ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral v7 to v9 build 90054 including the MSP versions. A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution as SYSTEM. Some early builds of version ...
Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow
This module exploits a stack-based buffer overflow on Yokogawa CS3000. The vulnerability exists in the BKFSim_vhfd.exe service, which uses malicious user-controlled data to create log entries through functions such as vsprintf and memcpy in an insecure way. This module has been tested successfully on Yokogawa...
Windows Gather Active Directory User Comments
This module will enumerate user accounts in the default Active Directory (AD) domain whose description or comment contains 'pass' (case-insensitive by default). In some cases, such users have their passwords specified in these fields. This module requires Metasploit:...
VICIdial Manager Send OS Command Injection
The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru function. A valid username, password and session are needed to access the injection point. Fortunately, VICIdial has two built-in accounts with...
Command Shell, Reverse TCP (via nodejs)
Creates an interactive shell via nodejs.
HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow
This module exploits a buffer overflow vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage of the sscanf function when parsing login requests. This module has been tested successfully on the HP VSA 9 Virtual Appliance. This...
Python Meterpreter, Python Reverse TCP Stager
Run a meterpreter server in Python (compatible with 2.5-2.7 &amp; 3.1+). Connect back to the attacker.
Canon Wireless Printer Denial Of Service
The HTTP management interface on several models of Canon Wireless printers allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note: if this module is successful, the device can only be recovered with a physical power cycle.
Monkey HTTPD Header Parsing Denial of Service (DoS)
This module causes improper header parsing that leads to a segmentation fault due to a specially crafted HTTP request. Affects version ...
Mutiny 5 Arbitrary File Read and Delete
This module exploits the EditDocument servlet from the frontend on the Mutiny 5 appliance. The EditDocument servlet provides file operations, such as copy and delete, which are affected by a directory traversal vulnerability. Because of this, any authenticated frontend user can read and delete...
SAP SOAP EPS_DELETE_FILE File Deletion
This module abuses the SAP NetWeaver EPS_DELETE_FILE function, exposed by the SAP SOAP RFC Service, to delete arbitrary files on the remote file system. The module can also be used to capture SMB hashes by supplying a fake SMB share as DIRNAME.
Multi Gather GnuPG Credentials Collection
This module will collect the contents of all users' .gnupg directories on the targeted machine. Password-protected secret keyrings can be cracked with John the Ripper (JtR).
Windows Gather Apache Tomcat Enumeration
This module will collect information from a Windows-based Apache Tomcat installation, such as the installation path, Tomcat version, port, web applications, users, passwords, roles, etc.
Apple iOS MobileMail LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.
CuteFlow v2.11.2 Arbitrary File Upload Vulnerability
This module exploits a vulnerability in CuteFlow version 2.11.2 or prior. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/1/' directory and then execute them.
Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability
This module exploits a file upload vulnerability found in Symantec Web Gateway's HTTP service. Due to the incorrect handling of file extensions in the uploadfile function, attackers may abuse the spywall/blockedfile.php file in order to upload a malicious PHP file without any authentication, which...
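The three upload modules above (ManageEngine Desktop Central, CuteFlow and Symantec Web Gateway) share one root cause: the server accepts a client-supplied filename, checks it loosely or not at all, and writes it somewhere the web server will execute it. The Ruby below is an added example, not code from any of those products or from Metasploit; the extension lists, the `classify_upload` / `store_upload` names and the storage directory are assumptions for illustration. It shows the checks a hardened handler needs: every extension in the name is inspected (so `shell.php.jpg` and `x.jpg.php` both fail, not just the last one), the accepted set is an allow-list, and the file lands under a server-chosen random name outside the web root so the client never controls the path.

```ruby
require 'securerandom'
require 'fileutils'

# Extensions a web server would execute; these must never reach a served
# directory regardless of where they appear in the name. (Illustrative list.)
EXECUTABLE_EXTS = %w[php php3 php5 phtml jsp jspx asp aspx cgi pl sh].freeze

# Allow-list of what this hypothetical endpoint actually needs to accept.
ALLOWED_EXTS = %w[png jpg jpeg gif pdf txt].freeze

# Validate a client-supplied filename.
# Returns [:ok, ext] or [:reject, reason].
def classify_upload(client_filename)
  name = File.basename(client_filename.to_s)   # drop any path component
  return [:reject, 'empty or dot-file name'] if name.empty? || name.start_with?('.')

  parts = name.downcase.split('.')
  return [:reject, 'no extension'] if parts.size < 2

  exts = parts[1..-1]                          # every extension, not just the last
  bad = exts.find { |e| EXECUTABLE_EXTS.include?(e) }
  return [:reject, "executable extension #{bad}"] if bad
  return [:reject, 'double extension'] if exts.size > 1
  return [:reject, "extension #{exts.last} not allowed"] unless ALLOWED_EXTS.include?(exts.last)

  [:ok, exts.last]
end

# Store an accepted upload under a random server-chosen name in store_dir,
# which is assumed NOT to be served by the web server. The client's name is
# never used on disk, so even a validator bypass cannot choose the path.
def store_upload(store_dir, client_filename, data)
  status, detail = classify_upload(client_filename)
  raise ArgumentError, "rejected #{client_filename.inspect}: #{detail}" unless status == :ok

  FileUtils.mkdir_p(store_dir)
  path = File.join(store_dir, "#{SecureRandom.hex(16)}.#{detail}")
  # O_EXCL: refuse to overwrite if the random name already exists.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  path
end
```

The rejection reasons are returned rather than logged so a caller can map them to a generic client error and keep the detail server-side.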
Tom Sawyer Software GET Extension Factory Remote Code Execution
This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware...
HP StorageWorks P4000 Virtual SAN Appliance Command Execution
This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838.
Distinct TFTP 3.10 Writable Directory Traversal Execution
This module exploits a directory traversal vulnerability in the TFTP Server component of Distinct Intranet Servers version 3.10 which allows a remote attacker to write arbitrary files to the server file system, resulting in code execution under the context of 'SYSTEM'. This module has been tested...
OS X Gather Airport Wireless Preferences
This module will download OS X Airport Wireless preferences from the victim machine. The preferences file (a plist) contains information such as SSID, channels, security type, password ID, etc.
FreeBSD Telnet Service Encryption Key ID Buffer Overflow
This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service.
Windows Gather RazorSQL Credentials
This module collects the username, password, type, host, port, database and name stored in RazorSQL's profiles.txt.
phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt software. This vulnerability is only exploitable when the magic_quotes_gpc PHP option is 'off'. Authentication is not required to exploit the bug. Version 1.2.10 and earlier of phpScheduleIt are affected. This module...
HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution
This module allows remote attackers to place arbitrary files on a user's file system by abusing, via a directory traversal attack, the "saveXML" method of the "XMLSimpleAccessor" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by...
Windows Manage Run Command As User
This module will log in with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default; by setting CMDOUT to true, output will be redirected to a temp file and read back in to display. By setting the advanced option SETPASS to true, it will...
Custom Payload
Use a custom string or file as the payload. Set either PAYLOADFILE or PAYLOADSTR.
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory...
HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function. The static-sized stack...
Linux Add User
Create a new user with UID 0 by adding an entry to /etc/passwd.
Citrix Access Gateway Command Execution
The Citrix Access Gateway provides support for multiple authentication types. When utilizing the external legacy NTLM authentication module known as ntlm_authenticator, the Access Gateway spawns the Samba 'samedit' command line utility to verify a user's identity and password. By embedding shell...
EnjoySAP SAP GUI ActiveX Control Arbitrary File Download
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "CompDownload" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41).
AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow
This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This module was tested successfully against master.exe as included with Real Network'...
MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS...
Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Audiotran 1.4.1. An attacker must send the file to the victim, and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Audiotran...
MySQL yaSSL SSL Hello Message Buffer Overflow
This module exploits a stack buffer overflow in the yaSSL 1.7.5 and earlier implementation bundled with MySQL.
Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE
This module exploits a SQL injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
DD-WRT HTTP Daemon Arbitrary Command Execution
This module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account.
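The VICIdial (passthru), Citrix Access Gateway (samedit) and DD-WRT entries above are all the same bug class: user input is spliced into a command string that a shell then interprets. The Ruby below is an added example, not code from any of those products or from Metasploit; the `lookup_user_*` helper names, the username pattern and the constructed hostile input are assumptions for illustration. It runs the vulnerable and the hardened form side by side: a single command string goes through /bin/sh, so `;` starts a second command, whereas passing program and arguments as separate argv entries never involves a shell and the whole string arrives as one literal argument.

```ruby
require 'open3'

# Constructed sample input: a "username" carrying a shell metacharacter, the
# way a hostile login form value would reach the vulnerable code paths above.
HOSTILE_NAME = 'alice; echo INJECTED'.freeze

# Vulnerable pattern: input interpolated into one command string. Because the
# string contains shell metacharacters, Ruby hands it to /bin/sh, which
# honours ';', '|', '`...`', '$(...)' and friends.
def lookup_user_vulnerable(name)
  out, _status = Open3.capture2("echo user=#{name}")
  out
end

# Safe pattern: program and each argument as separate argv entries. The
# process is exec'd directly, so no shell parsing happens and the input is
# delivered verbatim as a single argument.
def lookup_user_safe(name)
  out, _status = Open3.capture2('echo', "user=#{name}")
  out
end

# Defence in depth for callers that cannot avoid a shell (e.g. a fixed
# external wrapper script): reject rather than try to escape. A short
# allow-list is far easier to get right than a deny-list of metacharacters.
USERNAME_RE = /\A[a-z0-9_.-]{1,32}\z/i

def validate_username!(name)
  raise ArgumentError, "invalid username: #{name.inspect}" unless name.match?(USERNAME_RE)
  name
end
```

`echo` stands in for the real helper (passthru target, samedit, ping) only so the example is harmless to run; the splitting behaviour is identical for any command.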
TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access
This module tests for a directory traversal vulnerability in the UpdateAgent function of the OfficeScanNT Listener (TmListen.exe) service in Trend Micro OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM via dot-dot sequences in an HTTP request.
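The Mutiny EditDocument, Distinct TFTP, HP Easy Printer saveXML and OfficeScan UpdateAgent entries above all turn on the same missing check: a client-supplied relative path is joined to a base directory without confirming the result still lies inside it. The Ruby below is an added example, not code from any of those products or from Metasploit; the `resolve_under` name and the `/var/www` base are assumptions for illustration. It goes slightly beyond the literal "dot dot" case in the descriptions by also decoding percent-encoded and double-encoded segments and normalising backslashes before the containment check, since those are the usual ways a naive `..` filter is bypassed.

```ruby
require 'pathname'

# Resolve a client-supplied relative path against a fixed base directory and
# refuse anything that escapes it. Returns the resolved absolute path, or nil
# if the request would leave base_dir. Purely lexical: nothing is touched on
# disk, so it is also safe to use as a pre-check on write operations.
def resolve_under(base_dir, client_path)
  decoded = client_path.to_s

  # Percent-decode until stable (bounded), so "%252e%252e" -> "%2e%2e" -> "..".
  3.times do
    nxt = decoded.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    break if nxt == decoded
    decoded = nxt
  end

  # Windows-style separators and embedded NULs are both traversal helpers.
  decoded = decoded.tr('\\', '/')
  return nil if decoded.include?("\0")

  base = Pathname.new(base_dir).expand_path
  # Strip leading slashes so an absolute client path cannot replace base,
  # then let Pathname collapse "." and ".." segments lexically.
  candidate = (base + decoded.sub(%r{\A/+}, '')).cleanpath

  # The decisive check: after normalisation the result must still be below base.
  rel = candidate.relative_path_from(base).to_s
  return nil if rel == '..' || rel.start_with?('../')

  candidate.to_s
end
```

Checking containment on the normalised result is what matters; rejecting the literal string `..` on the raw input, as the vulnerable services effectively did or failed to do, is what the encoded variants defeat.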
PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
This module exploits an integer overflow vulnerability in the unserialize function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies to all previous versions supporting this function. This particular module targets numerous web applications and is...
Anonymous FTP Access Detection
Detect anonymous read/write FTP server access.
WinComLPD Buffer Overflow
This module exploits a stack buffer overflow in WinComLPD. References: CVE-2008-5159, OSVDB 42861, BID 27614.
Apple QuickTime 7.3 RTSP Response Header Buffer Overflow
This module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long RTSP response to a client, an attacker may be able to execute arbitrary code.
Savant 3.1 Web Server Overflow
This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads for a default install. Each exploit attempt generally causes a thread to die whether successful or not. Therefore, in a default configuration, you only have 10 chances. Due to the...
PSO Proxy v0.91 Stack Buffer Overflow
This module exploits a buffer overflow in the PSO Proxy v0.91 web server. If a client sends an excessively long string, the stack is overwritten.
Novell NetMail IMAP STATUS Buffer Overflow
This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution.
Novell eDirectory NDS Server Host Header Overflow
This module exploits a stack buffer overflow in Novell eDirectory 8.8.1. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect.
HP-UX LPD Command Execution
This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target...
Linux Add User
Create a new user with UID 0 by adding an entry to /etc/passwd.
Jump/Call XOR Additive Feedback Encoder
Jump/Call XOR Additive Feedback encoder. Author: skape.
Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager
Custom shellcode stage. Connect back to the attacker via a named pipe pivot.