6846 matches found
vBSEO proc_deutf() Remote PHP Code Injection
This module exploits a vulnerability in the 'procdeutf' function defined in /includes/functionsvbseocpabstract.php for vBSEO versions 3.6.0 and earlier. User input passed through 'charrepl' POST parameter isn't properly sanitized before being used in a call to pregreplace function which uses the...
Sybase Easerver 6.3 Directory Traversal
This module exploits a directory traversal vulnerability found in Sybase EAserver's Jetty webserver on port 8000. Code execution seems unlikely with EAserver's default configuration unless the web server allows WRITE permission. This module requires Metasploit: https://metasploit.com/download...
Cross Platform Webkit File Dropper
This module exploits a XSLT vulnerability in Webkit to drop ASCII or UTF-8 files to the target file-system. By default, the file will be dropped in C:\Program Files\ This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework cla...
Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS
The Beckhoff TwinCAT version 'Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS', 'Description' = %q The Beckhoff TwinCAT version 'Luigi Auriemma', Public exploit 'jfa', Metasploit module , 'License' = MSFLICENSE, 'References' = 'CVE', '2011-3486' , 'OSVDB', '75495' , 'URL',...
Java Meterpreter, Java Reverse HTTPS Stager
Run a meterpreter server in Java. Tunnel communication over HTTPS This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Java...
Windows LoadLibrary Path
Load an arbitrary library path This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Executes a command on the target machine module MetasploitModule CachedSize = 202 include Msf::Payload::Windows::LoadLibrary end...
Sun Java Applet2ClassLoader Remote Code Execution
This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A "codebase" parameter that points at a trusted directory 2. A "code" parameter that is a URL that does not contain any...
MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption
This module exploits a memory corruption vulnerability within Microsoft's HTML engine mshtml. When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer t...
Web Site Crawler
Crawl a web site and store information about what was found This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Web Site Crawler', 'Description' = 'Crawl a web site and store information about what...
PHP Remote File Include Generic Code Execution
This module can be used to exploit any generic PHP file include vulnerability, where the application includes code like the following: This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PHP Remote...
Computer Associates License Client GETCONFIG Overflow
This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this...
VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
This module exploits a stack-based buffer overflow in the Win32AddConnection function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are reportedly affected. This vulnerability is only present in Win32 builds of VLC. This payload was found to work with the windows/exec and...
MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption
A heap-based buffer overflow can occur when calling the undocumented "spreplwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine MSDE without the updates supplied in MS09-00...
Zabbix Agent net.tcp.listen Command Injection
This module exploits a metacharacter injection vulnerability in the FreeBSD and Solaris versions of the Zabbix agent. This flaw can only be exploited if the attacker can hijack the IP address of an authorized server as defined in the configuration file. This module requires Metasploit:...
EMC AlphaStor Device Manager Arbitrary Command Execution
EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Authentication Capture: IMAP
This module provides a fake IMAP service that is designed to capture authentication credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Authentication Capture: IMAP', 'Description' = %...
SAP SAPLPD 6.28 Buffer Overflow
This module exploits a stack buffer overflow in SAPlpd 6.28 SAP Release 6.40 . By sending an overly long argument, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework cla...
Trend Micro OfficeScan Client ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the "CgiOnUpdate" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code. This module requires Metasploit:...
SAP DB 7.4 WebTools Buffer Overflow
This module exploits a stack buffer overflow in SAP DB 7.4 WebTools. By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method credit Ramon and Adriano, which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher...
Zen Load Balancer Directory Traversal
This module exploits a authenticated directory traversal vulnerability in Zen Load Balancer v3.10.1. The flaw exists in 'index.cgi' not properly handling 'filelog=' parameter which allows a malicious actor to load arbitrary file path. This module requires Metasploit: https://metasploit.com/downlo...
Plantronics Hub SpokesUpdateService Privilege Escalation
The Plantronics Hub client application for Windows makes use of an automatic update service SpokesUpdateService.exe which automatically executes a file specified in the MajorUpgrade.config configuration file as SYSTEM. The configuration file is writable by all users by default. This module has be...
Password Cracker: AIX
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from passwd files on AIX systems. These utilize DES hashing. DES is format 1500 in Hashcat. This module requires Metasploit: https://metasploit.com/download Current source:...
CMS Made Simple (CMSMS) Showtime2 File Upload RCE
This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module "CMS Made Simple CMSMS Showtime2 File Upload RCE", 'Description' = %q This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module = 3.6.2 in CMS Made Simple CMSMS. An authenticated...
