6846 matches found
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1166612 include...
Multi Gather Maven Credentials Collection
This module will collect the contents of all users settings.xml on the targeted machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'nokogiri' class MetasploitModule 'Multi Gather Maven Credentials...
Razer Synapse rzpnk.sys ZwOpenProcess
A vulnerability exists in the latest version of Razer Synapse v2.20.15.1104 as of the day of disclosure which can be leveraged locally by a malicious application to elevate its privileges to those of NTAUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver th...
NNTP Login Utility
This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension. This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods. This module requires Metasploit:...
Windows Antivirus Exclusions Enumeration
This module will enumerate the file, directory, process and extension-based exclusions from supported AV products, which currently includes Microsoft Defender, Microsoft Security Essentials/Antimalware, and Symantec Endpoint Protection. This module requires Metasploit:...
VNC Keyboard Remote Code Execution
This module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems a xterm terminal is opened and a payload is typed and executed. This module...
HTTP HTML Title Tag Content Grabber
Generates a GET request to the provided webservers and returns the server header, HTML title attribute and location header if set. This is useful for rapidly identifying interesting web applications en mass. This module requires Metasploit: https://metasploit.com/download Current source:...
MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure
This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\windows\\system32\\calc.exe This...
Gallery WD for Joomla! Unauthenticated SQL Injection Scanner
This module will scan for Joomla! instances vulnerable to an unauthenticated SQL injection within the Gallery WD for Joomla! extension version 1.2.5 and likely prior. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
GitLab User Enumeration
The GitLab 'internal' API is exposed unauthenticated on GitLab. This allows the username for each SSH Key ID number to be retrieved. Users who do not have an SSH Key cannot be enumerated in this fashion. LDAP users, e.g. Active Directory users will also be returned. This issue was fixed in GitLab...
Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socket will appear as...
ARRIS / Motorola SBG6580 Cable Modem SNMP Enumeration Module
This module allows SNMP enumeration of the ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway. It supports the username and password for the device user interface as well as wireless network keys and information. The default community used is "public". This module requires...
Joomla Bruteforce Login Utility
This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Joomla Bruteforce Login Utility', 'Description' = 'This...
Multi Gather DbVisualizer Connections Settings
DbVisualizer stores the user database configuration in dbvis.xml. This module retrieves the connections settings from this file and decrypts the encrypted passwords. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Ericom AccessNow Server Buffer Overflow
This module exploits a stack based buffer overflow in Ericom AccessNow Server. The vulnerability is due to an insecure usage of vsprintf with user controlled data, which can be triggered with a malformed HTTP request. This module has been tested successfully with Ericom AccessNow Server 2.4.0.2 o...
Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow
This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability exists in the service BKHOdeq.exe when handling specially crafted packets. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows 2003 SP2. This...
Linux Reboot
A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 32 include...
Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution
This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity XXE request an attacker can reach SQL injection affected components. As xpcmdshell is enabled in the included database...
OSX Gather Autologin Password as Root
This module will steal the plaintext password of any user on the machine with autologin enabled. Root access is required. When a user has autologin enabled System Preferences - Accounts, OSX stores their password with an XOR encoding in /private/etc/kcpassword. This module requires Metasploit:...
ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to v8 build 80293. A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution as SYSTEM. This module requires Metasploit: https://metasploit.com/download...
vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP script and execute arbitrary PHP code remotely. This module was tested against vTiger CRM v5.4.0 and v5.3.0. This module...
Unix Command Shell, Reverse TCP (via Lua)
Creates an interactive shell via Lua This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 224 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo ...
Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation
This module exploits a flaw in the nwfs.sys driver to overwrite data in kernel space. The corruption occurs while handling ioctl requests with code 0x1438BB, where a 0x00000009 dword is written to an arbitrary address. An entry within the HalDispatchTable is overwritten in order to execute...
Canon Printer Wireless Configuration Disclosure
This module enumerates wireless credentials from Canon printers with a web interface. It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920. This module requires Metasploit: https://metasploit.com/download Current source:...
D-Link DIR-615H HTTP Login Utility
This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models. This module requires Metasploit: https://metasploit.com/download Current...
Linksys WRT54GL Remote Command Execution
Some Linksys Routers are vulnerable to OS Command injection. You will need credentials to the web interface to access the vulnerable part of the application. Default credentials are always a good starting point. admin/admin or admin and blank password could be a first try. Note: This is a blind O...
