6846 matches found
Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
This module exploits a buffer overflow vulnerability in the LoadAniIcon function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was...
WU-FTPD SITE EXEC/INDEX Format String Vulnerability
This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code. This module requires...
Guild FTPd 0.999.8.11/0.999.14 Heap Corruption
Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap corruption. You need to have a valid login so you can run CWD and LIST. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Guild FTPd...
Windows Command Shell, Reverse TCP (via Ruby)
Connect back and create a command shell via Ruby This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 126 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...
Quick FTP Pro 2.1 Transfer-Mode Overflow
This module exploits a stack buffer overflow in the Quick TFTP Pro server product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting in a DoS. This is a port of a sploit by Mati "muts" Aharoni. This module requires Metasploit: https://metasploit.com/download Curre...
DATAC RealWin SCADA Server Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 Build 6.0.10.37. By sending a specially crafted FCINFOTAG/SETCONTROL packet, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download...
Linksys WRT54 Access Point apply.cgi Buffer Overflow
This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense who discovered this vulnerability, all WRT54G versions prior to 4.20.7 and all WRT54GS versions prior to 1.05.2 may be affected. This module requires Metasploit:...
Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy
Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support Module Options msf use payload/windows/custom/reversehttpsproxy msf payloadreversehttpsproxy show actions ...actions... msf payloadreversehttpsproxy set ACTION msf payloadreversehttpsproxy show options...
Windows Command Shell, Encrypted Reverse TCP Stager
Spawn a piped command shell staged. Connect to MSF and read in stage Module Options msf use payload/windows/x64/encryptedshell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set options... msf...
PEAR Archive_Tar 1.4.10 Arbitrary File Write
This module takes advantage of ArchiveTar use exploit/multi/fileformat/archivetararbfilewrite msf exploitarchivetararbfilewrite show targets ...targets... msf exploitarchivetararbfilewrite set TARGET msf exploitarchivetararbfilewrite show options ...show and set options... msf...
OpenMediaVault rpc.php Authenticated PHP Code Injection
This module exploits an authenticated PHP code injection vulnerability found in openmediavault versions before 4.1.36 and 5.x versions before 5.5.12 inclusive in the "sortfield" POST parameter of the rpc.php page, because "jsonencodesafe" is not used in config/databasebackend.inc. Successful...
VyOS Gather Device General Information
This module collects VyOS device information and configuration. Module Options msf use post/networking/gather/enumvyos msf postenumvyos show actions ...actions... msf postenumvyos set ACTION msf postenumvyos show options ...show and set options... msf postenumvyos run This module requires...
Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
OpenEMR 5.0.1 Patch 6 SQLi Dump
This module exploits a SQLi vulnerability found in OpenEMR version 5.0.1 Patch 6 and lower. The vulnerability allows the contents of the entire database with exception of log and task tables to be extracted. This module saves each table as a .csv file in your loot directory and has been tested wi...
Unix Command Shell, Pingback Bind TCP (via netcat)
Accept a connection, send a UUID, then exit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 103 include Msf::Payload::Single include Msf::Payload::Pingback include...
Cisco RV130W Routers Management Interface Remote Command Execution
A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based...
Total.js prior to 3.2.4 Directory Traversal
This module checks for and exploits a directory traversal vulnerability in Total.js prior to 3.2.4. Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv,...
Gather Available Shell Commands
This module will check which shell commands are available on a system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Gather Available Shell Commands', 'Description' = %q This module will che...
Hashicorp Consul Remote Command Execution via Services API
This module exploits Hashicorp Consul's services API to gain remote command execution on Consul nodes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Hashicorp Consul Remote Command Execution...
Java JMX Server Insecure Endpoint Code Execution Scanner
Detect Java JMX endpoints This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/java/serialization' class MetasploitModule 'Java JMX Server Insecure Endpoint Code Execution Scanner', 'Description' = 'Detect Jav...
Wordpress Arbitrary File Deletion
An arbitrary file deletion vulnerability in the WordPress core allows any user with privileges of an Author to completely take over the WordPress site and to execute arbitrary code on the server. This module requires Metasploit: https://metasploit.com/download Current source:...
Flexense HTTP Server Denial Of Service
This module triggers a Denial of Service vulnerability in the Flexense HTTP server. The vulnerability is caused by a user mode write access memory violation and can be triggered by rapidly sending a variety of HTTP requests with long HTTP header values. Multiple Flexense applications that are using...
Unix Command Shell, Bind UDP (via socat)
Creates an interactive shell via socat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 70 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo...
Unix Command Shell, Reverse UDP (via socat)
Creates an interactive shell via socat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 87 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo...
pfSense authenticated group member RCE
pfSense, a free BSD based open source firewall distribution, version 'pfSense authenticated group member RCE', 'Description' = %q pfSense, a free BSD based open source firewall distribution, version 's4squatch', discovery 'h00die' module , 'References' = 'EDB', '43128' , 'URL',...
