
6846 matches found

Metasploit
•added 2014/02/15 9:21 p.m.•59 views

VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager

Inject a VNC DLL via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score: 7.3
Exploits: 0

Metasploit
•added 2013/10/22 7:12 p.m.•59 views

Node.js HTTP Pipelining Denial of Service

This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions released before 0.10.21 and 0.8.26. The attack sends many pipelined HTTP requests on a single connection, which causes unbounded memory allocation when the client does not read the responses. This module...

CVSS: 5, AI score: 0.5, EPSS: 0.3722
Exploits: 3

Metasploit
•added 2013/09/05 6:41 p.m.•59 views

Linux Gather Virtual Environment Detection

This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, Bhyve and QEMU/KVM. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score: 7.2
Exploits: 0

Metasploit
•added 2013/02/04 7:44 a.m.•59 views

D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution

This module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev...

AI score: 1
Exploits: 0

Metasploit
•added 2012/11/05 6:27 p.m.•59 views

Windows Gather Local Admin Search

This module will identify systems in a given range that the supplied domain user (should migrate into a user pid) has administrative access to by using the Windows API OpenSCManagerA to establish a handle to the remote host. Additionally it can enumerate logged in users and group membership via...

AI score: 6.9
Exploits: 0

Metasploit
•added 2012/06/16 7:17 a.m.•59 views

F5 BIG-IP SSH Private Key Exposure

F5 ships a public/private key pair on BIG-IP appliances that allows passwordless authentication to any other BIG-IP box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. This module requires Metasploit: https://metasploit.com/download Current...

CVSS: 7.8, AI score: 8.2, EPSS: 0.63078
Exploits: 15

Metasploit
•added 2011/11/07 5:34 p.m.•59 views

TYPO3 sa-2009-001 Weak Encryption Key File Disclosure

This module exploits a flaw in the TYPO3 encryption key creation process to allow for file disclosure in the jumpUrl mechanism. This flaw can be used to read any file that the web server user account has access to view. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 7.5, AI score: 7, EPSS: 0.09442
Exploits: 2

Metasploit
•added 2011/07/18 11:15 p.m.•59 views

Java Meterpreter, Java Reverse HTTP Stager

Run a meterpreter server in Java. Tunnel communication over HTTP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Java...

AI score: 7
Exploits: 0

Metasploit
•added 2010/10/20 11:53 a.m.•59 views

Fat Player Media Player 0.6b0 Buffer Overflow

This module exploits a buffer overflow in Fat Player 0.6b. When the application is used to import a specially crafted wav file, a buffer overflow occurs allowing arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 9.3, AI score: 10, EPSS: 0.31377
Exploits: 6

Metasploit
•added 2010/09/27 1:31 p.m.•59 views

Windows MessageBox

Spawns a dialog via MessageBox using a customizable title, text & icon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 231 include Msf::Payload::Windows include Msf::Payload::Singl...

AI score: 7.3
Exploits: 0

Metasploit
•added 2010/08/24 6:20 p.m.•59 views

Adobe PDF Escape EXE Social Engineering (No JavaScript)

This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 9.3, AI score: 0.3, EPSS: 0.73436
Exploits: 7

Metasploit
•added 2008/03/17 2:23 p.m.•60 views

KarjaSoft Sami FTP Server v2.0.2 USER Overflow

This module exploits an unauthenticated stack buffer overflow in KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long USER string during login. The payload is triggered when the administrator opens the application GUI. If the GUI window is open at the time of exploitation, the payloa...

CVSS: 7.5, AI score: 0.5, EPSS: 0.70423
Exploits: 6

Metasploit
•added 2005/11/25 8:31 p.m.•59 views

WebSTAR FTP Server USER Overflow

This module exploits a stack buffer overflow in the logging routine of the WebSTAR FTP server. Reliable code execution is obtained by a series of hops through the System library. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 7.5, AI score: 0.6, EPSS: 0.38194
Exploits: 6

Metasploit
•added 2021/09/28 5:42 p.m.•58 views

Incredimail Credential Gatherer

This module searches for Incredimail credentials on a Windows host. Module Options msf use post/windows/gather/credentials/incredimail msf postincredimail show actions ...actions... msf postincredimail set ACTION msf postincredimail show options ...show and set options... msf postincredimail run...

