Multi Gather DbVisualizer Connections Settings

DbVisualizer stores the user database configuration in dbvis.xml. This module retrieves the connections settings from this file and decrypts the encrypted passwords. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

MS13-097 Registry Symlink IE Sandbox Escape

This module exploits a vulnerability in Internet Explorer Sandbox which allows to escape the Enhanced Protected Mode and execute code with Medium Integrity. The vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll component, which can be abused to force medium...

Multiplatform WLAN Enumeration and Geolocation

Enumerate wireless networks visible to the target device. Optionally geolocate the target by gathering local wireless networks and performing a lookup against Google APIs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...

Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager

Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. This module requires Metasploit: https://metasploit.com/download Current source:...

Android Browser and WebView addJavascriptInterface Code Execution

This module exploits a privilege escalation issue in Android 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and...

Easy CD-DA Recorder PLS Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry. By persuading the victim to open a specially-crafted PLS file, a remote attacker can execute arbitrary code on the system or cause the application to cras...

Windows Gather SmarterMail Password Extraction

This module extracts and decrypts the sysadmin password in the SmarterMail 'mailConfig.xml' configuration file. The encryption key and IV are publicly known. This module has been tested successfully on SmarterMail versions 10.7.4842 and 11.7.5136. This module requires Metasploit:...

MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access

This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on the Initialize method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code user controlled it's possible to dereference arbitrary memo...

HP Intelligent Management SOM Account Creation

This module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the AccountService RpcServiceServlet from the SOM component, in order to create a SOM account with Account Management permissions. This module has been tested successfully on HP...

Windows Command Shell, Bind TCP (via Lua)

Listen for a connection and spawn a command shell via Lua This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 218 include Msf::Payload::Single include Msf::Sessions::CommandShellOption...

Mac OS X Sudo Password Bypass

This module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges the user is in the sudoers file and is in the...

Oracle MySQL for Microsoft Windows FILE Privilege Abuse

This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers. This module abuses the FILE privilege to write a payload to Microsoft's All Users Start Up directory which will execute every time a user logs in. The default All Users Start Up...

IPMI 2.0 Cipher Zero Authentication Bypass Scanner

This module identifies IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

CouchDB Login Utility

This module tests CouchDB logins on a range of machines and report successful logins. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CouchDB Login Utility', 'Description' = % This module tests...

D-Link DIR-300A / DIR-320 / DIR-615D HTTP Login Utility

This module attempts to authenticate to different D-Link HTTP management services. It has been tested on D-Link DIR-300 Hardware revision A, D-Link DIR-615 Hardware revision D and D-Link DIR-320 devices. It is possible that this module also works with other models. This module requires Metasploit...

Linux Gather PPTP VPN chap-secrets Credentials

This module collects PPTP VPN information such as client, server, password, and IP from your target server's chap-secrets file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linux Gather PPTP...

Java Applet Method Handle Remote Code Execution

This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

JBoss JMX Console Beanshell Deployer WAR Upload and Deployment

This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment method. This module requires Metasploit: https://metasploit.com/download Current...

Novell ZENworks Asset Management 7.5 Remote File Access

This module exploits a hardcoded user and password for the GetFile maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to...

Linux Mettle x86, Reverse TCP Stager

Inject the mettle server payload staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ReverseTcp ---------- Linux reverse TCP stager. module MetasploitModule CachedSize = 50 include...

MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability

This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This can allow attackers to trick victims into...

PcAnywhere Login Scanner

This module will test pcAnywhere logins on a range of machines and report successful logins. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PcAnywhere Login Scanner', 'Description' = %q This...

PHP Command Shell, Bind TCP (via perl) IPv6

Listen for a connection and spawn a command shell via perl persistent over IPv6 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include...

Windows Gather Privileges Enumeration

This module will print if UAC is enabled, and if the current account is ADMIN enabled. It will also print UID, foreground SESSION ID, is SYSTEM status and current process PRIVILEGES. This module requires Metasploit: https://metasploit.com/download Current source:...

Multiple Linux / Unix Post Sudo Upgrade Shell

This module attempts to upgrade a shell account to UID 0 by reusing the given password and passing it to sudo. This technique relies on sudo versions from 2008 and later which support -A. This module requires Metasploit: https://metasploit.com/download Current source:...

TYPO3 Winstaller Default Encryption Keys

This module exploits known default encryption keys found in the TYPO3 Winstaller. This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be used to read any file that the web server user account has access to view. The method used to create the juhash short MD5 hash was...