Unix Command Shell, Bind TCP (via R)
Continually listen for a connection and spawn a command shell via R This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 132 include Msf::Payload::Single include Msf::Payload::R include...
PlugX Controller Stack Buffer Overflow
This module exploits a stack buffer overflow in the PlugX Controller C2 server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'zlib' class MetasploitModule 'PlugX Controller Stack Buffer Overflow',...
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1213932 include...
GoAutoDial 3.3 Authentication Bypass / Command Injection
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command...
Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability
This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters to perform arbitrary command execution as 'root'. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework cla...
Microsoft SQL Server Clr Stored Procedure Payload Execution
This module executes an arbitrary native payload on a Microsoft SQL server by loading a custom SQL CLR Assembly into the target SQL installation, and calling it directly with a base64-encoded payload. The module requires working credentials in order to connect directly to the MSSQL Server. This...
Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution
This module exploits a command injection vulnerability in the Trend Micro IMSVA product. An authenticated user can execute a terminal command under the context of the web server user, which is root. In addition, the default installation of IMSVA comes with default administrator credentials. saveCert.ims...
Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow
Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This...
Hak5 WiFi Pineapple Preconfiguration Command Injection
This module exploits a command injection vulnerability on WiFi Pineapples version 2.0 'Hak5 WiFi Pineapple Preconfiguration Command Injection', 'Description' = %q This module exploits a command injection vulnerability on WiFi Pineapples version 2.0 = pineapple 2.4. We use a combination of default...
Trend Micro Smart Protection Server Exec Remote Code Injection
This module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection. Please note: authentication is required to exploit this vulnerability. This module requires Metasploit:...
Multi Manage File Compressor
This module zips a file or a directory. On Linux, it uses the zip command. On Windows, it will try to use remote target's 7Zip if found. If not, it falls back to its Windows Scripting Host. This module requires Metasploit: https://metasploit.com/download Current source:...
Redis Login Utility
This module attempts to authenticate to a Redis service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/loginscanner/redis' require 'metasploit/framework/credentialcollection' Metasploi...
BusyBox SMB Sharing
This module will be applied on a session connected to a BusyBox shell. It will modify the SMB configuration of the device executing BusyBox to share the root directory of the device. This module requires Metasploit: https://metasploit.com/download Current source:...
Python Meterpreter, Python Bind TCP Stager with UUID Support
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection with UUID Support This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...
Windows Interactive Powershell Session, Bind TCP
Interacts with a powershell session on an established socket connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/powershell' module MetasploitModule CachedSize = :dynamic include Msf::Payload::Sing...
Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure
This module tests vulnerable IIS HTTP header file paths on Microsoft Exchange OWA 2003 and CAS 2007, 2010, and 2013 servers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Outlook Web App OWA ...
Adobe Flash Player PCRE Regex Vulnerability
This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error in the PCRE engine, specifically in the handling of the \c escape sequence when followed by a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode. This module requires Metasploit:...
Brocade Enable Login Check Scanner
This module will test a range of Brocade network devices for privileged logins and report successes. The device authentication mode must be set as 'aaa authentication enable default local'. Telnet authentication, e.g. 'enable telnet authentication', should not be enabled in the device...
Android Browser File Theft
This module steals the cookie, password, and autofill databases from the Browser application on AOSP 4.3 and below. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Browser File Theft',...
Windows Inject DLL, Hidden Bind Ipknock TCP Stager
Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will...
Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Listen for a connection from a hidden port and spawn a command shell to the allowed host. This module requires Metasploit: https://metasploit.com/download Current source:...
BMC TrackIt! Unauthenticated Arbitrary User Password Change
This module exploits a flaw in the password reset mechanism in BMC TrackIt! 11.3 and possibly prior versions. If the password reset service is configured to use a domain administrator (which is the recommended configuration), then domain credentials can be reset (such as domain Administrator). This...
Mac OS X IOKit Keyboard Driver Root Privilege Escalation
A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. The issue was...
UNIX Gather Remmina Credentials
Post module to obtain credentials saved for RDP and VNC from Remmina's configuration files. These are encrypted with 3DES using a 256-bit key generated by Remmina which is by design stored in relatively plain text in a file that must be properly protected. This module requires Metasploit:...
HP Data Protector EXEC_INTEGUTIL Remote Code Execution
This exploit abuses a vulnerability in HP Data Protector. The vulnerability exists in the Backup client service, which listens by default on TCP/5555. The EXECINTEGUTIL request allows executing arbitrary commands from a restricted directory. Since it includes a perl executable, it's possible...