Create an AWS IAM User

This module will attempt to create an AWS Amazon Web Services IAM Identity and Access Management user with Admin privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/aws/client'...

Metasploit Web UI Static secret_key_base Value

This module exploits the Web UI for Metasploit Community, Express and Pro where one of a certain set of Weekly Releases have been applied. These Weekly Releases introduced a static secretkeybase value. Knowledge of the static secretkeybase value allows for deserialization of a crafted Ruby Object...

Apache Continuum Arbitrary Command Execution

This module exploits a command injection in Apache Continuum 'Apache Continuum Arbitrary Command Execution', 'Description' = %q This module exploits a command injection in Apache Continuum 'David Shanahan', Proof of concept 'wvu' Metasploit module , 'References' = %wEDB 39886 , 'DisclosureDate' =...

ATutor 2.2.1 SQL Injection / Remote Code Execution

This module exploits a SQL Injection vulnerability and an authentication weakness vulnerability in ATutor. This essentially means an attacker can bypass authentication and reach the administrator's interface where they can upload malicious code. This module requires Metasploit:...

IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service

This module exploits a denial of service condition present in IBM Tivoli Storage Manager FastBack Server when dealing with packets triggering the opcode 0x534 handler. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

BusyBox Jailbreak

This module will send a set of commands to an open session that is connected to a BusyBox limited shell i.e. a router limited shell. It will try different known tricks to jailbreak the limited shell and get a full BusyBox shell. This module requires Metasploit: https://metasploit.com/download...

WordPress All-in-One Migration Export

This module allows you to export Wordpress data such as the database, plugins, themes, uploaded files, etc via the All-in-One Migration plugin without authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

Endian Firewall Proxy Password Change Command Injection

This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had...

Adobe Flash Player Drawing Fill Shader Memory Corruption

This module exploits a memory corruption happening when applying a Shader as a drawing fill as exploited in the wild on June 2015. This module has been tested successfully on: Windows 7 SP1 32-bit, IE11 and Adobe Flash 17.0.0.188, Windows 7 SP1 32-bit, Firefox 38.0.5 and Adobe Flash 17.0.0.188,...

F5 BigIP HTTP Virtual Server Scanner

This module scans for BigIP HTTP virtual servers using banner grabbing. BigIP system uses different HTTP profiles for managing HTTP traffic and these profiles allow to customize the string used as Server HTTP header. The default values are "BigIP" or "BIG-IP" depending on the BigIP system version...

Realtek SDK Miniigd UPnP SOAP Command Execution

Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested successfully on a Trendnet TEW-731BR...

Wordpress Reflex Gallery Upload Vulnerability

This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution. This module requires Metasploit: https://metasploit.com/download Current source:...

BSD x64 Shell Reverse TCP

Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 98 include Msf::Payload::Single include Msf::Payload::Bsd include...

Adobe Flash Player copyPixelsToByteArray Method Integer Overflow

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This...

Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager

Inject the meterpreter server DLL staged. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The socket will appea...

Jenkins-CI Login Utility

This module attempts to login to a Jenkins-CI instance using a specific user/pass. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credentialcollection' require...

Phpwiki Ploticus Remote Code Execution

The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via command injection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Phpwiki Ploticus Remote Code...

GDB Server Remote Payload Execution

This module attempts to execute an arbitrary payload on a loose gdbserver service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'GDB Server Remote Payload Execution', 'Description' = %q This...

HTTP Header Detection

This module shows HTTP Headers returned by the scanned systems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Header Detection', 'Description' = %q This module shows HTTP Headers returne...

The EICAR Encoder

This encoder merely replaces the given payload with the EICAR test string. Note, this is sure to ruin your payload. Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus standards should alert and do what it would normally do when malware is transmitted across the wire. This modu...

KingScada kxClientDownload.ocx ActiveX Remote Code Execution

This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada. The ProjectURL property can be abused to download and load arbitrary DLLs from arbitrary locations, leading to arbitrary code execution, because of a dangerous usage of LoadLibrary. Due to the natu...

Command Shell, Reverse TCP (via Firefox XPCOM script)

Creates an interactive shell via Javascript with access to Firefox's XPCOM API This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include...

Windows Gather Active Directory Computers

This module will enumerate computers in the default AD directory. Optional Attributes to use in ATTRIBS: objectClass, cn, description, distinguishedName, instanceType, whenCreated, whenChanged, uSNCreated, uSNChanged, name, objectGUID, userAccountControl, badPwdCount, codePage, countryCode,...

HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload

This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary files, just having into account binary writes aren't allowed. Additionally, authentication can be bypassed in order to...

Linux Command Shell, Bind TCP Random Port Inline

Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 57...

