Wyse Rapport Hagent Fake Hserver Command Execution
This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download...
Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE
This module exploits a SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. This module requires Metasploit: https://metasploit.com/download Current source:...
Unix Command Shell, Reverse TCP (via Ruby)
Connect back and create a command shell via Ruby. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Linux Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
BolinTech Dream FTP Server 1.02 Format String
This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow
MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Icecast Header Overwrite
This module exploits a buffer overflow in the header parsing of icecast versions 2.0.1 and earlier, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved instruction pointer, and on linux dependin...
AppleFileServer LoginExt PathName Overflow
This module exploits a stack buffer overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit use...
GlobalSCAPE Secure FTP Server Input Overflow
This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account or anonymous access is required for this exploit to work. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows shellcode stage, Reverse Hop HTTP/HTTPS Stager
Custom shellcode stage. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
Pi-Hole Remove Commands Linux Priv Esc
Pi-Hole versions 3.0 - 5.3 allows for command line input to the removecustomcname, removecustomdns, and removestaticdhcp functions without properly validating the parameters before passing to sed. When executed as the www-data user, this allows for a privilege escalation to root since www-data is...
Jenkins CLI Deserialization
An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions v2.56 and below. The readFrom method within the Command class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data...
Baldr Botnet Panel Shell Upload Exploit
This module exploits an arbitrary file upload vulnerability within the Baldr stealer malware control panel when uploading victim log files which are uploaded as ZIP files. Attackers can turn this vulnerability into an RCE by first registering a new bot to the panel and then uploading a ZIP file...
openSIS Unauthenticated PHP Code Execution
This module exploits multiple vulnerabilities in openSIS 7.4 and prior versions which could be abused by unauthenticated attackers to execute arbitrary PHP code with the permissions of the webserver. The exploit chain abuses an incorrect access control issue which allows access to scripts which...
Barco WePresent file_transfer.cgi Command Injection
This module exploits an unauthenticated remote command injection vulnerability found in Barco WePresent and related OEM'ed products. The vulnerability is triggered via an HTTP POST request to the file_transfer.cgi endpoint. This module requires Metasploit: https://metasploit.com/download Current...
AIS logistics ESEL-Server Unauth SQL Injection RCE
This module will execute an arbitrary payload on an "ESEL" server used by the AIS logistics software. The server typically listens on port 5099 without TLS. There could also be a server listening on port 5100 with TLS, but port 5099 is usually open. The login process is vulnerable to an SQL...
Navigate CMS Unauthenticated Remote Code Execution
This module exploits insufficient sanitization in the database::protect method of Navigate CMS versions 2.8 and prior to bypass authentication. The module then uses a path traversal vulnerability in navigateupload.php that allows authenticated users to upload PHP files to arbitrary locations...
CMS Made Simple Authenticated RCE via File Upload/Copy
CMS Made Simple allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory. This module has been successfully tested on CMS Made Simple versions 2.2.5 and 2.2.7. This module...
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb
WebKitGTK+ WebKitFaviconDatabase DoS
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Cambium cnPilot r200/r201 Login Scanner and Config Dump
This module scans for Cambium cnPilot r200/r201 management login portals, attempts to identify valid credentials, and dumps the device configuration. The device has at least two users: admin and user. Due to an access control vulnerability, it is possible for the 'user' account to access full device...
Polycom Shell HDX Series Traceroute Command Execution
Within the Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows an attacker to execute arbitrary payloads via telnet or openssl. This module requires Metasploit: https://metasploit.com/download Current source:...
Linux Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb
Linux Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb
ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure
This module exploits a directory traversal vulnerability found in ColoradoFTP Server version 1.3 Build 8.
Ruby on Rails ActionPack Inline ERB Code Execution
This module exploits a remote code execution vulnerability in the inline request processor of the Ruby on Rails ActionPack component. This vulnerability allows an attacker to process ERB to the inline JSON processor, which is then rendered, permitting full RCE within the runtime, without logging ...