AI score: 7.1
Exploits: 0

Metasploit
•added 2021/09/09 5:42 p.m.•58 views

Office 365 User Enumeration

Enumerate valid usernames (email addresses) from Office 365 using ActiveSync. Differences in the HTTP Response code and HTTP Headers can be used to differentiate between: - Valid Username Response code 401 - Valid Username and Password without 2FA Response Code 200 - Valid Username and Password wit...

AI score: 7.2
Exploits: 0

Metasploit
•added 2021/07/08 5:42 p.m.•58 views

Print Spooler Remote DLL Injection

The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running. Module Options msf use...

CVSS: 9.3, AI score: 8, EPSS: 0.99759
Exploits: 75

Metasploit
•added 2020/10/07 5:41 p.m.•58 views

SAP Internet Graphics Server (IGS) XMLCHART XXE

This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when...

CVSS: 7.5, AI score: 7.5, EPSS: 0.40591
Exploits: 2

Metasploit
•added 2020/05/29 3:20 p.m.•58 views

LinuxKI Toolset 6.01 Remote Command Execution

This module exploits a vulnerability in LinuxKI Toolset 'LinuxKI Toolset 6.01 Remote Command Execution', 'Description' = %q This module exploits a vulnerability in LinuxKI Toolset MSFLICENSE, 'Author' = 'Cody Winkler', discovery and poc 'numan türle' msf exploit , 'References' = 'EDB', '48483',...

CVSS: 9.8, AI score: 0.3, EPSS: 0.98846
Exploits: 10

Metasploit
•added 2020/05/28 7:11 p.m.•58 views

QNAP QTS and Photo Station Local File Inclusion

This module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This module h...

CVSS: 9.8, AI score: 0.2, EPSS: 0.89681
Exploits: 11

Metasploit
•added 2019/10/01 7:3 p.m.•58 views

Micro Focus (HPE) Data Protector SUID Privilege Escalation

This module exploits the trusted $PATH environment variable of the SUID binary omniresolve in Micro Focus (HPE) Data Protector A.10.40 and prior. The omniresolve executable calls the oracleasm binary using a relative path and the trusted environment $PATH, which allows an attacker to execute a cust...

CVSS: 7.8, AI score: 7.1, EPSS: 0.07847
Exploits: 4

Metasploit
•added 2018/04/27 11:54 p.m.•58 views

Metasploit msfd Remote Code Execution via Browser

Metasploit's msfd-service makes it possible to get a msfconsole-like interface over a TCP socket. This module connects to the msfd-socket through the victim's browser. To execute msfconsole-commands in JavaScript from a web application, this module places the payload in the POST-data. These...

AI score: 7.3
Exploits: 0

Metasploit
•added 2018/04/03 6:44 a.m.•58 views

WebKit not_number defineProperties UAF

This module exploits a UAF vulnerability in WebKit's JavaScriptCore library. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WebKit notnumber defineProperties UAF', 'Description' = %q This modu...

CVSS: 8.8, AI score: 6.1, EPSS: 0.66788
Exploits: 13

Metasploit
•added 2018/01/23 7:0 a.m.•58 views

Command Shell, Reverse UDP (via python)

Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...

AI score: 7.1
Exploits: 0

Metasploit
•added 2017/06/06 8:59 p.m.•58 views

Linux Gather TOR Hidden Services

This module collects the hostnames and private keys of any TOR Hidden Services running on the target machine. It will search for torrc and if found, will parse it for the directories of Hidden Services. However, root permissions are required to read them as they are owned by the user that TO...

AI score: 0.2
Exploits: 0

Metasploit
•added 2017/03/09 8:19 p.m.•58 views

Apache Struts Jakarta Multipart Parser OGNL Injection

This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cm...

CVSS: 9.8, AI score: 0.6, EPSS: 0.99999
Exploits: 44

Metasploit
•added 2017/01/06 11:5 p.m.•59 views

Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability

This module exploits a vulnerability found in Cisco Firepower Management Console. The management system contains a configuration flaw that allows the www user to execute the useradd binary, which can be abused to create backdoor accounts. Authentication is required to exploit this vulnerability...