Firefox onreadystatechange Event DocumentViewerImpl Use After Free

This module exploits a vulnerability found on Firefox 17.0.6, specifically a use after free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop API, as exploited in the wild on 2013 August to target Tor Browser users. This...

Gather eCryptfs Metadata

This module will collect the contents of all users' .ecrypts directories on the targeted machine. Collected "wrapped-passphrase" files can be cracked with John the Ripper JtR to recover "mount passphrases". This module requires Metasploit: https://metasploit.com/download Current source:...

Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within...

Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment

This module exploits a mass assignment vulnerability in the 'create' action of 'users' controller of Foreman and Red Hat OpenStack/Satellite Foreman 1.2.0-RC1 and earlier by creating an arbitrary administrator account. For this exploit to work, your account must have 'createusers' permission e.g....

Novell Zenworks Mobile Device Management Admin Credentials

This module attempts to pull the administrator credentials from a vulnerable Novell Zenworks MDM server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Novell Zenworks Mobile Device Management...

Novell ZENworks Configuration Management Remote Execution

This module exploits a code execution flaw in Novell ZENworks Configuration Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control Center application, allowing an unauthenticated attacker to upload a malicious file outside of the TEMP directory and then make a second reque...

Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service

This module sends a specially-crafted SSH Key Exchange causing the service to crash. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service'...

Honeywell HSC Remote Deployer ActiveX Remote Code Execution

This module exploits a vulnerability found in the Honeywell HSC Remote Deployer ActiveX. This control can be abused by using the LaunchInstaller function to execute an arbitrary HTA from a remote location. This module has been tested successfully with the HSC Remote Deployer ActiveX installed wit...

Java Applet AverageRangeStatisticImpl Remote Code Execution

This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier. This module requires Metasploit:...

POP3 Login Utility

This module attempts to authenticate to an POP3 service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/loginscanner/pop3' require 'metasploit/framework/credentialcollection' class...

TWiki MAKETEXT Remote Command Execution

This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since user input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the...

Network Shutdown Module (sort_values) Remote PHP Code Injection

This module exploits a vulnerability in Eaton Network Shutdown Module version 'Network Shutdown Module sortvalues Remote PHP Code Injection', 'Description' = %q This module exploits a vulnerability in Eaton Network Shutdown Module version 'h0ng10', original discovery, msf module 'sinn3r' PhpEXE s...

Novell ZENworks Asset Management 7.5 Configuration Access

This module exploits a hardcoded user and password for the GetConfig maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to...

UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow

This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for...

7-Technologies IGSS 9 IGSSdataServer.exe DoS

The 7-Technologies SCADA IGSS Data Server IGSSdataServer.exe '7-Technologies IGSS 9 IGSSdataServer.exe DoS', 'Description' = %q The 7-Technologies SCADA IGSS Data Server IGSSdataServer.exe 'jfa', Metasploit module , 'License' = MSFLICENSE, 'References' = 'CVE', '2011-4050' , 'OSVDB', '77976' ,...

Unix Command Shell, Bind TCP (via Ruby) IPv6

Continually listen for a connection and spawn a command shell via Ruby This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 142 include Msf::Payload::Single include...

Multi Gather DNS Forward Lookup Bruteforce

Brute force subdomains and hostnames via wordlist. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather DNS Forward Lookup Bruteforce', 'Description' = %q Brute force subdomains and...

Windows Gather Internet Explorer User Data Enumeration

This module will collect history, cookies, and credentials from either HTTP auth passwords, or saved form passwords found in auto-complete in Internet Explorer. The ability to gather credentials is only supported for versions of IE =7, while history and cookies can be extracted for all versions...

RealNetworks Realplayer QCP Parsing Heap Overflow

This module exploits a heap overflow in Realplayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is allocated on the heap and user-supplied data from the file is copied within a memory copy loop. This allows a remote attacker to execute...

Windows Gather Process Memory Grep

This module allows for searching the memory space of a process for potentially sensitive data. Please note: When the HEAP option is enabled, the module will have to migrate to the process you are grepping, and will not migrate back automatically. This means that if the user terminates the...

HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works against a specific build i.e. NNM...

Wireshark CLDAP Dissector DOS

This module causes infinite recursion to occur within the CLDAP dissector by sending a specially crafted UDP packet. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Wireshark CLDAP Dissector...

Java Signed Applet Social Engineering Code Execution

This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs the it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will...

Cisco IOS SNMP Configuration Grabber (TFTP)

This module will download the startup or running configuration from a Cisco IOS device using SNMP and TFTP. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system...

Metasploit Web Crawler

This auxiliary module is a modular web crawler, to be used in conjunction with wmap someday or standalone. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Web Crawler. Author: Efrain Torres et at metasploit.com 2010...