6846 matches found
IBM Data Risk Manager Arbitrary File Download
IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system. The first is an unauthenticated bypass, followed by a path traversal. This module exploits both vulnerabilities, giving an attacker the ability to...
Unix Command Shell, Reverse TCP (via jjs)
Connect back and create a command shell via jjs. This module requires Metasploit: https://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework
Microsoft Windows Contact File Format Arbitrary Code Execution
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact...
CyberLink LabelPrint 2.5 Stack Buffer Overflow
This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. The vulnerability is triggered when opening a .lpp project file containing overly long string characters via open file menu. This results in overwriting a structured exception handler record and take over the...
Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially crafted packets. This module has been tested successfully on Delta Electronics Delta Industrial Automation COMMGR 1.08 ov...
TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection
TrueOnline is a major ISP in Thailand, and it distributes a customized version of the Billion 5200W-T router. This customized version has at least two command injection vulnerabilities, one authenticated and one unauthenticated, on different firmware versions. This module will attempt to exploit...
Linux ARM Big Endian Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell.
Arris / Motorola Surfboard SBG6580 Web Interface Takeover
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary website to take control of the modem, even if the user is not currently logged in. The attacker must successfully know, or guess, the target's internal gateway IP...
WordPress WP EasyCart Plugin Privilege Escalation
The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated users of any user level to set any system option via a lack of validation in the ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php. The module first changes the...
Linux PolicyKit Race Condition Privilege Escalation
A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. Those vulnerable include RHEL6 prior to...
Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With...
Apache Roller OGNL Injection
This module exploits an OGNL injection vulnerability in Apache Roller. Author: 'Unknown' (from coverity.com, vulnerability discovery), 'juan vazquez' (Metasploit module)...
OpenMediaVault Cron Remote Command Execution
OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system including root.
HP Intelligent Management Center BIMS UploadServlet Directory Traversal
This module exploits a directory traversal vulnerability on the version 5.2 of the BIMS component from the HP Intelligent Management Center. The vulnerability exists in the UploadServlet, allowing the user to download and upload arbitrary files. This module has been tested successfully on HP...
Linux Command Shell, Bind TCP Random Port Inline
Listen for a connection on a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
Windows Gather Microsoft Office Word UNC Path Injector
This module modifies a remote .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the auxiliary/server/capture/smb module can be used.
Unix Command Shell, Reverse TCP SSL (telnet)
Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL.
Microsoft Windows Deployment Services Unattend Gatherer
This module will search remote file shares for unattended installation files that may contain domain credentials. This is often used after discovering domain credentials with the auxiliary/scanner/dcerpc/windows_deployment_services module or in cases where you already have domain credentials. This...
Ruby on Rails XML Processor YAML Deserialization Scanner
This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the XML request processor.
Windows Gather Google Chrome User Data Enumeration
This module will collect user data from Google Chrome and attempt to decrypt sensitive information.
ARP Spoof
Spoof ARP replies and poison remote ARP caches to conduct IP address spoofing or a denial of service.
Windows Escalation
This module uses the getsystem command to escalate the current session to the SYSTEM account using various techniques.
Windows Gather Credentials IMVU Game Client
This module extracts account username & password from the IMVU game client and stores it as loot.
Windows Capture Winlogon Lockout Credential Keylogger
This module migrates and logs Microsoft Windows user's passwords via Winlogon.exe using idle time and natural system changes to give a false sense of security to the user.
Windows Gather Enumerate Domain Group
This module extracts user accounts from the specified domain group and stores the results in the loot. It will also verify if session account is in the group. Data is stored in loot in a format that is compatible with the token_hunter plugin. This module must be run on a session running as a domai...
Linux Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell.
Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow
This module exploits a buffer overflow in Apple QuickTime 7.6.6. When processing a malformed SMIL URI, a stack-based buffer overflow can occur when logging an error message.
Microsoft Help Center XSS and Command Execution
Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a...
Novell iPrint Client ActiveX Control target-frame Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing an overly long string via the "target-frame" parameter to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability...
Wardialer
Scan for dial-up systems that are connected to modems and answer telephony indials.
MS06-013 Microsoft Internet Explorer createTextRange() Code Execution
This module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 Beta 2 are vulnerable. It will corrupt memory in a way, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent...
Novell iPrint Client ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 4.34. When sending an overly long string to the GetDriverSettings property of ienipp.ocx an attacker may be able to execute arbitrary code.
MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
This module exploits a stack buffer overflow in the LSASS service. This vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter. This module...
Unix Command Shell, Reverse TCP (via Perl)
Creates an interactive shell via perl.
Maxthon Credential Gatherer
This module searches for Maxthon credentials on a Windows host. Module Options msf use post/windows/gather/credentials/maxthon msf postmaxthon show actions ...actions... msf postmaxthon set ACTION msf postmaxthon show options ...show and set options... msf postmaxthon run
Docker Privileged Container Escape
This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged. Module Options msf use...
IBM Data Risk Manager a3user Default Password
This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH. This can be escalated to full root access, as 'a3user' has sudo access with the default password. At the time of...
VMware Fusion USB Arbitrator Setuid Privilege Escalation
This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3. The Open VMware USB Arbitrator Service can be launched outside of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home directory in a specific folder, a...
Windows Manage Add User to the Domain and/or to a Domain Group
This module adds a user to the Domain and/or to a Domain group. It will check if sufficient privileges are present for certain actions and run getprivs for system. If you elevated privs to system, the SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to a process that is...
Solaris xscreensaver log Privilege Escalation
This module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version...
Pulse Secure VPN Arbitrary File Disclosure
This module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the "Automatic" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the...
Nuuo Central Management Server User Session Token Bruteforce
Nuuo Central Management Server below version 2.4 has a flaw where it sends the heap address of the user object instead of a real session number when a user logs in. This can be used to reduce the keyspace for the session number from 10 million to 1.2 million, and with a bit of analysis it can be...
WordPress WP GDPR Compliance Plugin Privilege Escalation
The WordPress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set WordPress administration options by overwriting values within the database. The vulnerability is...
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless.
Linux Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless.
PlaySMS import.php Authenticated CSV File Upload Code Execution
This module exploits an authenticated file upload remote code execution vulnerability in PlaySMS Version 1.4. This issue is caused by improper file contents handling in import.php aka the Phonebook import feature. Authenticated Users can upload a CSV file containing a malicious payload via vectors...
Linux Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless.
Trend Micro OfficeScan Remote Code Execution
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user. The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend...
Python Meterpreter Shell, Bind TCP Inline
Connect to the victim and spawn a Meterpreter shell.
Windows Gather DynaZIP Saved Password Extraction
This module extracts clear text credentials from dynazip.log. The log file contains passwords used to encrypt compressed zip files in Microsoft Plus! 98 and Windows Me.