BisonWare BisonFTP Server Buffer Overflow
BisonWare BisonFTP Server 3.5 is prone to an overflow condition. This module exploits a buffer overflow vulnerability in that application. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
OpenVPN Gather Credentials
This module grabs OpenVPN credentials from a running process on Linux. Note: --auth-nocache must not be set in the OpenVPN command line. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
PHP Meterpreter, Reverse TCP Inline
Connect back to attacker and spawn a Meterpreter server (PHP). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Adobe Flash Player NetConnection Type Confusion
This module exploits a type confusion vulnerability in the NetConnection class of Adobe Flash Player. Given a correct memory layout, this vulnerability allows arbitrary memory to be corrupted. It can be used to overwrite dangerous objects, like vectors, and ultimately accomplish remote code...
Android Screen Capture
This module takes a screenshot of the target phone. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
IPass Control Pipe Remote Command Execution
This module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused to force the service to load a DLL from an SMB share. This module requires Metasploit: https://metasploit.com/download...
Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution
This module exploits a vulnerability in the update functionality of Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes Anti-Exploit consumer 1.03.1.1220. Due to the lack of proper update package validation, a man-in-the-middle (MITM) attacker could execute arbitrary code by spoofing t...
ActualAnalyzer 'ant' Cookie Command Execution
This module exploits a command execution vulnerability in ActualAnalyzer version 2.81 and prior. The 'aa.php' file allows unauthenticated users to execute arbitrary commands in the 'ant' cookie. This module requires Metasploit: https://metasploit.com/download Current source:...
GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the CIMPLICITY CimWebServer. The vulnerable component allows remote BCL files in shared resources to be executed. An attacker can abuse this behavior to execute a malicious BCL and drop an arbitrary EXE. The last o...
Firefox XSS
This module runs the provided SCRIPT as JavaScript in the origin of the provided URL. It works by navigating a hidden ChromeWindow to the URL, then injecting the SCRIPT with Function. The callback "sendresult" is used to send data back to the listener. This module requires Metasploit:...
Zimbra Collaboration Server LFI
This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an...
Supermicro Onboard IPMI close_window.cgi Buffer Overflow
This module exploits a buffer overflow in the Supermicro Onboard IPMI controller web interface. The vulnerability exists in the close_window.cgi CGI application and is due to the insecure usage of strcpy. In order to get a session, the module will execute system from libc with an arbitrary CMD...
Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection
This module exploits a code injection vulnerability in the 'create' action of the 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite Foreman 1.2.0-RC1 and earlier. This module requires Metasploit: https://metasploit.com/download Current source:...
D-Link DSL 320B Password Extractor
This module exploits an authentication bypass vulnerability in the D-Link DSL 320B. References: EDB 25252, OSVDB 93013, http://www.s3cur1ty.de/m1adv2013-018 ...
Unix Command Shell, Bind TCP (via netcat -e)
Listen for a connection and spawn a command shell via netcat. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Unix Command Shell, Reverse TCP SSL (via php)
Creates an interactive shell via php, uses SSL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Windows Gather Razer Synapse Password Extraction
This module will enumerate passwords stored by the Razer Synapse client. The encryption key and IV are publicly known. This module will not only extract the encrypted password but will also decrypt it using the public key. Affects versions earlier than 1.7.15. This module requires Metasploit:...
IBM Cognos tm1admsd.exe Overflow
This module exploits a stack buffer overflow in IBM Cognos Analytic Server Admin service. The vulnerability exists in the tm1admsd.exe component, due to a dangerous copy of user controlled data to the stack, via memcpy, without validating the supplied length and data. The module has been tested...
OS X x64 Shell Bind TCP
Bind an arbitrary command to an arbitrary port. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Hastymail 2.1.1 RC1 Command Injection
This module exploits a command injection vulnerability found in Hastymail 2.1.1 RC1 due to the insecure usage of the call_user_func_array function in the "lib/ajaxfunctions.php" script. Authentication is required on Hastymail in order to exploit the vulnerability. The module has been successfully...
Novell ZENworks Configuration Management Preboot Service Remote File Access
This module exploits a directory traversal in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted PROXYCMDFTPFILE opcode 0x21 packet to the 998/TCP port. This module has been successfully tested on Novell...