
6845 matches found

Metasploit
•added 2011/12/27 6:59 a.m.•48 views

Plone and Zope XMLTools Remote Command Execution

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p class in OFS/misc.py and the use of Python modules. This module requires Metasploit:...

CVSS 9.3, AI score 1, EPSS 0.78546
Exploits: 15
•added 2011/11/04 6:47 p.m.•48 views

Windows Gather Terminal Server Client Connection Information Dumper

This module dumps MRU and connection data for RDP sessions. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework

AI score 7.4
Exploits: 0
•added 2011/06/22 10:36 p.m.•48 views

RealWin SCADA Server DATAC Login Buffer Overflow

This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.1 Build 6.0.10.10 or earlier. By sending a specially crafted OnFCCONNECTFCSLOGIN packet containing a long username, an attacker may be able to execute arbitrary code.

CVSS 10, AI score 1.2, EPSS 0.74638
Exploits: 15
•added 2009/12/15 8:37 p.m.•48 views

Sun Java Calendar Deserialization Privilege Escalation

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK...

CVSS 10, AI score 0.2, EPSS 0.84807
Exploits: 19
•added 2009/10/26 8:0 p.m.•48 views

Joomla 1.5.12 TinyBrowser File Upload Code Execution

This module exploits a vulnerability in the TinyMCE/tinybrowser plugin. This plugin is not secured in version 1.5.12 of Joomla and allows the upload of files on the remote server. By renaming the uploaded file this vulnerability can be used to upload/execute code on the affected system.

CVSS 9.8, AI score 7.2, EPSS 0.55769
Exploits: 3
•added 2009/10/19 12:58 p.m.•48 views

Microsoft Visual Basic VBP Buffer Overflow

This module exploits a stack buffer overflow in Microsoft Visual Basic 6.0. With a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code.

CVSS 9.3, AI score 0.9, EPSS 0.48964
Exploits: 7
•added 2008/11/14 11:4 a.m.•48 views

IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow

This module exploits a stack buffer overflow in Lotus Domino's Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez.

CVSS 7.5, AI score 6.9, EPSS 0.77466
Exploits: 9
•added 2008/09/24 4:41 a.m.•48 views

PHP Command Shell, Find Sock

Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes...

AI score 7.4
Exploits: 0
•added 2008/07/06 8:27 a.m.•48 views

UoW IMAP Server LSUB Buffer Overflow

This module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password.

CVSS 7.5, AI score 7.5, EPSS 0.68901
Exploits: 5
•added 2007/10/03 4:9 p.m.•48 views

Kazaa Altnet Download Manager ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX Control amd4.dll bundled with Kazaa Media Desktop 3.2.7. By sending an overly long string to the "Install" method, an attacker may be able to execute arbitrary code.

CVSS 6.8, AI score 7.8, EPSS 0.2999
Exploits: 3
•added 2006/12/27 10:43 p.m.•48 views

Mercur Messaging 2005 IMAP Login Buffer Overflow

This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results.

CVSS 10, AI score 7.4, EPSS 0.68147
Exploits: 12
•added 2019/10/18 11:51 a.m.•47 views

vBulletin widgetConfig RCE

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfigcode parameter in an ajax/render/widgetphp routestring POST request.

CVSS 9.8, AI score 9.9, EPSS 0.99728
Exploits: 27
•added 2019/08/28 4:0 a.m.•47 views

Cisco UCS Director default scpuser password

This module abuses a known default password on Cisco UCS Director. The 'scpuser' has the password of 'scpuser', and allows an attacker to log in to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in...

CVSS 9.8, AI score 9.6, EPSS 0.83386
Exploits: 8
•added 2018/12/18 4:49 p.m.•47 views

DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)

A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition. MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA,...

CVSS 7.5, AI score 7.6, EPSS 0.22182
Exploits: 2
•added 2018/10/22 11:32 p.m.•47 views

BSD Command Shell, Reverse TCP Inline

Connect back to attacker and spawn a command shell.

AI score 0.3
Exploits: 0
•added 2018/04/30 1:32 p.m.•47 views

Displays wireless SSIDs and PSKs

This module displays all wireless AP creds saved on the target device.

AI score 7.3
Exploits: 0
•added 2018/02/07 2:6 p.m.•47 views

Linux Meterpreter, Reverse HTTPS Inline

Run the Meterpreter / Mettle server payload stageless.

AI score 7.3
Exploits: 0
•added 2017/11/22 10:6 a.m.•47 views

Clickjacking Vulnerability In CSRF Error Page pfSense

This module exploits a Clickjacking vulnerability in pfSense.

