6846 matches found
Unix Command Shell, Reverse TCP SSL (via Ruby)
Connect back and create a command shell via Ruby, uses SSL This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 185 include Msf::Payload::Single include Msf::Sessions::CommandShellOptio...
Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution
This module abuses the "RunScript" procedure provided by the SOAP interface of Adobe InDesign Server, to execute arbitrary vbscript Windows or applescript OSX. The exploit drops the payload on the server and must be removed manually. This module requires Metasploit: https://metasploit.com/downloa...
Windows AlwaysInstallElevated MSI
This module checks the AlwaysInstallElevated registry keys which dictates if .MSI files should be installed with elevated privileges NT AUTHORITY\SYSTEM. The generated .MSI file has an embedded executable which is extracted and run by the installer. After execution the .MSI file intentionally fai...
JBoss Java Class DeploymentFileRepository WAR Deployment
This module uses the DeploymentFileRepository class in JBoss Application Server jbossas to deploy a JSP file which then deploys the WAR file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution
This module exploits an authentication bypass vulnerability on Avaya IP Office Customer Call Reporter, which allows a remote user to upload arbitrary files through the ImageUpload.ashx component. It can be abused to upload and execute arbitrary ASP .NET code. The vulnerability has been tested...
Windows Manage PowerShell Download and/or Execute
This module will download and execute a PowerShell script over a meterpreter session. The user may also enter text substitutions to be made in memory before execution. Setting VERBOSE to true will output both the script prior to execution and the results. This module requires Metasploit:...
Csound hetro File Handling Stack Buffer Overflow
This module exploits a buffer overflow in Csound before 5.16.6. The overflow occurs when trying to import a malicious hetro file from tabular format. In order to achieve exploitation the user should import the malicious file through csound with a command like "csound -U hetimport msf.csd file.het...
OS X Gather Adium Enumeration
This module will collect Adium's account plist files and chat logs from the victim's machine. There are three different actions you may choose: ACCOUNTS, CHATS, and ALL. Note that to use the 'CHATS' action, make sure you set the regex 'PATTERN' option in order to look for certain log names which...
HTTP Cross-Site Tracing Detection
Checks if the host is vulnerable to Cross-Site Tracing XST This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Cross-Site Tracing Detection', 'Description' = 'Checks if the host is vulnerable ...
Multi Gather OpenSSH PKI Credentials Collection
This module will collect the contents of all users' .ssh directories on the targeted machine. Additionally, knownhosts and authorizedkeys and any other files are also downloaded. This module is largely based on firefoxcreds.rb. This module requires Metasploit: https://metasploit.com/download...
Windows Gather DynDNS Client Password Extractor
This module extracts the username, password, and hosts for DynDNS version 4.1.8. This is done by downloading the config.dyndns file from the victim machine, and then automatically decode the password field. The original copy of the config file is also saved to disk. This module requires Metasploi...
rsyslog Long Tag Off-By-Two DoS
This module triggers an off-by-two overflow in the rsyslog daemon. This flaw is unlikely to yield code execution but is effective at shutting down a remote log daemon. This bug was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may prevent this bug from causing any...
7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow
This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' 0x02, 'Delete' 0x03, or 'Add' 0x04 command, a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report, which results arbitrary code execution under th...
SAP Management Console Brute Force
This module simply attempts to brute force the username and password for the SAP Management Console SOAP Interface. If the SAPSID value is set it will replace instances of in any user/pass from any wordlist. This module requires Metasploit: https://metasploit.com/download Current source:...
IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow
This module exploits a stack buffer overflow in IBM Lotus Domino Web Server prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP request with an Accept-Language header greater than 114 bytes. This module requires Metasploit: https://metasploit.com/download Current source:...
XM Easy Personal FTP Server 5.7.0 NLST DoS
You need a valid login to DoS this FTP server, but even anonymous can do it as long as it has permission to call NLST. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'XM Easy Personal FTP Serve...
Samba trans2open Overflow (Mac OS X PPC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Linux Execute Command
Execute an arbitrary command or just a /bin/sh shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exec ---- Executes an arbitrary command. module MetasploitModule CachedSize = 43 include Msf::Payload::Single includ...
Peyara Remote Mouse 1.0.1 Unauthenticated Remote Code Execution
This module exploits an unauthenticated remote code execution vulnerability in Peyara Remote Mouse 1.0.1. The application exposes a Socket.IO WebSocket service on TCP port 1313 and accepts unauthenticated keyboard input events. The module sends keyboard events to open the Windows command prompt a...
SMB to Meterpreter Upgrade via PsExec
Upgrades an authenticated SMB session to a Meterpreter session using PsExec techniques. This module uploads a service-wrapped executable payload to the ADMIN$ share via the existing authenticated SMB connection, then creates and starts a Windows service that executes the payload. This mirrors the...
