6846 matches found
Nagios XI Magpie_debug.php Root Remote Code Execution
This module exploits two vulnerabilities in Nagios XI. Authors: Chris Lyne (@lynerc), discovery and exploit; Guillaume André (@yaumn), Metasploit module...
Amazon Web Services S3 instance enumeration
Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all S3 buckets associated with the account This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'aws-sdk-s3' clas...
Windows Escalate UAC Protection Bypass (Via SilentCleanup)
There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control the user's environment variables, %windir%...
Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86
This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling...
Atlassian Confluence Widget Connector Macro Velocity Template Injection
Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is...
Oracle Weblogic Server Deserialization RCE - MarshalledObject
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object weblogic.corba.utils.MarshalledObject to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...
Microsoft IIS shortname vulnerability scanner
The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in 2012. In 2014, Soroush...
BADPDF Malicious PDF Creator
This module can either create a blank PDF file which contains a UNC link which can be used to capture NetNTLM credentials, or, if the PDFINJECT option is used, it will inject the necessary code into an existing PDF document if possible. This module requires Metasploit:...
Web browsers HSTS entries eraser
This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox, Google Chrome, Opera, Safari and wget. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Web browse...
Postfixadmin Protected Alias Deletion Vulnerability
Postfixadmin installations between 2.91 and 3.0.1 do not check if an admin is allowed to delete protected aliases. This vulnerability can be used to redirect protected aliases to another mail address, e.g. to rewrite the postmaster@domain alias. This module requires Metasploit:...
Regsvr32.exe (.sct) Application Whitelisting Bypass Server
This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This...
Rejetto HttpFileServer Remote Command Execution
Rejetto HttpFileServer (HFS) is vulnerable to a remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b on Windows XP SP3, Windows 7 SP...
PostgreSQL Login Utility
This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. Note that passwords may be either plaintext or MD5 formatted hashes. This module requires Metasploit:...
Nvidia (nvsvc) Display Driver Service Local Privilege Escalation
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to interact with the service. It contains a stack-based buffer overflow as a result of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe', the service name is 'nvsvc', and the name...
Interactive Graphical SCADA System Remote Command Injection
This module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands. This module requires Metasploit:...
KingView Log File Parsing Buffer Overflow
This module exploits a vulnerability found in KingView. Authors: Lucas Apa (vulnerability discovery); Carlos Mario Penagos Hollman (vulnerability discovery)...
Portable UPnP SDK unique_service_name() Remote Code Execution
This module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this...
NetDecision 4.2 TFTP Directory Traversal
This module exploits a directory traversal vulnerability in the NetDecision 4.2 TFTP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "NetDecision 4.2 TFTP Directory Traversal", 'Descriptio...
Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential
This exploits an insecure configuration found in Scrutinizer NetFlow & sFlow Analyzer. By default, the software installs a default password in MySQL, and binds the service to "0.0.0.0". This allows any remote user to log in to MySQL, and then gain arbitrary remote code execution under the context of...
HP Data Protector Create New Folder Buffer Overflow
This module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in an insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the folder name is split in fragments in this...
Windows Gather Generic File Collection
This module downloads files recursively based on the FILEGLOBS option. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Generic File Collection', 'Description' = %q This module...
Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)
This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...
Java AtomicReferenceArray Type Violation Vulnerability
This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform maliciou...
MS06-066 Microsoft Services nwapi32.dll Module Exploit
This module exploits a stack buffer overflow in the svchost service when the netware client service is running. This specific vulnerability is in the nwapi32.dll module. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
IMail LDAP Service Buffer Overflow
This exploits a buffer overflow in the LDAP service that is part of the IMail product. This module was tested against version 7.10 and 8.5, both running on Windows 2000. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Internet Explorer Credential Gatherer
This module searches for Internet Explorer credentials on a Windows host. Module Options: msf > use post/windows/gather/credentials/ie; msf post(ie) > show actions ...actions...; msf post(ie) > set ACTION; msf post(ie) > show options ...show and set options...; msf post(ie) > run. This module requires Metasploit:...
Gadugadu Credential Gatherer
This module searches for Gadugadu credentials on a Windows host. Gadu-Gadu is a Polish instant messaging client using a proprietary protocol. Gadu-Gadu was the most popular IM service in Poland. Module Options: msf > use post/windows/gather/credentials/gadugadu; msf post(gadugadu) > show actions...
TrixBox CE endpoint_devicemap.php Authenticated Command Execution
This module exploits an authenticated OS command injection vulnerability found in Trixbox CE versions 1.2.0 to 2.8.0.4 inclusive in the "network" POST parameter of the "/maint/modules/endpointcfg/endpoint_devicemap.php" page. Successful exploitation allows for arbitrary command execution on the...
