
6846 matches found

Metasploit
•added 2012/04/14 5:12 a.m.•34 views

GSM SIM Editor 5.15 Buffer Overflow

This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current...

CVSS 10 • AI score 7.9 • EPSS 0.62663
Exploits: 6
Metasploit
•added 2012/03/15 7:22 p.m.•34 views

Linux Gather Protection Enumeration

This module checks whether popular system hardening mechanisms are in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also tries to find installed applications that can be used to hinder, prevent, or detect attacks, such as tripwire, snort, and apparmor. This module is meant to identif...

AI score 6.9
Exploits: 0
Metasploit
•added 2012/03/09 12:56 a.m.•34 views

Adobe Flash Player MP4 'cprt' Overflow

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "Iran's Oil and Nuclear...

CVSS 8.1 • AI score 7.5 • EPSS 0.9203
Exploits: 11
Metasploit
•added 2012/01/23 4:25 a.m.•34 views

Windows Manage Download and/or Execute

This module will download a file by importing urlmon via railgun. The user may also choose to execute the file with arguments via execstring. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

Exploits: 0
Metasploit
•added 2011/10/22 8:3 p.m.•34 views

SAP Management Console Get Process Parameters

This module simply attempts to output a SAP process parameters and configuration settings through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP...

AI score 7
Exploits: 0
Metasploit
•added 2011/10/03 9:5 p.m.•34 views

Windows Gather Enumerate Domain

This module identifies the primary Active Directory domain name and domain controller. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Enumerate Domain', 'Description' = %q This...

AI score 0.5
Exploits: 0
Metasploit
•added 2011/08/20 1:23 a.m.•34 views

Windows Gather IP Range Reverse Lookup

This module uses Railgun, calling the gethostbyaddr function to resolve a hostname to an IP...

AI score 7
Exploits: 0
Metasploit
•added 2011/08/15 4:28 p.m.•34 views

MYSQL Password Hashdump

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MYSQL Password Hashdump'...

AI score 7.5
Exploits: 0
Metasploit
•added 2011/08/10 5:48 p.m.•34 views

Windows Gather WS_FTP Saved Password Extraction

This module extracts weakly encrypted saved FTP Passwords from WS_FTP. It finds saved FTP connections in the ws_ftp.ini file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather WS_FTP...

AI score 0.4
Exploits: 0
Metasploit
•added 2011/07/28 10:39 p.m.•34 views

Multi Gather FileZilla FTP Client Credential Collection

This module will collect credentials from the FileZilla FTP client if it is installed. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rexml/document' class MetasploitModule 'Multi Gather FileZilla FTP Client...

AI score 7.1
Exploits: 0
Metasploit
•added 2011/06/23 3:43 p.m.•34 views

Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)

This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered by binaryhouse.net. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

CVSS 9.3 • AI score 0.5 • EPSS 0.32961
Exploits: 10
Metasploit
•added 2011/05/04 7:17 p.m.•34 views

MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free

This module exploits a memory corruption vulnerability within Microsoft's HTML engine mshtml. When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the...

CVSS 9.3 • AI score 0.5 • EPSS 0.81663
Exploits: 9
Metasploit
•added 2011/04/27 4:25 p.m.•34 views

Multi Gather Pidgin Instant Messenger Credential Collection

This module will collect credentials from the Pidgin IM client if it is installed. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rexml/document' class MetasploitModule 'Multi Gather Pidgin Instant Messenger...

AI score 7.1
Exploits: 0
Metasploit
•added 2011/04/11 10:9 p.m.•34 views

VeryTools Video Spirit Pro

This module exploits a stack buffer overflow in Video Spirit 'VeryTools Video Spirit Pro', 'Description' = %q This module exploits a stack buffer overflow in Video Spirit MSFLICENSE, 'Author' = 'Acidgen', found the vulnerability 'corelanc0d3r ', rop exploit + msf module , 'References' = 'CVE',...

CVSS 9.3 • AI score 8 • EPSS 0.31045
Exploits: 2
Metasploit
•added 2011/04/10 3:27 p.m.•34 views

ContentKeeper Web Appliance mimencode File Access

This module abuses the 'mimencode' binary present within ContentKeeper Web filtering appliances to retrieve arbitrary files outside of the webroot. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModul...

AI score 7.4
Exploits: 0
Metasploit
•added 2011/03/02 10:18 a.m.•34 views

SAP Management Console List Logfiles

This module simply attempts to output a list of available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SA...

AI score 7.2
Exploits: 0
Metasploit
•added 2011/03/02 10:18 a.m.•34 views

SAP Management Console getEnvironment

This module simply attempts to identify SAP Environment settings through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP Management Console...

AI score 7.2
Exploits: 0
Metasploit
•added 2011/03/02 10:18 a.m.•34 views

SAP Management Console Extract Users

This module simply attempts to extract SAP users from the ABAP Syslog through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP Management Console...

AI score 7.2
Exploits: 0
Metasploit
•added 2010/12/25 6:8 a.m.•34 views

SNMP Windows SMB Share Enumeration

This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SNMP Windows SMB Share Enumeration', 'Description...

AI score 7
Exploits: 0
Metasploit
•added 2010/11/24 1:44 p.m.•34 views

DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow

This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 Build 6.1.8.10. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 1.6 • EPSS 0.63573
Exploits: 12
Metasploit
•added 2010/10/25 8:21 p.m.•34 views

Sun Java Runtime New Plugin docbase Buffer Overflow

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a "launchjnlp"...

