Metasploit: Most viewed

6846 matches found

Metasploit
•added 2014/08/29 8:8 a.m.•39 views

Linux Gather NetworkManager 802-11-Wireless-Security Credentials

This module collects 802-11-Wireless-Security credentials such as Access-Point name and Pre-Shared-Key from Linux NetworkManager connection configuration files. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

AI score: 7.1
Exploits: 0

Metasploit
•added 2014/07/11 3:30 p.m.•39 views

D-Link HNAP Request Remote Buffer Overflow

This module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is due to a stack based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This module has been successfully tested on D-Link DIR-505 in an...

CVSS: 10 | AI score: 0.4 | EPSS: 0.76555
Exploits: 6

Metasploit
•added 2014/05/16 1:32 p.m.•39 views

Ubee DDW3611b Cable Modem Wifi Enumeration

This module will extract WEP keys and WPA preshared keys from certain Ubee cable modems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ubee DDW3611b Cable Modem Wifi Enumeration', 'Descriptio...

AI score: 7.3
Exploits: 0

Metasploit
•added 2014/05/09 3:27 p.m.•39 views

Yokogawa CS3000 BKESimmgr.exe Buffer Overflow

This module exploits a stack-based buffer overflow on Yokogawa CS3000. The vulnerability exists in the BKESimmgr.exe service when handling specially crafted packets, due to an insecure usage of memcpy, using attacker-controlled data as the size count. This module has been tested successfully in...

CVSS: 8.3 | AI score: 7.3 | EPSS: 0.56839
Exploits: 4

Metasploit
•added 2014/05/05 6:38 p.m.•39 views

F5 BIG-IP Backend Cookie Disclosure

This module identifies F5 BIG-IP load balancers and leaks backend information (pool name, routed domain, and backend servers' IP addresses and ports) through cookies inserted by the BIG-IP systems. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score: 0.7
Exploits: 0

Metasploit
•added 2014/04/14 5:27 p.m.•39 views

Firefox Gather History from Privileged Javascript Shell

This module allows collection of the entire browser history from a Firefox Privileged Javascript Shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'json' class MetasploitModule 'Firefox Gather History fro...

AI score: 10
Exploits: 0

Metasploit
•added 2014/03/26 6:48 p.m.•39 views

Linux Execute Command

A very small shellcode for executing commands. This module is sometimes helpful for testing purposes. -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 52 includ...

AI score: 7.4
Exploits: 0

Metasploit
•added 2014/03/20 11:37 a.m.•39 views

Linux Reboot

A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score: 7.4
Exploits: 0

Metasploit
•added 2014/01/04 12:23 a.m.•39 views

Firefox XPCOM Execute Command

This module runs a shell command on the target OS without touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript "launcher" to disk that hides the prompt. This module requires Metasploit:...

AI score: 7.1
Exploits: 0

Metasploit
•added 2013/12/20 3:45 p.m.•39 views

Synology DiskStation Manager SLICEUPLOAD Remote Command Execution

This module exploits a vulnerability found in Synology DiskStation Manager DSM versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows appending arbitrary data to a given file using a so-called...

CVSS: 10 | AI score: 7.5 | EPSS: 0.84571
Exploits: 5

Metasploit
•added 2013/09/16 6:38 p.m.•39 views

Command Shell, Reverse TCP SSL (via nodejs)

Creates an interactive shell via nodejs, uses SSL This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 831 include Msf::Payload::Single include Msf::Payload::NodeJS include...

AI score: 0.4
Exploits: 0

Metasploit
•added 2013/06/20 6:40 p.m.•39 views

Unix Command Shell, Reverse TCP (via Zsh)

Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule...

AI score: 0.3
Exploits: 0

Metasploit
•added 2013/05/15 2:2 p.m.•39 views

Mutiny 5 Arbitrary File Upload

This module exploits a code execution flaw in the Mutiny 5 appliance. The EditDocument servlet provides a file upload function to authenticated users. A directory traversal vulnerability in the same functionality allows for arbitrary file upload, which results in arbitrary code execution with roo...

CVSS: 8.5 | AI score: 7.9 | EPSS: 0.40338
Exploits: 8

Metasploit
•added 2013/04/04 3:30 p.m.•39 views

Linksys WRT54GL apply.cgi Command Execution

Some Linksys routers are vulnerable to an authenticated OS command injection in the web interface. Default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.71419
Exploits: 8

Metasploit
•added 2013/03/28 2:10 a.m.•39 views

MongoDB nativeHelper.apply Remote Code Execution

This module exploits the nativeHelper feature from spiderMonkey which allows remote code execution by calling it with specially crafted arguments. This module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze. This module requires Metasploit:...

CVSS: 6 | AI score: 7.9 | EPSS: 0.44543
Exploits: 7

Metasploit
•added 2013/03/23 9:40 p.m.•39 views

Netgear SPH200D Directory Traversal Vulnerability

This module exploits a directory traversal vulnerability which is present in Netgear SPH200D Skype telephone. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Netgear SPH200D Directory Traversal...