Microsoft Excel .SLK Payload Delivery
This module generates a download and execute Powershell command to be placed in an .SLK Excel spreadsheet. When executed, it will retrieve a payload via HTTP from a web server. When the file is opened, the user will be prompted to "Enable Content." Once this is pressed, the payload will execute...
Emacs movemail Privilege Escalation
This module exploits a SUID installation of the Emacs movemail utility to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local. The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg. This module requires Metasploit: https://metasploit.com/download Current source:...
iOS Image Gatherer
This module collects images from iPhones. Module was tested on iOS 10.3.3 on an iPhone 5. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'iOS Image Gatherer', 'Description' = %q This module...
HID discoveryd command_blink_on Unauthenticated RCE
This module exploits an unauthenticated remote command execution vulnerability in the discoveryd service exposed by HID VertX and Edge door controllers. This module was tested successfully on a HID Edge model EH400 with firmware version 2.3.1.603 Build 04/23/2012. This module requires Metasploit:...
Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 203846 include Msf::Payload::TransportConfig...
Module to Probe Different Data Points in a CAN Packet
Scans between two CAN IDs and writes data at each byte position. It will either write a set byte value Default 0xFF or iterate through all possible values of that byte position takes much longer. Does not check for responses and is basically a simple blind fuzzer. This module requires Metasploit:...
Meteocontrol WEBlog Password Extractor
This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances software version 'Meteocontrol WEBlog Password Extractor', 'Description' = % This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances software version 'URL',...
Phoenix Exploit Kit Remote Code Execution
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java and Adobe Flash...
Windows Gather Avira Password Extraction
This module extracts the weakly hashed password which is used to protect a Avira Antivirus 'Windows Gather Avira Password Extraction', 'Description' = %q This module extracts the weakly hashed password which is used to protect a Avira Antivirus MSFLICENSE, 'Author' = 'Robert Kugler / robertchrk',...
WebNMS Framework Server Credential Disclosure
This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract all user credentials. The first vulnerability is an unauthenticated file download in the FetchFile servlet, which is used to download the file containing the user credentials. The second vulnerability is that the...
TP-Link SC2020n Authenticated Telnet Injection
The TP-Link SC2020n Network Video Camera is vulnerable to OS Command Injection via the web interface. By firing up the telnet daemon, it is possible to gain root on the device. The vulnerability exists at /cgi-bin/admin/servetest, which is accessible with credentials. This module requires...
Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw...
Android Stock Browser Iframe DOS
This module exploits a vulnerability in the native browser that comes with Android 4.0.3. If successful, the browser will crash after viewing the webpage. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Windows Gather Active Directory Managed Groups
This module will enumerate AD groups on the specified domain which are specifically managed. It cannot at the moment identify whether the 'Manager can update membership list' option option set; if so, it would allow that member to update the contents of that group. This could either be used as a...
phpFileManager 0.9.8 Remote Code Execution
This module exploits a remote code execution vulnerability in phpFileManager 0.9.8 which is a filesystem management tool on a single file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
ManageEngine OpManager Remote Code Execution
This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which cannot be reset through the user interface. By log-in and abusing the...
PuTTY Saved Sessions Enumeration Module
This module will identify whether Pageant PuTTY Agent is running and obtain saved session information from the registry. PuTTY is very configurable; some users may have configured saved sessions which could include a username, private key file to use when authenticating, host name etc. If a priva...
Adobe Flash Player domainMemory ByteArray Use After Free
This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets...
D-Link Devices HNAP SOAPAction-Header Command Execution
Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected:...
BSD x64 Shell Bind TCP
Bind an arbitrary command to an arbitrary port This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 136 include Msf::Payload::Single include Msf::Payload::Bsd include...
Adobe Flash Player ByteArray With Workers Use After Free
This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, which can fill the memory and notify the main thread to corrupt the new contents. This module has...
TWiki Debugenableplugins Remote Code Execution
TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in an Perl eval statement which allows remote code execution. This module requires Metasploit: https://metasploit.com/download Current source:...
Cisco DLSw Information Disclosure Scanner
This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active. This...
F5 iControl Remote Root Command Execution
This module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API and likely other F5 devices. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "F5 iContro...
ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral v7 to v9 build 90054 including the MSP versions. A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution as SYSTEM. Some early builds of version ...
Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow
This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability exists in the service BKFSimvhfd.exe when using malicious user-controlled data to create logs using functions like vsprintf and memcpy in an insecure way. This module has been tested successfully on Yokogawa...