Foxit PDF Reader Pointer Overwrite UAF
Foxit PDF Reader v9.0.1.1049 has a Use-After-Free vulnerability in the Text Annotations component, and the TypedArray's use of uninitialized pointers. The vulnerabilities can be combined to leak a vtable memory address, which can be adjusted to point to the base address of the executable. A ROP chain...
WMI Exec
A similar approach to psexec but executing commands through WMI. #!/usr/bin/env python3 Copyright (c) 2003-2018 CORE Security Technologies This software is provided under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information. import...
SSH Public Key Login Scanner
This module will test SSH logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access. Key files may be a single...
Symantec Messaging Gateway Remote Code Execution
This module exploits the command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute a terminal command under the context of the web server user, which is root. The backupNow.do endpoint takes several user inputs and then passes them to the internal service...
Allwinner 3.4 Legacy Kernel Local Privilege Escalation
This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Vulnerable Allwinner SoC chips: H3, A83T or H8, which rely on Kernel 3.4. Vulnerable OS: all OS images available for Orange Pis, any for FriendlyARM's NanoPi M1, SinoVoip's M2+ and M3, Cuebietech'...
Drupal CODER Module Remote Command Execution
This module exploits a Remote Command Execution vulnerability in the Drupal CODER Module. Unauthenticated users can execute arbitrary commands under the context of the web server user. The CODER module doesn't sufficiently validate user inputs in a script file that has the PHP extension. A...
MSSQL Login Utility
This module simply queries the MSSQL instance for a specific user/pass (the default is sa with a blank password). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credential_collection' require...
Malicious Git and Mercurial HTTP Server For CVE-2014-9390
This module exploits CVE-2014-9390, which affects Git versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1 and Mercurial versions less than 3.2.3 and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be...
Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner
This module scans for HTTP servers that appear to be vulnerable to the 'Misfortune Cookie' vulnerability, which affects Allegro Software RomPager versions before 4.34 and can allow attackers to authenticate to the HTTP service as an administrator without providing valid credentials. This module...
WordPress custom-contact-forms Plugin SQL Upload
The WordPress custom-contact-forms plugin ... Authors: Marc-Alexandre Montpas (vulnerability discovery); Christian Mehlmauer (Metasploit module). References: URL...
ElasticSearch Indices Enumeration Utility
This module enumerates ElasticSearch Indices. It uses the REST API in order to make it...
Windows TrackPopupMenuEx Win32k NULL Page
This module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This module has been tested successfully on Windows 7 SP0 and Windows 7 SP1. This module requires Metasploit: https://metasploit.com/downlo...
Cisco ASA ASDM Bruteforce Login Utility
This module scans for Cisco ASA ASDM web login portals and performs login brute force to identify valid credentials...
freeFTPd PASS Command Buffer Overflow
freeFTPd 1.0.10 and below contains an overflow condition that is triggered as user-supplied input is not properly validated when handling a specially crafted PASS command. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or allow the execution of...
MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow
This module can be used to execute arbitrary code on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service. The service is exploitable even when RDS is configured to deny remote connections (handsafe.reg). The service is...
Microsoft SQL Server Payload Execution via SQL Injection
This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified, this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection...
MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-00...
Free Download Manager Torrent Parsing Buffer Overflow
This module exploits a stack buffer overflow in Free Download Manager 3.0 Build 844. Arbitrary code execution could occur when parsing a specially crafted torrent file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
PHP Command Shell, Reverse TCP (via PHP)
Reverse PHP connect-back shell with checks for disabled functions. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Php...
Python Exec, Python Meterpreter Shell, Reverse HTTP Inline
Execute a Python payload as an OS command from a POSIX-compatible shell. Connect back to the attacker and spawn a Meterpreter shell. Module Options: msf > use payload/cmd/unix/python/meterpreter_reverse_http; msf payload(meterpreter_reverse_http) > show actions ...actions...; msf payload(meterpreter_reverse_http)...
Kubernetes Enumeration
Enumerate a Kubernetes API to report useful resources such as available namespaces, pods, secrets, etc. Useful resources will be highlighted using the HIGHLIGHT_NAME_PATTERN option. Module Options: msf > use auxiliary/cloud/kubernetes/enum_kubernetes; msf auxiliary(enum_kubernetes) > show actions ...actions...
Postbox Credential Gatherer
This module searches for Postbox credentials on a Windows host. Module Options: msf > use post/windows/gather/credentials/postbox; msf post(postbox) > show actions ...actions...; msf post(postbox) > set ACTION; msf post(postbox) > show options ...show and set options...; msf post(postbox) > run. This module requires...