AI score: 7.3
Exploits: 0

Metasploit
•added 2012/12/24 3:23 p.m.•39 views

IBM Lotus Notes Client URL Handler Command Injection

This module exploits a command injection vulnerability in the URL handler for the IBM Lotus Notes Client...

CVSS: 9.3 | AI score: 0.7 | EPSS: 0.38291
Exploits: 11

Metasploit
•added 2012/11/07 11:16 a.m.•39 views

SAP /sap/bc/soap/rfc SOAP Service BAPI_USER_CREATE1 Function User Creation

This module makes use of the BAPI_USER_CREATE1 function, through the SOAP /sap/bc/soap/rfc service, for creating/modifying users on a SAP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on, inspire...

AI score: 7
Exploits: 0

Metasploit
•added 2012/05/17 8:28 a.m.•39 views

Oracle Weblogic Apache Connector POST Request Buffer Overflow

This module exploits a stack-based buffer overflow in the BEA Weblogic Apache plugin. The connector fails to properly handle specially crafted HTTP POST requests, resulting in a buffer overflow due to the insecure usage of sprintf. Currently, this module works over Windows systems without DEP, and h...

CVSS: 10 | AI score: 7.4 | EPSS: 0.83589
Exploits: 9

Metasploit
•added 2012/01/31 7:11 a.m.•39 views

PHP Command Shell, Bind TCP (via php) IPv6

Listen for a connection and spawn a command shell via php IPv6 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Payload::Php inclu...

Exploits: 0

Metasploit
•added 2012/01/17 6:28 p.m.•39 views

HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution

This module allows remote attackers to place arbitrary files on a user's file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the...

CVSS: 9.3 | AI score: 0.7 | EPSS: 0.41132
Exploits: 9

Metasploit
•added 2011/12/30 4:16 p.m.•39 views

CoCSoft StreamDown 6.8.0 Buffer Overflow

Stream Down 6.8.0 SEH-based buffer overflow triggered when processing the server response packet. During the overflow a structured exception handler is overwritten. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework clas...

CVSS: 6.8 | AI score: 7.5 | EPSS: 0.30074
Exploits: 6

Metasploit
•added 2011/10/18 11:31 p.m.•39 views

Multi Manage System Remote TCP Shell Session

This module will create a Reverse TCP Shell on the target system using the system's own scripting environments installed on the target. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi...

AI score: 6.9
Exploits: 0

Metasploit
•added 2011/09/03 9:17 p.m.•39 views

Apple QuickTime PICT PnSize Buffer Overflow

This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS: 9.3 | AI score: 0.7 | EPSS: 0.60106
Exploits: 14

Metasploit
•added 2011/09/03 4:16 a.m.•39 views

Windows Gather Product Key

This module will enumerate Microsoft product license keys. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Product Key', 'Description' = %q This module will enumerate Microsoft...

AI score: 10
Exploits: 0

Metasploit
•added 2011/08/21 11:40 p.m.•39 views

BNAT Router

This module will properly route BNAT traffic and allow for connections to be established to machines on ports which might not otherwise be accessible. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

AI score: 7.3
Exploits: 0

Metasploit
•added 2011/08/14 12:36 a.m.•39 views

Windows Gather Hardware Enumeration

Enumerate PCI hardware information from the registry. Please note this script will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPIHAL', 'FDC', 'HID', 'HTREE', 'IDE', 'ISAPNP', 'LEGACY', 'LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW', and 'USB'; it will take time to finish. It is...

AI score: 6.8
Exploits: 0

Metasploit
•added 2011/07/17 3:1 p.m.•39 views

Iconics GENESIS32 Integer Overflow Version 9.21.201.01

The GenBroker service on port 38080 is affected by three integer overflow vulnerabilities while handling opcode 0x4b0, which is caused by abusing the memory allocations needed for the number of elements passed by the client. This results in unexpected behaviors such as direct registry calls,...

AI score: 0.4
Exploits: 0

Metasploit
•added 2011/07/07 2:53 p.m.•39 views

OS X Gather Mac OS X System Information Enumeration

This module gathers basic system information from Mac OS X Tiger 10.4, through Mojave 10.14. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OS X Gather Mac OS X System Information Enumeration'...

AI score: 7.1
Exploits: 0

Metasploit
•added 2011/06/20 12:37 a.m.•39 views

DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow

This module exploits a vulnerability found in DATAC Control International RealWin SCADA Server 2.1 and below. By supplying a specially crafted OnFCBINFILEFCSFILE packet via port 910, RealWin will try to create a file which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename by...

CVSS: 10 | AI score: 0.4 | EPSS: 0.74638
Exploits: 15

Metasploit
•added 2011/05/06 3:29 p.m.•39 views

VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow

This module exploits an input validation error in libmodplugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable,...

CVSS: 6.8 | AI score: 0.6 | EPSS: 0.42941
Exploits: 8

Metasploit
•added 2011/02/08 11:31 p.m.•39 views

MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow

This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to...