CVSS: 8.8, AI score: 0.2, EPSS: 0.7575
Exploits: 8

Metasploit
•added 2015/03/23 6:44 p.m.•58 views

Firefox Proxy Prototype Privileged Javascript Injection

This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability. This module requires Metasploit:...

CVSS: 7.5, AI score: 9.5, EPSS: 0.67465
Exploits: 7

Metasploit
•added 2015/02/27 6:31 p.m.•58 views

Symantec Web Gateway 5 restore.php Post Authentication Command Injection

This module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function, and gain control under the context of HTTP service. For Symantec Web Gateway 5.1.1, you can explo...

CVSS: 6.5, AI score: 7.8, EPSS: 0.50324
Exploits: 6

Metasploit
•added 2013/12/26 12:1 p.m.•58 views

IBM Lotus Notes Sametime User Enumeration

This module extracts usernames using the IBM Lotus Notes Sametime web interface using either a dictionary attack (which is preferred), or a bruteforce attack trying all usernames of MAXDEPTH length or less. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 5, AI score: 7.1, EPSS: 0.13151
Exploits: 2

Metasploit
•added 2013/08/27 4:29 a.m.•58 views

VMWare Setuid vmware-mount Unsafe popen(3)

VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an...

CVSS: 6.9, AI score: 6.8, EPSS: 0.04638
Exploits: 4

Metasploit
•added 2013/03/23 9:25 p.m.•58 views

TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability

This module tests whether a directory traversal vulnerability is present in versions of TP-Link Access Point 3.12.16 Build 120228 Rel.37317n. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

CVSS: 7.8, AI score: 7.3, EPSS: 0.68716
Exploits: 4

Metasploit
•added 2012/12/18 10:48 p.m.•58 views

InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow

This module exploits a heap overflow found in InduSoft Web Studio HttpClients::IE, :uaminver = "6.0", :uamaxver = "9.0", :javascript = true, :osname = OperatingSystems::Match::WINDOWS, :rank = NormalRanking, :classid = "3c9dff6f-5cb0-422e-9978-d6405d10718f", :method = "InternationalSeparator" def...

CVSS: 9.3, AI score: 7, EPSS: 0.32349
Exploits: 12

Metasploit
•added 2012/11/07 3:17 p.m.•58 views

SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering

This module makes use of the RFC_SYSTEM_INFO Function to obtain the operating system version, SAP version, IP address and other information through the use of the /sap/bc/soap/rfc SOAP service. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 5, AI score: 6.7, EPSS: 0.138
Exploits: 2

Metasploit
•added 2012/10/18 11:3 p.m.•58 views

NTP Clock Variables Disclosure

This module reads the system internal NTP variables. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers, and more. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 5, AI score: 8.1, EPSS: 0.97549
Exploits: 23

Metasploit
•added 2012/09/20 5:2 p.m.•58 views

NTR ActiveX Control StopModule() Remote Code Execution

This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The vulnerability exists in the StopModule method, where the lModule parameter is used to dereference memory to get a function pointer, which leads to code execution under the context of the user visiting a malicious web page...

CVSS: 9.3, AI score: 7.5, EPSS: 0.38975
Exploits: 4

Metasploit
•added 2012/08/25 7:41 a.m.•58 views

Generic HTTP Directory Traversal Utility

This module allows you to test if a web server or web application is vulnerable to directory traversal with three different actions. The 'CHECK' action (default) is used to automatically or manually find if directory traversal exists in the web server, and then return the path that triggers the...

AI score: 7.2
Exploits: 0

Metasploit
•added 2012/08/07 5:13 p.m.•58 views

Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass

This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer without any authentication. Versions such as 9.0.1 or older are affected. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

CVSS: 5, AI score: 6.5, EPSS: 0.44458
Exploits: 5

Metasploit
•added 2011/09/18 2:45 a.m.•58 views

DaqFactory HMI NETB Request Overflow

This module exploits a stack buffer overflow in Azeotech's DaqFactory product. The specific vulnerability is triggered when sending a specially crafted 'NETB' request to port 20034. Exploitation of this vulnerability may take a few seconds due to the use of egghunter. This vulnerability was one o...