Windows Gather Database Instance Enumeration
This module will enumerate a windows system for installed database instances This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Database Instance Enumeration', 'Description' = %q Th...
NetDecision 4.2 TFTP Writable Directory Traversal Execution
This module exploits a vulnerability found in NetDecision 4.2 TFTP server. The software contains a directory traversal vulnerability that allows a remote attacker to write arbitrary file to the file system, which results in code execution under the context of user executing the TFTP Server. This...
Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow
This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. As a .pac file, when supplying a long string of data to the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code executi...
MS12-027 MSCOMCTL ActiveX Buffer Overflow
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with...
CorpWatch Company Name Information Search
This module interfaces with the CorpWatch API to get publicly available info for a given company name. Please note that by using CorpWatch API, you acknowledge the limitations of the data CorpWatch provides, and should always verify the information with the official SEC filings before taking any...
Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
This module exploits a buffer overflow in the encryption option handler of the Linux BSD-derived telnet service inetutils or krb5-telnet. Most Linux distributions use NetKit-derived telnet daemons, so this flaw only applies to a small subset of Linux systems running telnetd. -- coding: binary --...
Shodan Search
This module uses the Shodan API to search Shodan. Accounts are free and an API key is required to use this module. Output from the module is displayed to the screen and can be saved to a file or the MSF database. NOTE: SHODAN filters i.e. port, hostname, os, geo, city can be used in queries, but...
Multi Gather Mozilla Thunderbird Signon Credential Collection
This module will collect credentials from Mozilla Thunderbird by downloading the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for offline decryption with third party tools. If necessary, you may also set the PARSE option to true to parse the sqlite file, which contains...
Windows Gather Dump Recent Files lnk Info
The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script. This module will parse .lnk files from a user's Recent Documents folder and Microsoft Office's Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk...
Android Content Provider File Disclosure
This module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Content Provider...
Adobe Flash Player "newfunction" Invalid Pointer Use
This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash...
Apache Axis2 v1.4.1 Local File Inclusion
This module exploits an Apache Axis2 v1.4.1 local file inclusion LFI vulnerability. By loading a local XML file which contains a cleartext username and password, attackers can trivially recover authentication credentials to Axis services. This module requires Metasploit:...
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
The module exploits an sql injection flaw in the ALTERAUTOLOGCHANGESOURCE procedure of the PL/SQL package DBMSCDCPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTECATALOGROLE have the required privilege. Affected...
FTP File Server
This module provides a FTP service This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FTP File Server', 'Description' = %q This module provides a FTP service , 'Author' = 'hdm', 'License' =...
Linux Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 184 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...
Trend Micro OfficeScan Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in Trend Micro OfficeScan cgiChkMasterPwd.exe running with SYSTEM privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasm' class MetasploitModule 'Trend...
Python Exec, Command Shell, Reverse SCTP (via python)
Execute a Python payload as an OS command from a Posix-compatible shell. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. Module Options msf use payload/cmd/unix/python/shellreversesctp msf payloadshellreversesctp show actions...
Grandstream GXV3175 'settimezone' Unauthenticated Command Execution
This module exploits a command injection vulnerability in Grandstream GXV3175 IP multimedia phones. The 'settimezone' action does not validate input in the 'timezone' parameter allowing injection of arbitrary commands. A buffer overflow in the 'phonecookie' cookie parsing allows authentication to...
Reptile Rootkit reptile_cmd Privilege Escalation
This module uses Reptile rootkit's reptilecmd backdoor executable to gain root privileges using the root command. This module has been tested successfully with Reptile from master branch 2019-03-04 on Ubuntu 18.04.3 x64 and Linux Mint 19 x64. This module requires Metasploit:...
Windows x86 Pingback, Bind TCP Inline
Open a socket and report UUID when a connection is received Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 314 include Msf::Payload::Windows include Msf::Payload::Sing...
Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion
This module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182. This module...
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Cisco Prime Infrastructure CPI contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege...
Vtiger CRM - Authenticated Logo Upload RCE
Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against vTiger CRM v6.3.0. This module...
QNAP Q'Center change_passwd Command Execution
This module exploits a command injection vulnerability in the changepasswd API method within the web interface of QNAP Q'Center virtual appliance versions prior to 1.7.1083. The vulnerability allows the 'admin' privileged user account to execute arbitrary commands as the 'admin' operating system...