6846 matches found
Apache Struts Remote Command Execution
This module exploits a remote command execution vulnerability in Apache Struts versions 'Apache Struts Remote Command Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions...
Linux Gather Network Information
This module gathers network information from the target system IPTables rules, interfaces, wireless information, open and listening ports, active network connections, DNS information and SSH information. This module requires Metasploit: https://metasploit.com/download Current source:...
UNIX Gather .netrc Credentials
Post Module to obtain credentials saved for FTP and other services in .netrc This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'UNIX Gather .netrc Credentials', 'Description' = %q Post Module to...
Java RMIConnectionImpl Deserialization Privilege Escalation
This module exploits a vulnerability in the Java Runtime Environment that allows to deserialize a MarshalledObject containing a custom classloader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. This module requires Metasploit:...
Java Meterpreter, Java Reverse TCP Stager
Run a meterpreter server in Java. Connect back stager This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 5256 include Msf::Payload::Stager include Msf::Payload::Java include...
Samba chain_reply Memory Corruption (Linux x86)
This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can...
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates not RTM, and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw. This...
BEA WebLogic JSESSIONID Cookie Value Overflow
This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a long JSESSION cookie value can lead to arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Current...
Tomcat Administration Tool Default Access
Detect the Tomcat administration interface. The administration interface is included in versions 5.5 and lower. Port 8180 is the default for FreeBSD, 8080 for all others. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewor...
XM Easy Personal FTP Server 5.6.0 NLST DoS
This module is a port of shinnai's script. You need a valid login, but even anonymous can do it as long as it has permission to call NLST. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'XM Eas...
Veritas Backup Exec Name Service Overflow
This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv...
Windows Process Memory Dump
This module creates a memory dump of a process to disk and downloads the file for offline analysis. Options for DUMPTYPE affect the completeness of the dump: "full" retrieves the entire process address space all allocated pages; "standard" excludes image files e.g. DLLs and EXEs in the address...
WordPress Duplicator File Read Vulnerability
This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'Duplicator' version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered. Module Options msf use...
HorizontCMS Arbitrary PHP File Upload
This module exploits an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta in order to execute arbitrary commands. The module first attempts to authenticate to HorizontCMS. It then tries to upload a malicious PHP file via an HTTP POST request to /admin/file-manager/fileupload. The serv...
Mida Solutions eFramework ajaxreq.php Command Injection
This module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to...
AnyDesk GUI Format String Write
The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger...
Tautulli v2.1.9 - Shutdown Denial of Service
Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Tautulli v2.1.9 - Shutdown Denial of Service',...
Windows Gather PSReadline History
Gathers Power Shell history data from the target machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather PSReadline History', 'Description' = %q Gathers Power Shell history data...
WebEx Remote Command Execution Utility
This module enables the execution of a single command as System by exploiting a remote code execution vulnerability in Cisco's WebEx client software. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1516524 include...
ifwatchd Privilege Escalation
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in...
Python Meterpreter Shell, Reverse HTTP Inline
Connect back to the attacker and spawn a Meterpreter shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Python includ...
Unitrends UEB bpserverd authentication bypass RCE
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This module requires Metasploit:...
Multi Gather Docker Credentials Collection
This module will collect the contents of all users' .docker directories on the targeted machine. If the user has already push to docker hub, chances are that the password was saved in base64 default behavior. This module requires Metasploit: https://metasploit.com/download Current source:...
Gather Tomcat Credentials
This module will attempt to collect credentials from Tomcat services running on the machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Gather Tomcat Credentials', 'Description' = %q This...
Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SM...
Windows Local User Account Hash Carver
This module will change a local user's password directly in the registry. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'English' class MetasploitModule 'Windows Local User Account Hash Carver', 'Description...
UNIX Gather AWS Keys
This module will attempt to read AWS configuration files .aws/config, .aws//credentials and .s3cfg for users discovered on the session'd system and extract AWS keys from within. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Gather MDaemonEmailServer Credential Cracking
Finds and cracks the stored passwords of MDaemon Email Server This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' class MetasploitModule 'Windows Gather MDaemonEmailServer Credential Cracking',...
