Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include 'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun', 'Description' = %q This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include MSFLICENSE, 'Author'...
Generic Emailer (SMTP)
This module can be used to automate email delivery. This code is based on Joshua Abraham's email script for social engineering. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'yaml' class MetasploitModule...
Foxit Reader Authorization Bypass
This module exploits an authorization bypass vulnerability in Foxit Reader build 1120. When an attacker creates a specially crafted pdf file containing an Open/Execute action, arbitrary commands can be executed without confirmation from the victim. This module requires Metasploit:...
Adobe Collab.getIcon() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include 'Adobe Collab.getIcon Buffer Overflow', 'Description' = %q This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include MSFLICENSE, 'Author' = 'MC', 'Didier...
Adobe util.printf() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 'Adobe util.printf Buffer Overflow', 'Description' = %q This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional MSFLICENSE, 'Author' = 'MC', 'Didier Stevens ' , 'References' = 'CVE'...
VERITAS NetBackup Remote Command Execution
This module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. The port is opened and allows direct console access as root or SYSTEM from any source address. This module requires Metasploit: https://metasploit.com/downloa...
Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow
This module exploits a stack buffer overflow in Mercury/32 'Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow', 'Description' = %q This module exploits a stack buffer overflow in Mercury/32 'mu-b', Discovery and exploit 'MC', Metasploit module 'Ivan Racic' Automatic targeting + egg hunter , 'License...
Samba lsa_io_trans_names Heap Overflow
This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses szone_free to overwrite the size or free pointer in the initial_malloc_zones structure. This module requires Metasploit: https://metasploit.com/download Current source:...
Veritas Backup Exec Windows Remote File Access
This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted b...
Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution
This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request. This module requires...
MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow',...
Solaris in.telnetd TTYPROMPT Buffer Overflow
This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solaris in.telnetd TTYPROMPT...
War-FTPD 1.65 Username Overflow
This module exploits a buffer overflow found in the USER command of War-FTPD 1.65. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'War-FTPD 1.65 Username Overflow', 'Description' = %q This modu...
Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE loader will execute the pre-mapped PE image starting from the address of entry after performing image base relocation and API address resolution. This module requires a PE file that contains...
Cisco 7937G SSH Privilege Escalation
This module exploits a feature that should not be available via the web interface. An unauthenticated user may change the credentials for SSH access to any username and password combination desired, giving access to administrative functions through an SSH connection. Module Options msf use...
ATutor 2.2.4 - Directory Traversal / Remote Code Execution
This module exploits an arbitrary file upload vulnerability together with a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in order to execute arbitrary commands. It first creates a zip archive containing a malicious PHP file. The zip archive takes advantage of a directory...
OpenMRS Java Deserialization RCE
OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the webservices.rest module used in OpenMRS Platform. Unauthenticated remote code execution can be achieved by sending a malicious XML payload ...
FreeSWITCH Event Socket Command Execution
This module uses the FreeSWITCH event socket interface to execute system commands using the system API command. The event socket service is enabled by default and listens on TCP port 8021 on the local network interface. This module has been tested successfully on FreeSWITCH versions:...
Ajenti auth username Command Injection
This module exploits a command injection in Ajenti == 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Test SSH Github Access
This module will attempt to test remote Git access using .ssh/id private keys. This works against GitHub and GitLab by default, but can easily be extended to support more server types. This module requires Metasploit: https://metasploit.com/download Current source:...
Metasploit HTTP(S) handler DoS
This module exploits the Metasploit HTTPS handler by sending a specially crafted HTTP request that gets added as a resource handler. Resources which come from the external connections are evaluated as RegEx in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS. Test...
Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload
This module exploits an authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. To successfully execute the upload, credentials are needed; by default, trial accounts are enabled on Ahsay Backup, so an account can be created. It can be exploited in Windows and Linux...
Ubiquiti Discovery Scanner
Detects Ubiquiti devices using a UDP discovery service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ubiquiti Discovery Scanner', 'Description' = 'Detects Ubiquiti devices using a UDP discove...
Mac OS X libxpc MITM Privilege Escalation
This module exploits a vulnerability in libxpc on macOS 'Mac OS X libxpc MITM Privilege Escalation', 'Description' = %q This module exploits a vulnerability in libxpc on macOS <= 10.13.3. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with...
iOS Text Gatherer
This module collects text messages from iPhones. Tested on iOS 10.3.3 on an iPhone 5. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'iOS Text Gatherer', 'Description' = %q This module collects...
