6846 matches found
Accellion FTA 'statecode' Cookie Arbitrary File Read
This module exploits a file disclosure vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'statecode' cookie parameter is appended to a file path that is processed as a HTML template. By prepending this cookie with directory traversal...
BSD x64 Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 81 include Msf::Payload::Single include Msf::Payload::Bsd include...
HP Client Automation Command Injection
This module exploits a command injection vulnerability on HP Client Automation, distributed actually as Persistent Systems Client Automation. The vulnerability exists in the Notify Daemon radexecd.exe, which doesn't authenticate execution requests by default. This module has been tested...
Chromecast Web Server Scanner
This module scans for the Chromecast web server on port 8008/TCP, and can be used to discover devices which can be targeted by other Chromecast modules, such as chromecastyoutube. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Manage PXE Exploit Server
This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a linux kernel and initrd into memory that reads the hard drive; placing a payload to install metsvc, disable the firewall, and add a new user metasploit on any Windows partition seen, and add a uid...
Huawei Datacard Information Disclosure Vulnerability
This module exploits an unauthenticated information disclosure vulnerability in Huawei SOHO routers. The module will gather information by accessing the /api pages where authentication is not required, allowing configuration changes as well as information disclosure, including any stored SMS. Thi...
Python Meterpreter, Python Reverse HTTP Stager
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...
Multi Manage DbVisualizer Add Db Admin
Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases With GUI. The remote database can be accessed from the command line without the need to authenticate, which can be abused to create an administrator in the database with the proper database permissions. Note:...
D-Link Unauthenticated Remote Command Execution using UPnP via a special crafted M-SEARCH packet.
A command injection vulnerability exists in multiple D-Link network products, allowing an attacker to inject arbitrary command to the UPnP via a crafted M-SEARCH packet. Universal Plug and Play UPnP, by default is enabled in most D-Link devices, on the port 1900. An attacker can perform a remote...
HTTP Header Detection
This module shows HTTP Headers returned by the scanned systems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Header Detection', 'Description' = %q This module shows HTTP Headers returne...
JBoss Status Servlet Information Gathering
This module queries the JBoss status servlet to collect sensitive information, including URL paths, GET parameters and client IP addresses. This module has been tested against JBoss 4.0, 4.2.2 and 4.2.3. This module requires Metasploit: https://metasploit.com/download Current source:...
Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow
This module abuses a buffer overflow vulnerability to trigger a Denial of Service of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability exists in the handling of malformed log packets, with an unexpected long level field. The root cause of the vulnerability is a...
vBulletin Administrator Account Creation
This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild on October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0. This module requires Metasploit: https://metasploit.com/downloa...
Chasys Draw IES Buffer Overflow
This module exploits a buffer overflow vulnerability found in Chasys Draw IES version 4.10.01. The vulnerability exists in the module fltBMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data on the stack in an insecure way. It results in arbitrary code...
Gather eCryptfs Metadata
This module will collect the contents of all users' .ecrypts directories on the targeted machine. Collected "wrapped-passphrase" files can be cracked with John the Ripper JtR to recover "mount passphrases". This module requires Metasploit: https://metasploit.com/download Current source:...
Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment
This module exploits a mass assignment vulnerability in the 'create' action of 'users' controller of Foreman and Red Hat OpenStack/Satellite Foreman 1.2.0-RC1 and earlier by creating an arbitrary administrator account. For this exploit to work, your account must have 'createusers' permission e.g....
Java Applet Driver Manager Privileged toString() Remote Code Execution
This module abuses the java.sql.DriverManager class where the toString method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file...
Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability
This module exercises a vulnerability in Novel Zenworks Mobile Management's Mobile Device Management component which can allow unauthenticated remote code execution. Due to a flaw in the MDM.php script's input validation, remote attackers can both upload and execute code via a directory traversal...
HP Intelligent Management Center Arbitrary File Upload
This module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated file uploads and handling zip contents in an insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file...
Mutiny Remote Command Execution
This module exploits an authenticated command injection vulnerability in the Mutiny appliance. Versions prior to 4.5-1.12 are vulnerable. In order to exploit the vulnerability the mutiny user must have access to the admin interface. The injected commands are executed with root privileges. This...
Ruby Command Shell, Reverse TCP SSL
Connect back and create a command shell via Ruby, uses SSL This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 444 include Msf::Payload::Single include Msf::Payload::Ruby include...
Windows Gather Service Info Enumeration
This module will query the system for services and display name and configuration info for each returned service. It allows you to optionally search the credentials, path, or start type for a string and only return the results that match. These query operations are cumulative and if no query...
HP Intelligent Management Center UAM Buffer Overflow
This module exploits a remote buffer overflow in HP Intelligent Management Center UAM. The vulnerability exists in the uam.exe component, when using sprint in a insecure way for logging purposes. The vulnerability can be triggered by sending a malformed packet to the 1811/UDP port. The module has...
Novell File Reporter Agent Arbitrary File Delete
NFRAgent.exe in Novell File Reporter allows remote attackers to delete arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and CMD set to 5 against /FSF/CMD. This module has been tested successfully on NFR Agent 1.0.4.3 File Reporter 1.0.2 and NFR Agent 1.0.3.22 File...
Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JITJust-In-Time code being executed. This is the same vulnerability that was used for attacks against...