Windows Manage Volume Shadow Copies
This module will perform management actions for Volume Shadow Copies on the system. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later. Module Options msf use post/windows/manage/vss msf postvss show actions ...actions... msf postvss set...
Geutebruck testaction.cgi Remote Command Execution
This module exploits an authenticated arbitrary command execution vulnerability within the 'server' GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions use...
Cisco UCS Director Cloupia Script RCE
This module exploits an authentication bypass and directory traversals in Cisco UCS Director 'Cisco UCS Director Cloupia Script RCE', 'Description' = %q This module exploits an authentication bypass and directory traversals in Cisco UCS Director 6.7.4.0 to leak the administrator's REST API key an...
Windows Manage Memory Shellcode Injection Module
This module will inject into the memory of a process a specified shellcode. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Manage Memory Shellcode Injection Module', 'Description' = %q...
ktsuss suid Privilege Escalation
This module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior. The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges. This module has been test...
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1061912 include...
Unix Command Shell, Reverse TCP (via Ksh)
Connect back and create a command shell via Ksh. Note: Although Ksh is often available, please be aware it isn't usually installed by default. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule...
Hadoop YARN ResourceManager Unauthenticated Command Execution
This module uses Hadoop's standard ResourceManager REST API to execute arbitrary commands on an unsecured Hadoop server. Hadoop administrators should enable Kerberos authentication for these endpoints by changing the 'hadoop.security.authentication' setting in 'core-site.xml' from 'simple' the...
Palo Alto Networks readSessionVarsFromFile() Session Corruption
This module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to to exploit an XML injection issue, which is then abused to create an arbitrary directory,...
Socks5 Proxy Server
This module provides a socks5 proxy server that uses the builtin Metasploit routing to relay connections...
Displays wireless SSIDs and PSKs
This module displays all wireless AP creds saved on the target device. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Displays wireless SSIDs and PSKs', 'Description' = %q This module displays...
Dup Scout Enterprise Login Buffer Overflow
This module exploits a stack buffer overflow in Dup Scout Enterprise versions 'Dup Scout Enterprise Login Buffer Overflow', 'Description' = %q This module exploits a stack buffer overflow in Dup Scout Enterprise versions MSFLICENSE, 'Author' =...
OSX Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 815032 include...
OSX Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 815032 include...
Samsung SRN-1670D Web Viewer Version 1.0.0.193 Arbitrary File Read and Upload
This module exploits an unrestricted file upload vulnerability in Web Viewer 1.0.0.193 on Samsung SRN-1670D devices. The networksslupload.php file allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a dire...
tnftp "savefile" Arbitrary Command Execution
This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component...
Linux Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1140752 include...
Python Meterpreter Shell, Reverse TCP Inline
Connect back to the attacker and spawn a Meterpreter shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Python includ...
SolarWinds LEM Default SSH Password Remote Code Execution
This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricte...
OS X Gather Messages
This module will collect the Messages sqlite3 database files and chat logs from the victim's machine. There are four actions you may choose: DBFILE, READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and LATEST will retrieve the last X number of messages useful with 2FA...
Censys Search
The module uses the Censys REST API to access the same data accessible through the web interface. The search endpoint allows queries using the Censys Search Language against the Hosts dataset. Setting the CERTIFICATES option will also retrieve the certificate details for each relevant service by...
SMB Delivery
This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Atlassian HipChat for Jira Plugin Velocity Template Injection
Atlassian Hipchat is a web service for internal instant messaging. A plugin is available for Jira that allows team collaboration at real time. A message can be used to inject Java code into a Velocity template, and gain code execution as Jira. Authentication is required to exploit this...
BusyBox DNS Configuration
This module will be applied on a session connected to a BusyBox shell. It allows to set the DNS server on the device executing BusyBox so it will be sent by the DHCP server to network hosts. This module requires Metasploit: https://metasploit.com/download Current source:...
Watermark Master Buffer Overflow (SEH)
This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when processing a specially crafted .WCF file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Watermark Master to open a malicious .WCF...
SysAid Help Desk 'rdslogs' Arbitrary File Upload
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. By combining both weaknesses, a remote attacker can accomplish...
Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory
This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When using a correct memory layout this vulnerability leads to a ByteArray object corruption,...
Apple OS X Rootpipe Privilege Escalation
This module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed "Rootpipe." This module was tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run...
Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner
This module will scan for hosts vulnerable to an unauthenticated SQL injection within the advanced search feature of the Web-Dorado ECommerce WD 1.2.5 and likely prior. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
iPass Mobile Client Service Privilege Escalation
The named pipe, \IPEFSYSPCPIPE, can be accessed by normal users to interact with the iPass service. The service provides a LaunchAppSysMode command which allows to execute arbitrary commands as SYSTEM. This module requires Metasploit: https://metasploit.com/download Current source:...