WebExec Authenticated User Code Execution
This module uses a valid username and password of any level, or a password hash, to execute an arbitrary payload. This module is similar to the "psexec" module, except that it allows any non-guest account by default. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Persistent Service Installer
This module generates and uploads an executable to a remote host, then installs it as a persistent service. It creates a new service which starts the payload whenever the service is running. Admin or system privilege is required. This module requires Metasploit:...
Netgear Devices Unauthenticated Remote Command Execution
From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands. Th...
Open a file or URL on the target computer
This module will open any file or URL specified with the URI format on the target computer via the embedded commands such as 'open' or 'xdg-open'. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
HTTP Client LAN IP Address Gather
This module retrieves a browser's network interface IP addresses using WebRTC. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Client LAN IP Address Gather', 'Description' = %q This module...
Etcd Version Scanner
This module connects to etcd API endpoints, typically on 2379/TCP, and attempts to obtain the version of etcd. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Etcd Version Scanner',...
Atlassian Jira Authenticated Upload Code Execution
This module can be used to execute a payload on Atlassian Jira via the Universal Plugin Manager (UPM). The module requires valid login credentials to an account that has access to the plugin manager. The payload is uploaded as a JAR archive containing a servlet using a POST request against the UPM...
ABRT raceabrt Privilege Escalation
This module attempts to gain root privileges on Linux systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on...
HPE iMC dbman RestartDB Unauthenticated RCE
This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008); however, the instance ID is not...
Linksys WVBR0-25 User-Agent Command Execution
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie cable boxes to the Genie DVR, is vulnerable to OS command injection in version 'Linksys WVBR0-25 User-Agent Command Execution', 'Description' = %q The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to...
Mako Server v2.5, 2.6 OS Command Injection RCE
This module exploits a vulnerability found in Mako Server v2.5, 2.6. It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victim's machine and can be executed by sending a GET request to manage.lsp. Th...
Cisco IOS Telnet Denial of Service
This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches. Tested against Cisco Catalyst 2960 and 3750. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Gnome-Keyring Dump
Use libgnome-keyring to extract network passwords for the current user. This module does not require root privileges to run. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'bindata' class MetasploitModule...
Launches Hosts in AWS
This module will attempt to launch AWS EC2 instances. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/aws/client' class MetasploitModule "Launches Hosts in AWS", 'Description'...
Kerberos Domain User Enumeration
This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes the different responses returned by the service for valid and invalid users. This module can also detect accounts that are vulnerable to ASREPRoast attacks. This module requires Metasploit:...
PhoenixContact PLC Remote START/STOP Command
PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS. They communicate using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. The protocol allows a remote user to read out the PLC Type, Firmware and Build number on port TCP/1962, and also to read out the CPU...
OWA Exchange Web Services (EWS) Login Scanner
This module attempts to log in to the Exchange Web Services, often exposed at https://example.com/ews/, using NTLM authentication. This method is faster and simpler than traditional form-based logins. In most cases, all you need to set is RHOSTS and some combination of user/pass files; the...
Wordpress XML-RPC system.multicall Credential Collector
This module attempts to find Wordpress credentials by abusing the XMLRPC APIs. Wordpress versions prior to 4.4.1 are suitable for this type of technique. For newer versions, the script will drop the CHUNKSIZE to 1 automatically. This module requires Metasploit: https://metasploit.com/download...
Windows Meterpreter Shell, Reverse TCP Inline
Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 177734 include Msf::Payload::TransportConf...
Simple Backdoor Shell Remote Code Execution
This module exploits unauthenticated simple web backdoor shells by leveraging the common backdoor shell's vulnerable parameter to execute commands. The SecLists project of Daniel Miessler and Jason Haddix has a lot of samples for these kinds of backdoor shells, which are categorized under Payloads...
Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation
In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment variable is used for redirecting logging data to a file instead of stderr. Due to a design error, this feature can be abused by a local attacker to write arbitrary files as root via restricted, SUID-root binaries. This module requir...
Apple OS X Entitlements Rootpipe Privilege Escalation
This module exploits the rootpipe vulnerability and bypasses Apple's initial fix for the issue by injecting code into a process with the 'admin.writeconfig' entitlement. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Airties login-cgi Buffer Overflow
This module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parameters. The vulnerability doesn't require authentication. This module has been tested successfully on the...
Windows Command Shell, Hidden Bind Ipknock TCP Stager
Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP works as an authentication method; it can be spoofed with tools like hping. After that, the shellcode can be retrieved from any IP. The socket will appear as...
MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed. The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute o...