CVSS 8.8, AI score 7.7, EPSS 0.32767
Exploits: 2
•added 2017/10/30 10:26 a.m.•47 views

Linux Meterpreter, Reverse HTTPS Inline

Run the Meterpreter / Mettle server payload stageless.

AI score 7.3
Exploits: 0
•added 2017/09/29 9:52 p.m.•47 views

Z/OS (MVS) Command Shell, Bind TCP

Provide JCL which creates a bind shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically.

AI score 7.3
Exploits: 0
•added 2017/07/09 12:14 a.m.•47 views

MantisBT password reset

MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.

CVSS 8.8, AI score 0.3, EPSS 0.90856
Exploits: 10
•added 2017/06/23 11:58 p.m.•47 views

Native DNS Spoofer (Example)

This module provides a Rex based DNS service to resolve queries intercepted via the capture mixin. Configure STATICENTRIES to contain host-name mappings desired for spoofing using a hostsfile or space/semicolon separated entries. In the default configuration, the service operates as a normal nati...

AI score 0.2
Exploits: 0
•added 2017/06/22 10:47 p.m.•47 views

DNS Server Dynamic Update Record Injection

This module allows adding and/or deleting a record to any remote DNS server that allows unrestricted dynamic updates.

AI score 0.4
Exploits: 0
•added 2016/10/08 7:5 p.m.•47 views

Powershell .NET Compiler

This module will build a .NET source file using PowerShell. The compiler builds the executable or library in memory and produces a binary. After compilation the PowerShell session can also sign the executable if provided a path to a .pfx formatted certificate. Compiler options and a list of...

AI score 10
Exploits: 0
•added 2016/05/19 7:50 p.m.•47 views

Ubiquiti airOS Arbitrary File Upload

This module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorizedkeys. FYI, /etc/passwd,dropbear/authorizedkeys will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSISTETC is true. This method is used by the "m...

AI score 7.1
Exploits: 0
•added 2016/05/12 5:42 p.m.•47 views

Generate TCP/UDP Outbound Traffic On Multiple Ports

This module generates TCP or UDP traffic across a sequence of ports, and is useful for finding firewall holes and egress filtering. It only generates traffic on the port range you specify. It is up to you to run a responder or packet capture tool on a remote endpoint to determine which ports are...

AI score 7
Exploits: 0
•added 2015/12/01 11:6 p.m.•47 views

Limesurvey Unauthenticated File Download

This module exploits an unauthenticated file download vulnerability in LimeSurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded as a ZIP and unzipped automatically, thus binary files can be downloaded.

AI score 7.5
Exploits: 0
•added 2015/11/12 11:51 p.m.•47 views

Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as '..//'.

CVSS 7.8, AI score 7.4, EPSS 0.60676
Exploits: 3
•added 2015/10/16 9:39 p.m.•47 views

Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation

This module writes to the sudoers file without root access by exploiting rsh and malloc log files. Makes sudo require no password, giving access to su even if root is disabled. Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).

CVSS 7.2, AI score 0.3, EPSS 0.05088
Exploits: 14
•added 2015/04/08 7:5 a.m.•47 views

ManageEngine Desktop Central Login Utility

This module will attempt to authenticate to a ManageEngine Desktop Central.

AI score 7.2
Exploits: 0
•added 2015/03/04 7:1 p.m.•47 views

HP Data Protector 8.10 Remote Command Execution

This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be executed by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is a strict length limitation on the command, rundll32.exe is executed, and...

CVSS 10, AI score 1.2, EPSS 0.89394
Exploits: 20
•added 2015/01/28 7:44 p.m.•47 views

ManageEngine Multiple Products Arbitrary Directory Listing

This module exploits a directory listing information disclosure vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It makes a recursive listing, so it will list the whole drive if you ask it to list / in Linux or C:\ in Windows. This vulnerabilit...

CVSS 7.5, AI score 6.9, EPSS 0.83399
Exploits: 11
•added 2015/01/27 10:47 a.m.•47 views

Windows Run Command As User

This module will log in with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default. Unless targeting a local user, either set the DOMAIN or specify a UPN user format, e.g. user@domain. This uses the CreateProcessWithLogonW WinAPI...

AI score 7.4
Exploits: 0
•added 2015/01/22 4:44 a.m.•47 views

McAfee Virus Scan Enterprise Password Hashes Dump

This module extracts the password hash from McAfee Virus Scan Enterprise (VSE) used to lock down the user interface. Hashcat supports cracking this type of hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt (--hex-salt) of 01000f000d003300 (unicode "\x01\x0f\x0d\x33"). A dynamic format i...

