG_COMMAND_EXEC Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module i...
MS11-080 AfdJoinLeaf Privilege Escalation
This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then...
Schneider Modicon Quantum Password Recovery
The Schneider Modicon Quantum series of Ethernet cards store usernames and passwords for the system in files that may be retrieved via backdoor access. This module is based on the original 'modiconpass.rb' Basecamp module from DigitalBond. This module requires Metasploit:...
General Electric D20 Password Recovery
The General Electric D20ME (and possibly other units, D200?) feature TFTP-readable configurations with plaintext passwords. This module retrieves the username, password, and authentication level list. This module requires Metasploit: https://metasploit.com/download Current source:...
Serv-U FTP Server Buffer Overflow
This module exploits a stack buffer overflow in the site chmod command in versions of Serv-U FTP Server prior to 4.2. You must have valid credentials to trigger this vulnerability. Exploitation also leaves the service in a non-functional state. This module requires Metasploit:...
MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability
This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is...
Operamail Credential Gatherer
This module searches for Operamail credentials on a Windows host. Module Options msf use post/windows/gather/credentials/operamail msf postoperamail show actions ...actions... msf postoperamail set ACTION msf postoperamail show options ...show and set options... msf postoperamail run This module...
Aim Credential Gatherer
This module searches for Aim credentials on a Windows host. Module Options msf use post/windows/gather/credentials/aim msf postaim show actions ...actions... msf postaim set ACTION msf postaim show options ...show and set options... msf postaim run This module requires Metasploit:...
Digsby Credential Gatherer
This module searches for Digsby credentials on a Windows host. Module Options msf use post/windows/gather/credentials/digsby msf postdigsby show actions ...actions... msf postdigsby set ACTION msf postdigsby show options ...show and set options... msf postdigsby run This module requires Metasploi...
Miranda Credential Gatherer
This module searches for Miranda credentials on a Windows host. Module Options msf use post/windows/gather/credentials/miranda msf postmiranda show actions ...actions... msf postmiranda set ACTION msf postmiranda show options ...show and set options... msf postmiranda run This module requires...
Multiplatform Installed Software Version Enumerator
This module, when run against a compromised machine, will gather details on all installed software, including their versions and, if available, when they were installed, and will save it into a loot file for later use. Users can then use this loot file to determine what additional vulnerabilities m...
Schneider Electric Pelco Endura NET55XX Encoder
This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. This module has been tested successfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions. This module requires Metasploit:...