Docker Daemon Privilege Escalation
This module obtains root privileges from any host account with access to the Docker daemon. Usually this includes accounts in the docker group. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
UNIX Gather RSYNC Credentials
Post Module to obtain credentials saved for RSYNC in various locations This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'UNIX Gather RSYNC Credentials', 'Description' = %q Post Module to obtain...
Joomla Content History SQLi Remote Code Execution
This module exploits a SQL injection vulnerability found in Joomla versions 3.2 up to 3.4.4. The vulnerability exists in the Content History administrator component in the core of Joomla. Triggering the SQL injection makes it possible to retrieve active Super User sessions. The cookie can be used...
Watchguard XCS FixCorruptMail Local Privilege Escalation
This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called by root's crontab which can be exploited to run a command as root within 3 minutes. This module requires Metasploit: https://metasploit.com/download Current source:...
BusyBox Download and Execute
This module will be applied on a session connected to a BusyBox shell. It will use wget to download and execute a file from the device running BusyBox. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
WordPress Long Password DoS
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service CPU consumption via a long password that is improperly handled during hashing. This module requires Metasploit: https://metasploit.com/download Current source:...
Arris DG950A Cable Modem Wifi Enumeration
This module will extract WEP keys and WPA preshared keys from Arris DG950A cable modems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Arris DG950A Cable Modem Wifi Enumeration', 'Description...
VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution
VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated OS Command injection in the web interface. Use reverse payloads for the most reliable results. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic...
NTP Mode 7 PEER_LIST_SUM DoS Scanner
This module identifies NTP servers which permit "PEERLISTSUM" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service aka, "DRDoS" or traffic amplification via spoofed requests. Thi...
Multi Manage YouTube Broadcast
This module will broadcast a YouTube video on specified compromised systems. It will play the video in the target machine's native browser. The VID datastore option is the "v" parameter in a YouTube video's URL. Enabling the EMBED option will play the video in full screen mode through a clean...
ZyXEL GS1510-16 Password Extractor
This module exploits a vulnerability in ZyXEL GS1510-16 routers to extract the admin password. Due to a lack of authentication on the webctrl.cgi script, unauthenticated attackers can recover the administrator password for these devices. The vulnerable device has reached end of life for support...
Nodejs js-yaml load() Code Execution
This module can be used to abuse node.js applications that parse user-supplied YAML input using the load function from the 'js-yaml' package 'Nodejs js-yaml load Code Execution', 'Description' = %q This module can be used to abuse node.js applications that parse user-supplied YAML input using the...
OS X Gather Mac OS X Password Hash Collector
This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports versions 10.3 to 10.14. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rexml/document' class MetasploitModule 'OS X Gather Mac OS X Passwo...
SAPRouter Port Scanner
This module allows for mapping ACLs and identify open/closed ports accessible on hosts through a saprouter. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAPRouter Port Scanner', 'Description...
D-Link DIR615h OS Command Injection
Some D-Link Routers are vulnerable to an authenticated OS command injection on their web interface, where default credentials are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload...
MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code...
Windows Single Sign On Credential Collector (Mimikatz)
This module will collect cleartext Single Sign On credentials from the Local Security Authority using the Kiwi Mimikatz extension. Blank passwords will not be stored in the database. This module requires Metasploit: https://metasploit.com/download Current source:...
Java CMM Remote Code Execution
This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP...
Axigen Arbitrary File Read and Delete
This module exploits a directory traversal vulnerability in the WebAdmin interface of Axigen, which allows an authenticated user to read and delete arbitrary files with SYSTEM privileges. The vulnerability is known to work on Windows platforms. This module has been tested successfully on Axigen...
WordPress Plugin Advanced Custom Fields Remote File Inclusion
This module exploits a remote file inclusion flaw in the WordPress blogging software plugin known as Advanced Custom Fields. The vulnerability allows for remote file inclusion and remote code execution via the export.php script. The Advanced Custom Fields plug-in versions 3.5.1 and below are...
Digi ADDP Remote Reboot Initiator
Reboot Digi International based equipment through the ADDP service This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Digi ADDP Remote Reboot Initiator', 'Description' = 'Reboot Digi International...