Windows Gather Credential Store Enumeration and Decryption Module

This module will enumerate the Microsoft Credential Store and decrypt the credentials. This module can only access credentials created by the user the process is running as. It cannot decrypt Domain Network Passwords, but will display the username and location. This module requires Metasploit:...

Windows Gather Credential Collector

This module harvests credentials found on the host and stores them in the database. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Credential Collector', 'Description' = %q This...

Black Ice Cover Page ActiveX Control Arbitrary File Download

This module allows remote attackers to place arbitrary files on a users file system by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX Control BIImgFrm.ocx 12.0.0.0. Code execution can be achieved by first uploading the payload to the remote machine, and then uploa...

Windows Escalate Locked Desktop Unlocker

This module unlocks a locked Windows desktop by patching the respective code inside the LSASS.exe process. This patching process can result in the target system hanging or even rebooting, so be careful when using this module on production systems. This module requires Metasploit:...

IPv6 Local Neighbor Discovery

Enumerate local IPv6 hosts which respond to Neighbor Solicitations with a link-local address. Note, that like ARP scanning, this usually cannot be performed beyond the local broadcast network. This module requires Metasploit: https://metasploit.com/download Current source:...

Java Statement.invoke() Trusted Method Chain Privilege Escalation

This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. This module requires Metasploit: https://metasploit.com/download Current source...

UltraISO CCD File Parsing Buffer Overflow

This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to...

PHP Executable Download and Execute

Download an EXE from an HTTP URL and execute it This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Php include Msf::Payload::Single def initializeinfo =...

FTP File Server

This module provides a FTP service This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FTP File Server', 'Description' = %q This module provides a FTP service , 'Author' = 'hdm', 'License' =...

PHP Execute Command

Execute a single system command This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Php def initializeinfo =...

Windows Command Shell, Bind TCP (via Perl)

Listen for a connection and spawn a command shell via perl persistent This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 139 include Msf::Payload::Single include...

Veritas Backup Exec Server Registry Access

This modules exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes. This module requires...

MaxDB WebDBM Database Parameter Overflow

This module exploits a stack buffer overflow in the MaxDB WebDBM service. By sending a specially-crafted HTTP request that contains an overly long database name. A remote attacker could overflow a buffer and execute arbitrary code on the system with privileges of the wahttp process. This module h...

Unix Command Shell, Bind TCP (inetd)

Listen for a connection and spawn a command shell persistent This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 487 include Msf::Payload::Single include...

Jira Users Enumeration

This module exploits an information disclosure vulnerability that allows an unauthenticated user to enumerate users in the /ViewUserHover.jspa endpoint. This only affects Jira versions use auxiliary/scanner/http/jirauserenum msf auxiliaryjirauserenum show actions ...actions... msf...

MaraCMS Arbitrary PHP File Upload

This module exploits an arbitrary file upload vulnerability in MaraCMS 7.5 and prior in order to execute arbitrary commands. The module first attempts to authenticate to MaraCMS. It then tries to upload a malicious PHP file to the web root via an HTTP POST request to codebase/handler.php. If the...

GOG GalaxyClientService Privilege Escalation

This module will send arbitrary filepaths to the GOG GalaxyClientService, which will be executed with SYSTEM privileges verified on GOG Galaxy Client v1.2.62 and v2.0.12; prior versions are also likely affected. This module requires Metasploit: https://metasploit.com/download Current source:...

Install Python for Windows

This module places an embeddable Python3 distribution onto the target file system, granting pentesters access to a lightweight Python interpreter. This module does not require administrative privileges or user interaction with installation prompts. This module requires Metasploit:...

FusionPBX Operator Panel exec.php Command Execution

This module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior. The exec.php file within the Operator Panel permits users with operatorpanelview permissions, or administrator permissions, to execute arbitrary commands as the web server user by sending ...

Nostromo Directory Traversal Remote Command Execution

This module exploits a remote command execution vulnerability in Nostromo 'Nostromo Directory Traversal Remote Command Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Nostromo 'Quentin Kaiser ', metasploit module 'sp0re', original public exploit ,...

Unitronics PCOM remote START/STOP/RESET command

Unitronics Vision PLCs allow remote administrative functions to control the PLC using authenticated PCOM commands. This module supports START, STOP and RESET operations. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

Unitronics PCOM Client

Unitronics Vision PLCs allow unauthenticated PCOM commands to query PLC registers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Unitronics PCOM Client', 'Description' = %q Unitronics Vision...

Morris Worm sendmail Debug Mode Shell Escape

This module exploits sendmail's well-known historical debug mode to escape to a shell and execute commands in the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently, only...

Apple_iOS Meterpreter, Reverse HTTP Inline

Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 643824 include...