CVSS: 10, AI score: 7.3, EPSS: 0.70909
Exploits: 3

Metasploit
•added 2010/03/15 4:34 p.m.•58 views

Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution

This module exploits a flaw (0 day) in the DBMS_JVM_EXP_PERMS package that allows any user with create session privilege to grant themselves java IO privileges. Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only). This module requires Metasploit: https://metasploit.com/download...

CVSS: 6.5, AI score: 6.9, EPSS: 0.1125
Exploits: 4

Metasploit
•added 2009/11/18 4:16 a.m.•58 views

HTTPDX tolog() Function Format String Vulnerability

This module exploits a format string vulnerability in HTTPDX HTTP server. By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP. This...

CVSS: 9.3, AI score: 7.6, EPSS: 0.37895
Exploits: 5

Metasploit
•added 2009/07/21 12:56 p.m.•58 views

Unix Command Shell, Bind TCP (via netcat)

Listen for a connection and spawn a command shell via netcat. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include...

AI score: 7.2
Exploits: 0

Metasploit
•added 2009/07/01 3:55 a.m.•58 views

Iomega StorCenter Pro NAS Web Authentication Bypass

The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs, allowing for simple brute force attacks to bypass authentication and gain administrative access. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 9.8, AI score: 7.5, EPSS: 0.23195
Exploits: 3

Metasploit
•added 2022/01/29 5:42 p.m.•57 views

Generic Command Nop Generator

Generates harmless padding for command payloads. Module Options msf use nop/cmd/generic msf nopgeneric show actions ...actions... msf nopgeneric set ACTION msf nopgeneric show options ...show and set options... msf nopgeneric run This module requires Metasploit: https://metasploit.com/download...

AI score: 7.2
Exploits: 0

Metasploit
•added 2021/09/09 5:42 p.m.•57 views

Atlassian Confluence WebWork OGNL Injection

This module exploits an OGNL injection in Atlassian Confluence's WebWork component to execute commands as the Tomcat user. Module Options msf use exploit/linux/http/atlassianconfluencewebworkognlinjection msf exploitatlassianconfluencewebworkognlinjection show targets ...targets... msf...

CVSS: 9.8, AI score: 7.7, EPSS: 0.99999
Exploits: 45

Metasploit
•added 2020/11/12 5:41 p.m.•57 views

SaltStack Salt REST API Arbitrary Command Execution

This module exploits an authentication bypass and command injection in SaltStack Salt's REST API to execute commands as the root user. The following versions have received a patch: 2015.8.10, 2015.8.13, 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10, 2017.7.4, 2017.7.8, 2018.3.5,...

CVSS: 9.8, AI score: 10, EPSS: 0.99585
Exploits: 5

Metasploit
•added 2020/04/21 8:53 a.m.•57 views

IBM Data Risk Manager Arbitrary File Download

IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system. The first is an unauthenticated bypass, followed by a path traversal. This module exploits both vulnerabilities, giving an attacker the ability to...

CVSS: 9.8, AI score: 7.7, EPSS: 0.71363
Exploits: 10

Metasploit
•added 2019/11/06 7:57 a.m.•57 views

Unix Command Shell, Reverse TCP (via jjs)

Connect back and create a command shell via jjs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 863 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...

AI score: 7.5
Exploits: 0

Metasploit
•added 2019/04/10 10:17 p.m.•57 views

Microsoft Windows Contact File Format Arbitary Code Execution

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact...

AI score: 7.7
Exploits: 0

Metasploit
•added 2018/11/29 1:20 p.m.•57 views

CyberLink LabelPrint 2.5 Stack Buffer Overflow

This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. The vulnerability is triggered when opening a .lpp project file containing overly long string characters via open file menu. This results in overwriting a structured exception handler record and take over the...

CVSS: 7.8, AI score: 7.8, EPSS: 0.19194
Exploits: 9

Metasploit
•added 2018/09/18 8:9 a.m.•57 views

Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow

This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially crafted packets. This module has been tested successfully on Delta Electronics Delta Industrial Automation COMMGR 1.08 ov...

CVSS: 9.8, AI score: 7.4, EPSS: 0.68957
Exploits: 10
Total number of security vulnerabilities: 5000