TFTP File Transfer Utility
This module will transfer a file to or from a remote TFTP server. Note that the target must be able to connect back to the Metasploit system, and NAT traversal for TFTP is often unsupported. Two actions are supported: "Upload" and "Download," which behave as one might expect -- use 'set action...
Oracle iSQL*Plus Login Utility
This module attempts to authenticate against an Oracle ISQLPlus administration web site using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE. This module does not require a valid SID, but if one is defined, it will be used. Works against Oracle 9.2, 10.1 ...
Windows Gather SNMP Settings
This module will enumerate the SNMP service configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather SNMP Settings', 'Description' = %q This module will enumerate the SNMP...
Sun Java Web Start Plugin Command Line Argument Injection
This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as...
LPRng use_syslog Remote Format String Vulnerability
This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin". Th...
Vermillion FTP Daemon PORT Command Memory Corruption
This module exploits an out-of-bounds array access in the Arcane Software Vermillion FTP server. By sending a specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bound by attacker controlled input...
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service. By sending a "ping" packet containing a long string, an attacker can execute arbitrary code. NOTE: the dsmcad.exe service must be in a particular state CadWaitingStatus = 1 in order for the...
Racer v0.5.3 Beta 5 Buffer Overflow
This module exploits the Racer Car and Racing Simulator game versions v0.5.3 beta 5 and earlier. Both the client and server listen on UDP port 26000. By sending an overly long buffer we are able to execute arbitrary code remotely. This module requires Metasploit: https://metasploit.com/download...
FreeBSD Remote NFS RPC Request Denial of Service
This module sends a specially-crafted NFS Mount request causing a kernel panic on host running FreeBSD 6.0. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FreeBSD Remote NFS RPC Request Denial...
eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in eDirectory 8.7.3 iMonitor service. This vulnerability was discovered by Peter Winter-Smith of NGSSoftware. NOTE: repeated exploitation attempts may cause eDirectory to crash. It does not restart automatically in a default installation. This module...
Windows shellcode stage, Hidden Bind Ipknock TCP Stager
Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socket will appear as "closed," thu...
Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection
This module exploits an OS command injection vulnerability in includes/components/nxti/index.php that enables an authenticated user with admin privileges to achieve remote code execution as the apache user. The module uploads a simple PHP shell via includes/components/nxti/index.php to...
Micro Focus Operations Bridge Manager / Reporter Local Privilege Escalation
This module exploits an incorrectly permissioned folder in Micro Focus Operations Bridge Manager and Operations Bridge Reporter. An unprivileged user such as Guest can drop a JSP file in an exploded WAR directory and then access it without authentication by making a request to the OBM / OBR serve...
Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection
This module exploits an authenticated command injection vulnerability in Artica Proxy, combined with an authentication bypass discovered on the same version, it is possible to trigger the vulnerability without knowing the credentials. The application runs in virtual appliance, successful...
Diamorphine Rootkit Signal Privilege Escalation
This module uses Diamorphine rootkit's privesc feature using signal 64 to elevate the privileges of arbitrary processes to UID 0 root. This module has been tested successfully with Diamorphine from master branch 2019-10-04 on Linux Mint 19 kernel 4.15.0-20-generic x64. This module requires...
Pulse Secure VPN Arbitrary Command Execution
This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env1 command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulsesecurefiledisclosure for a pre-auth file read that...
ThinVNC Directory Traversal
This module exploits a directory traversal vulnerability in ThinVNC versions 1.0b1 and prior which allows unauthenticated users to retrieve arbitrary files, including the ThinVNC configuration file. This module has been tested successfully on ThinVNC versions 1.0b1 and "ThinVNCLatest" 2018-12-07...
Webmin password_change.cgi Backdoor
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site. Unknown attackers inserted Perl qx statements into the build server's source code on two separate occasions: onc...
Ruby Pingback, Reverse TCP
Connect back to the attacker, sends a UUID, then terminates module MetasploitModule CachedSize = 100 include Msf::Payload::Single include Msf::Payload::Ruby include Msf::Payload::Pingback include Msf::Payload::Pingback::Options def initializeinfo = supermergeinfoinfo, 'Name' = 'Ruby Pingback,...
Password Cracker: Databases
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from the mssqlhashdump, mysqlhashdump, postgreshashdump, or oraclehashdump modules. Passwords that have been successfully cracked are then saved as proper credentials. Due to the complexity of some of t...
Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability
This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails application would use its name as the secretkeybase, and can be easily extracted by visiting an invalid resource for a path. As a result, this allows a remote user to create and deliver a signed serialized payload...
Spring Cloud Config Server Directory Traversal
This module exploits an unauthenticated directory traversal vulnerability which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring Cloud Config listens by default on port 8888. This module requires Metasploit:...
HP Intelligent Management Java Deserialization RCE
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebDMDebugServlet, which listens on TCP...
Solaris srsexec Arbitrary File Reader
This module exploits a vulnerability in NetCommander 3.2.3 and 3.2.5. When srsexec is executed in debug -d verbose -v mode, the first line of an arbitrary file can be read due to the suid bit set. The most widely accepted exploitation vector is reading /etc/shadow, which will reveal root's hash f...
Bash Brace Expansion Command Encoder
This encoder uses brace expansion in Bash and other shells to avoid whitespace without being overly fancy. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Bash Brace Expansion Command Encoder',...