6849 matches found
Wordpress Scanner
Detects Wordpress Versions, Themes, Plugins, and Users. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
ERS Viewer 2011 ERS File Handling Buffer Overflow
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 version 11.04. The vulnerability exists in the module ermapperu.dll where the function ERMconverttocorrectwebpath handles user provided data in an insecure way. It results in arbitrary code execution under the context o...
VMWare OVF Tools Format String Vulnerability
This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.
Command Shell, Reverse TCP SSL (via python)
Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.
Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, when handling a specially crafted sU...
LLMNR Spoofer
LLMNR (Link-local Multicast Name Resolution) is the successor of NetBIOS (Windows Vista and up) and is used to resolve the names of neighboring computers. This module forges LLMNR responses by listening for LLMNR requests sent to the LLMNR multicast address 224.0.0.252 and responding with a...
DNS TXT Record Payload Download and Execution
Performs a TXT query against a series of DNS records and executes the returned x86 shellcode. The DNSZONE option is used as the base name to iterate over. The payload will first request the TXT contents of the "a" hostname, followed by "b", then "c", etc. until there are no more records. For each recor...
Adobe Reader U3D Memory Corruption Vulnerability
This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A hea...
Windows Gather McAfee ePO 4.6 Config SQL Credentials
This module extracts connection details and decrypts the saved password for the SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a config file. They are encrypted with AES-128-ECB and a static key.
RealWin SCADA Server DATAC Login Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.1 Build 6.0.10.10 or earlier. By sending a specially crafted OnFCCONNECTFCSLOGIN packet containing a long username, an attacker may be able to execute arbitrary code.
Black Ice Cover Page ActiveX Control Arbitrary File Download
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the payload to the remote machine, and then uploa...
ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
This module exploits a stack-based buffer overflow in versions 1.2 through 1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function within the "src/support.c" file. The off-by-one heap overflow bug in the ProFTPD sreplace function has been discovered about 2 (two) years ago by...
Novell iPrint Client ActiveX Control call-back-url Buffer Overflow
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42. When sending an overly long string to the 'call-back-url' parameter in an op-client-interface-version action of ienipp.ocx an attacker may be able to execute arbitrary code.
SMB File Upload Utility
This module uploads a file to a target share and path. The only reason to use this module is if your existing SMB client is not able to support the features of the Metasploit Framework that you need, like pass-the-hash authentication.
Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
This module exploits a buffer overflow in Microsoft's Office Web Components. When passing an overly long string as the "HTMLURL" parameter an attacker can execute arbitrary code.
TikiWiki jhot Remote Command Execution
TikiWiki contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered due to the jhot.php script not correctly verifying uploaded files. It is possible that the flaw may allow arbitrary PHP code execution by uploading a malicious PHP script resulting in a...
BadBlue 2.72b PassThru Buffer Overflow
This module exploits a stack buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier.
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11.
Mercur Messaging 2005 IMAP Login Buffer Overflow
This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results.
Windows Interactive Powershell Session, Reverse TCP SSL
Listen for a connection and spawn an interactive powershell session over SSL.
Apache Flink JobManager Traversal
This module exploits an unauthenticated directory traversal vulnerability in Apache Flink versions 1.11.0...
OneDrive Sync Provider Enumeration Module
This module will identify the Office 365 OneDrive endpoints for both business and personal accounts across all users providing access is permitted. It is useful for identifying document libraries that may otherwise not be obvious which could contain sensitive or useful information.
Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution
This module exploits two vulnerabilities, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, but this module can probably also be used to exploit...
Directory Traversal in Spring Cloud Config Server
This module exploits an unauthenticated directory traversal vulnerability which exists in Spring Cloud Config versions 2.2.x prior to 2.2.3 and 2.1.x prior to 2.1.9, and older unsupported versions. Spring Cloud Config listens by default on port 8888.
Unix Command Shell, Reverse TCP (via Tclsh)
Creates an interactive shell via Tclsh.
OpenSMTPD OOB Read Local Privilege Escalation
This module exploits an out-of-bounds read of an attacker-controlled string in OpenSMTPD's MTA implementation to execute a command as the root or nobody user, depending on the kind of grammar OpenSMTPD uses.
Cisco UCS Director Unauthenticated Remote Code Execution
The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one,...
Windows x86 Pingback, Reverse TCP Inline
Connect back to attacker and report UUID (Windows x86).
ptrace Sudo Token Privilege Escalation
This module attempts to gain root privileges by blindly injecting into the session user's running shell processes and executing commands by calling system, in the hope that the process has valid cached sudo tokens with root privileges. The system must have gdb installed and permit ptrace.
Unitrends Enterprise Backup bpserverd Privilege Escalation
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This is very similar to...
Apache Spark Unauthenticated Command Execution
This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API. It uses the function CreateSubmissionRequest to submit a malicious java class and trigger it.
MagniComp SysInfo mcsiwrapper Privilege Escalation
This module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This module abuses...
Varnish Cache CLI File Read
This module attempts to read the first line of a file by abusing the error message when compiling a file with vcl.load.
SolarWinds LEM Default SSH Password Remote Code Execution
This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exists in the menuing script, an attacker can escape from restricte...
VMware VDP Known SSH Key
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
Windows 'Run As' Using Powershell
This module will start a process as another user using powershell.
ManageEngine Desktop Central Administrator Account Creation
This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central including MSP from v7 onwards.
VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation
A vulnerability within the VBoxGuest driver allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile on Windows XP SP3 system...
MantisBT Admin SQL Injection Arbitrary File Read
Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if an attacker can gain access to administrative credentials. This vuln was fixed in 1.2.17.
Windows Gather Prefetch File Information
This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems and current values of related registry keys. From each prefetch file we'll collect filetime converted to utc of the last execution, file path hash, run count, filename and the execution path.
SAP Host Agent Information Disclosure
This module attempts to retrieve Computer and OS info from Host Agent through the SAP HostControl service.
Windows Gather Enumerate Active Domain Users
This module will enumerate computers included in the primary Domain and attempt to list all locations the targeted user has sessions on. If the HOST option is specified the module will target only that host. If the HOST is specified and USER is set to nil, all users logged into that host will be...
Windows Gather Credential Cache Dump
This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.
Windows Manage Remote Packet Capture Service Starter
This module enables the Remote Packet Capture System (rpcapd service) included in the default installation of Winpcap. The module allows you to set up the service in passive or active mode (useful if the client is behind a firewall). If authentication is enabled you need a local user account to captu...
SNMP Community Login Scanner
This module logs in to SNMP devices using common community names.
MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow
This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker can get the control of the execution flow. This results in arbitrary code execution under the context of the user.
Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control
This module exploits a stack based buffer overflow in the Active control file ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. The victim will first...
Multi Gather Ping Sweep
Performs IPv4 ping sweep using the OS included ping command.
Adobe XML External Entity Injection
Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2
MySQL yaSSL SSL Hello Message Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL 1.7.5 and earlier implementation bundled with MySQL...