WinRM Command Runner
This module runs arbitrary Windows commands using the WinRM Service This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/winrm/connection' class MetasploitModule 'WinRM Command Runner', 'Description' = %q This...
Debian/Ubuntu ntfs-3g Local Privilege Escalation
ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe. This can be abused to load a kernel module and execute a binary payload as the root user. This module requires Metasploit: https://metasploit.com/download...
Get the Vehicle Information Such as the VIN from the Target Module
Post module to query DTCs, some common engine info and vehicle info. It returns such things as engine speed, coolant temp, Diagnostic Trouble Codes, as well as all info stored by Mode $09 Vehicle Info (VIN, etc.). This module requires Metasploit: https://metasploit.com/download Current source:...
NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Unauthenticated Remote Code Execution
The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an unauthenticated remote code execution on the exposed web administration interface. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been test...
Windows Post Manage WDigest Credential Caching
On Windows 8/2012 or higher, the Digest Security Provider WDIGEST is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key. Any subsequent logins will allow mimikatz to recover th...
BMP Polyglot
Encodes a payload in such a way that the resulting binary blob is both valid x86 shellcode and a valid bitmap image file .bmp. The selected bitmap file to inject into must use the BM Windows 3.1x/95/NT header and the 40-byte Windows 3.1x/NT BITMAPINFOHEADER. Additionally the file must use either ...
ElasticSearch Snapshot API Directory Traversal
This module exploits a directory traversal vulnerability in ElasticSearch, allowing an attacker to read arbitrary files with JVM process privileges, through the Snapshot API. This module requires Metasploit: https://metasploit.com/download Current source:...
VideoCharge Studio Buffer Overflow (SEH)
This module exploits a stack-based buffer overflow in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of VideoCharge Studio to open a maliciou...
Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
Inject the meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Listen for an IPv6 connection with UUID Support Windows x64 This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Interactive Powershell Session, Reverse TCP
Interacts with a powershell session on an established socket connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/powershell' module MetasploitModule CachedSize = :dynamic include Msf::Payload::Sing...
ManageEngine Multiple Products Arbitrary File Download
This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This module will attempt to login using th...
Joomla Bruteforce Login Utility
This module attempts to authenticate to Joomla 2.5 or 3.0 through brute-force attacks. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Joomla Bruteforce Login Utility', 'Description' = 'This...
Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution
This module exploits a default hardcoded private SSH key or default hardcoded login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made by Array Networks. After logging in as the unprivileged user, it's possible to modify the world-writable file /ca/bin/monitor.sh with...
Openbravo ERP XXE Arbitrary File Read
The Openbravo ERP XML API expands external entities, which can be defined as local files. This allows the user to read any file from the filesystem as the user Openbravo is running as (generally not root). This module was tested against Openbravo ERP versions 3.0MP25 and 2.50MP6. This module requires...
Unix Command Shell, Bind TCP (via Lua)
Listen for a connection and spawn a command shell via Lua This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 218 include Msf::Payload::Single include Msf::Sessions::CommandShellOption...
D-Link DIR-615H HTTP Login Utility
This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models. This module requires Metasploit: https://metasploit.com/download Current...
Unix Command Shell, Double Reverse TCP SSL (telnet)
Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 136 include Msf::Payload::Single...
Ruby Command Shell, Bind TCP IPv6
Continually listen for a connection and spawn a command shell via Ruby This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 524 include Msf::Payload::Single include Msf::Payload::Ruby...
Windows Gather Proxy Setting
This module pulls a user's proxy settings. If neither RHOST nor SID is set, it pulls the current user's settings; otherwise it pulls the settings of the specified SID on the target host. This module requires Metasploit: https://metasploit.com/download Current source:...
KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
This module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several products of GE, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver...
Schneider Modicon Remote START/STOP Command
The Schneider Modicon with Unity series of PLCs uses Modbus function code 90 (0x5a) to perform administrative commands without authentication. This module allows a remote user to change the state of the PLC between STOP and RUN, allowing an attacker to end process control by the PLC. This module is...
OS X Gather Chicken of the VNC Profile
This module will download the "Chicken of the VNC" client application's profile file, which is used to store other VNC servers' information such as the IP and password. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Windows Gather Enumerate Computers
This module will enumerate computers included in the primary Active Directory domain. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Enumerate Computers', 'Description' = %q Thi...
MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow
This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content source of a memcpy routine, and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code...
Windows Manage Process Migration
This module will migrate a Meterpreter session from one process to another. It can migrate to a given process PID, or the module can spawn a new process and migrate to that newly spawned process. This module requires Metasploit: https://metasploit.com/download Current source:...
Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
This module exploits a vulnerability found in Siemens FactoryLink 8. The vulnerability occurs when CSService.exe processes a CSMSGListFilesREQ message: the user-supplied path first gets converted to ANSI format (CodePage 0), and then gets handled by a logging routine where proper bounds checking is...
Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution
This module exploits a remote code execution vulnerability in Trend Micro Internet Security Pro 2010 ActiveX. When sending an invalid pointer to the extSetOwner function of UfPBCtrl.dll an attacker may be able to execute arbitrary code. This module requires Metasploit:...
HP OpenView OmniBack II Command Execution
This module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module. For Microsoft Windows targets, due to module limitations, use the "unix/cmd/generic" payload and set C...
Mercantec SoftCart CGI Overflow
This is an exploit for an undisclosed buffer overflow in the SoftCart.exe CGI as shipped with Mercantec's shopping cart software. It is possible to execute arbitrary code by passing a malformed CGI parameter in an HTTP GET request. This issue is known to affect SoftCart version 4.00b. This module...
MS06-025 Microsoft RRAS Service RASMAN Registry Overflow
This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on...
freeFTPd 1.0 Username Overflow
This module exploits a stack buffer overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default). This module requires Metasploit: https://metasploit.com/download Current source:...
3Com 3CDaemon 2.0 FTP Username Overflow
This module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. This module uses the USER command to trigger the overflow. This module requires Metasploit:...
Nagios XI Scanner
The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Alternatively, it is possible to provide...
D-Link Central WiFi Manager CWM(100) RCE
This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM100 versions below v1.03R0100BETA6. The vulnerability exists in the username cookie, which is passed to eval without being sanitized. Dangerous functions are not disabled by default, which makes it possible ...
DOUBLEPULSAR Payload Execution and Neutralization
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant...
OSX Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 815032 include...
Linux Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1622448 include...
IBM Notes encodeURI DOS
This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes. If successful, it could cause the Notes client to hang and have to be restarted. This module requires Metasploit: https://metasploit.com/download Current source:...
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1271304 include...
Firefox nsSMILTimeContainer::NotifyTimeChange() RCE
This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange across numerous versions of Mozilla Firefox on Microsoft Windows. This module requires Metasploit: https://metasploit.com/download Current source:...
DiskSavvy Enterprise GET Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP...
Internet Explorer 11 VBScript Engine Memory Corruption
This module exploits the memory corruption vulnerability CVE-2016-0189 present in the VBScript engine of Internet Explorer 11. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Internet Explorer ...
Nagios XI Chained Remote Code Execution
This module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI. 'Nagios XI Chained Remote Code Execution', 'Description' = %q This module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in...
Generic JCL Test for Mainframe Exploits
Provide JCL which can be used to submit a job to JES2 on z/OS which will exit and return 0. This can be used as a template for other JCL based payloads This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This is a prototy...
D-Link DCS-931L File Upload
This module exploits a file upload vulnerability in D-Link DCS-931L network cameras. The setFileUpload functionality allows authenticated users to upload files to anywhere on the file system, allowing system files to be overwritten, resulting in execution of arbitrary commands. This module has be...
VNC Keyboard Remote Code Execution
This module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems an xterm terminal is opened and a payload is typed and executed. This module...
Load Scripts Into PowerShell Session
This module will download and execute one or more PowerShell scripts over an existing PowerShell session. Setting VERBOSE to true will show the stager results. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference
A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM. This module requires Metasploit: https://metasploit.com/download...
Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
Uploads an executable and runs it (staged). Listens for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method; it can be spoofed with tools like hping. After that, the shellcode can be delivered from any IP. The socket will appea...
Multi Gather DbVisualizer Connections Settings
DbVisualizer stores the user database configuration in dbvis.xml. This module retrieves the connections settings from this file and decrypts the encrypted passwords. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...