CVSS: 9.3 | AI score: 8 | EPSS: 0.67687
Exploits: 10

Metasploit
•added 2011/01/25 1:2 p.m.•39 views

Windows Manage Local User Account Deletion

This module deletes a local user account from the specified server, or the local machine if no server is given. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Manage Local User Account...

AI score: 7.2
Exploits: 0

Metasploit
•added 2011/01/24 10:14 p.m.•39 views

SMB Domain User Enumeration

Determine what domain users are logged into a remote system via a DCERPC to NetWkstaUserEnum. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SMB Domain User Enumeration', 'Description' =...

AI score: 7.3
Exploits: 0

Metasploit
•added 2011/01/11 2:2 a.m.•39 views

Windows Gather Logged On User Enumeration (Registry)

This module will enumerate current and recently logged on Windows users. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Logged On User Enumeration Registry', 'Description' = %q...

AI score: 7
Exploits: 0

Metasploit
•added 2011/01/07 12:28 a.m.•39 views

Multi Gather Generic Operating System Environment Settings

This module prints out the operating system environment variables. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather Generic Operating System Environment Settings', 'Description' = %...

AI score: 0.4
Exploits: 0

Metasploit
•added 2010/12/10 5:47 a.m.•39 views

Cisco IOS HTTP Unauthorized Administrative Access

This module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for "/level/num/exec/..", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 - 12.2 are reportedly vulnerable. This module tested successfully...

CVSS: 9.3 | AI score: 7.2 | EPSS: 0.6845
Exploits: 8

Metasploit
•added 2010/12/07 5:44 p.m.•39 views

Trixbox langChoice PHP Local File Inclusion

This module injects php into the trixbox session file and then, in a second call, evaluates that code by manipulating the langChoice parameter as described in OSVDB-50421. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...

CVSS: 6.8 | AI score: 10 | EPSS: 0.20271
Exploits: 2

Metasploit
•added 2010/10/22 6:16 a.m.•39 views

Oracle VM Server Virtual Server Agent Command Injection

This module exploits a command injection flaw within Oracle's VM Server Virtual Server Agent ovs-agent service. By including shell meta characters within the second parameter to the 'utltesturl' XML-RPC methodCall, an attacker can execute arbitrary commands. The service typically runs with root...

CVSS: 9 | AI score: 0.9 | EPSS: 0.52706
Exploits: 4

Metasploit
•added 2010/07/25 9:37 p.m.•39 views

MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)

This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This modul...

CVSS: 10 | AI score: 0.2 | EPSS: 0.79128
Exploits: 17

Metasploit
•added 2010/06/10 7:52 p.m.•39 views

Adobe Flash Player "newfunction" Invalid Pointer Use

This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash...

CVSS: 7.8 | AI score: 10 | EPSS: 0.82296
Exploits: 22

Metasploit
•added 2010/04/26 9:36 p.m.•39 views

Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE

The module exploits a SQL injection flaw in the DROP_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. This module require...

CVSS: 3.6 | AI score: 0.4 | EPSS: 0.12555
Exploits: 2

Metasploit
•added 2010/04/15 4:8 p.m.•39 views

Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop

This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC...

CVSS: 9.3 | AI score: 0.4 | EPSS: 0.30879
Exploits: 3

Metasploit
•added 2010/04/05 8:25 p.m.•39 views

MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption

This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte...

CVSS: 9.3 | AI score: 0.9 | EPSS: 0.80603
Exploits: 13

Metasploit
•added 2010/02/08 7:4 p.m.•39 views

Microsoft IIS WebDAV Write Access Code Execution

This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. The target IIS machine must meet these conditions to be considered as exploitable: It allows 'Script resource access', Read and Wri...

AI score: 7.2
Exploits: 0

Metasploit
•added 2010/02/01 2:12 a.m.•39 views

HTTP SOAP Verb/Noun Brute Force Scanner

This module attempts to brute force SOAP/XML requests to uncover hidden methods. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP SOAP Verb/Noun Brute Force Scanner', 'Description' = %q Thi...

AI score: 7
Exploits: 0

Metasploit
•added 2009/11/25 10:24 p.m.•39 views

Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include...

CVSS: 8.8 | AI score: 1 | EPSS: 0.83574
Exploits: 3

Metasploit
•added 2009/04/13 2:33 p.m.•39 views

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher...

CVSS: 10 | AI score: 7.6 | EPSS: 0.77806
Exploits: 23

Metasploit
•added 2008/11/20 3:42 a.m.•39 views

Unix Command Shell, Bind TCP (via Ruby)

Continually listen for a connection and spawn a command shell via Ruby This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 137 include Msf::Payload::Single include...

AI score: 0.2
Exploits: 0

Metasploit
•added 2008/02/07 11:8 p.m.•39 views

Facebook Photo Uploader 4 ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Facebook Photo Uploader 4. By sending an overly long string to the "ExtractIptc" property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code. This module requires Metasploit:...

CVSS: 9.3 | AI score: 0.9 | EPSS: 0.32696
Exploits: 3

Total number of security vulnerabilities: 5000