AI score 7.1
Exploits: 0
•added 2015/01/13 12:40 a.m.•47 views

Memcached Extractor

This module extracts the slabs from a memcached instance. It then finds the keys and values stored in those slabs.

AI score 6.8
Exploits: 0
•added 2014/12/11 3:37 a.m.•47 views

Kippo SSH Honeypot Detector

This module will detect if an SSH server is running a Kippo honeypot. This is done by issuing unexpected data to the SSH service and checking the response returned for two particular non-standard error messages.

AI score 0.1
Exploits: 0
•added 2014/11/25 2:34 a.m.•47 views

Windows Active Directory Wordlist Builder

This module will gather information from the default Active Domain (AD) directory and use these words to seed a wordlist. By default it enumerates user accounts to build the wordlist.

AI score 0.2
Exploits: 0
•added 2014/11/11 8:59 p.m.•47 views

SSH Public Key Acceptance Scanner

This module can determine what public keys are configured for key-based authentication across a range of machines, users, and sets of known keys. The SSH protocol indicates whether a particular key is accepted prior to the client performing the actual signed authentication request. To use this...

AI score 7.1
Exploits: 0
•added 2014/09/08 4:25 a.m.•47 views

Android Open Source Platform (AOSP) Browser UXSS

This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on...

CVSS 5.8, AI score 6.3, EPSS 0.19862
Exploits: 7
•added 2014/07/17 5:48 a.m.•47 views

Multi Manage DbVisualizer Query

DbVisualizer offers a command line functionality to execute SQL on pre-configured databases (with GUI). The remote database can be accessed from the command line without the need to authenticate, and this module abuses this functionality to query and will store the results. Please note: backslash quot...

AI score 0.6
Exploits: 0
•added 2014/02/08 7:9 p.m.•47 views

Powershell Base64 Command Encoder

This encodes the command as a base64 encoded command for powershell.

AI score 7.5
Exploits: 0
•added 2013/12/17 7:7 p.m.•47 views

OSX Gather Safari LastSession.plist

This module downloads the LastSession.plist file from the target machine. LastSession.plist is used by Safari to track active websites in the current session, and sometimes contains sensitive information such as usernames and passwords. This module will first download the original...

AI score 6.8
Exploits: 0
•added 2013/09/18 6:40 p.m.•47 views

MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution

This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows 2003. The vulnerability exists in the handling of the Screen Saver path, in the boot section. An arbitrary path can be used as screen saver, including a remote SMB resource, which allows for remote code...

CVSS 8.1, AI score 7.8, EPSS 0.59885
Exploits: 10
•added 2013/08/23 8:38 p.m.•47 views

OSX Manage Record Microphone

This module will allow the user to detect (with the LIST action) and capture (with the RECORD action) audio inputs on a remote OSX machine.

AI score 7
Exploits: 0
•added 2013/04/04 7:41 p.m.•47 views

D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility

This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices. It is possible that this module...

CVSS 7.5, AI score 7, EPSS 0.51933
Exploits: 41
•added 2013/02/27 9:57 p.m.•47 views

OpenSSL TLS 1.1 and 1.2 AES-NI DoS

The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the length of an encrypted message when used with a TLS version 1.1 or above. This leads to an integer underflow which can cause a DoS. The vulnerable function aesnicbchmacsha1cipher is only included in the 64-bit versions of...

CVSS 5, AI score 7.1, EPSS 0.39593
Exploits: 2
•added 2012/10/29 4:4 a.m.•47 views

Digi ADDP Information Discovery

Discover host information through the Digi International ADDP service.

AI score 6.9
Exploits: 0
•added 2012/10/28 2:11 p.m.•47 views

Modbus Unit ID and Station ID Enumerator

Modbus is a cleartext protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol, and later transformed to IP, which is called ModbusTCP. The default TCP port is 502. This module sends a command (0x04, read input register) to the Modbus endpoint. If this command i...

AI score 7.3
Exploits: 0
•added 2012/10/01 11:35 p.m.•47 views

Windows Manage Safe Delete

The goal of the module is to hinder the recovery of deleted files by overwriting their contents. This could be useful when you need to download some file on the victim machine and then delete it without leaving clues about its contents. Note that the script does not wipe the free disk space so...

AI score 0.1
Exploits: 0
•added 2012/07/10 2:20 a.m.•47 views

Java Applet Field Bytecode Verifier Cache Remote Code Execution

This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operation...

CVSS 9.8, AI score 0.8, EPSS 0.93688
Exploits: 9

Total number of security vulnerabilities: 5000