CVSS 10 • AI score 9.1 • EPSS 0.8074
Exploits: 8
Metasploit
•added 2010/03/11 5:49 a.m.•34 views

MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the "Operation Aurora" attacks that led to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the...

CVSS 8.8 • AI score 8.8 • EPSS 0.91885
Exploits: 16
Metasploit
•added 2009/12/12 8:6 p.m.•34 views

HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 7.9 • EPSS 0.73694
Exploits: 5
Metasploit
•added 2009/11/09 4:27 a.m.•34 views

Rhinosoft Serv-U Session Cookie Buffer Overflow

This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. Sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 1 • EPSS 0.82932
Exploits: 2
Metasploit
•added 2009/07/28 1:43 p.m.•34 views

Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN

This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.OPEN package/function. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Oracle DB SQL...

AI score 7.5
Exploits: 0
Metasploit
•added 2009/06/29 2:13 p.m.•34 views

System V Derived /bin/login Extraneous Arguments Buffer Overflow

This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • AI score 0.7 • EPSS 0.88726
Exploits: 27
Metasploit
•added 2009/04/15 9:38 p.m.•34 views

Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application Gateway Whale Client. When sending an overly long string to CheckForUpdates method of WhlMgr.dll 3.1.502.64 an attacker may be able to execute arbitrary code. This module requires Metasploit:...

CVSS 9.3 • AI score 7.8 • EPSS 0.45535
Exploits: 6
Metasploit
•added 2009/03/08 8:9 a.m.•34 views

Microsoft SRV.SYS WriteAndX Invalid DataOffset

This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.1 • AI score 6.8 • EPSS 0.49275
Exploits: 3
Metasploit
•added 2008/11/16 3:3 a.m.•34 views

X11 No-Auth Scanner

This module scans for X11 servers that allow anyone to connect without authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'X11 No-Auth Scanner', 'Description' = %q This module scans...

CVSS 10 • AI score 6.5 • EPSS 0.20978
Exploits: 3
Metasploit
•added 2008/11/13 9:45 a.m.•34 views

VERITAS NetBackup Remote Command Execution

This module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. The port is opened and allows direct console access as root or SYSTEM from any source address. This module requires Metasploit: https://metasploit.com/downloa...

CVSS 6 • AI score 0.8 • EPSS 0.09863
Exploits: 6
Metasploit
•added 2007/07/06 1:22 a.m.•34 views

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free to overwrite the size or free pointer in initial_malloc_zones structure. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 • EPSS 0.77806
Exploits: 23
Metasploit
•added 2007/02/18 12:10 a.m.•34 views

Veritas Backup Exec Windows Remote File Access

This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted b...

CVSS 10 • AI score 7.2 • EPSS 0.87026
Exploits: 3
Metasploit
•added 2007/02/15 7:13 p.m.•34 views

CA BrightStor ARCserve Message Engine Buffer Overflow

This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.5 • AI score 7.8 • EPSS 0.68809
Exploits: 16
Metasploit
•added 2007/01/07 7:54 a.m.•34 views

Private Wire Gateway Buffer Overflow

This exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This file may only be distributed as part of the Metasploit...

CVSS 7.5 • AI score 0.7 • EPSS 0.61627
Exploits: 4
Metasploit
•added 2006/12/14 2:20 a.m.•34 views

PuTTY Buffer Overflow

This module exploits a buffer overflow in the PuTTY SSH client that is triggered through a validation error in SSH.c. This vulnerability affects versions 0.53 and earlier. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...

CVSS 10 • AI score 7.8 • EPSS 0.80233
Exploits: 6
Metasploit
•added 2006/09/13 6:28 a.m.•34 views

Microsoft IIS ISAPI w3who.dll Query String Overflow

This module exploits a stack buffer overflow in the w3who.dll ISAPI application. This vulnerability was discovered by Nicolas Gregoire and this code has been successfully tested against Windows 2000 and Windows XP SP2. When exploiting Windows XP, the payload must call RevertToSelf before it will be...

CVSS 10 • AI score 7.5 • EPSS 0.72326
Exploits: 5
Metasploit
•added 2006/09/12 6:5 a.m.•34 views

NIPrint LPD Request Overflow

This module exploits a stack buffer overflow in the Network Instrument NIPrint LPD service. Inspired by Immunity's VisualSploit :- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'NIPrint LPD...

CVSS 7.5 • AI score 7.8 • EPSS 0.68318
Exploits: 5
Metasploit
•added 2006/05/06 4:34 p.m.•34 views

Solaris in.telnetd TTYPROMPT Buffer Overflow

This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solaris in.telnetd TTYPROMPT...

CVSS 10 • AI score 0.5 • EPSS 0.88726
Exploits: 27
Metasploit
•added 2006/01/21 10:10 p.m.•34 views

MS02-018 Microsoft IIS 4.0 .HTR Path Overflow

This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server wi...

CVSS 10 • AI score 7.2 • EPSS 0.78099
Exploits: 5
Metasploit
•added 2021/12/29 5:42 p.m.•33 views

Native LDAP Server (Example)

This module provides a Rex based LDAP service to expose the native Rex LDAP server functionality created during log4shell development. Module Options msf use auxiliary/server/ldap msf auxiliaryldap show actions ...actions... msf auxiliaryldap set ACTION msf auxiliaryldap show options ...show and...

AI score 7
Exploits: 0
Metasploit
•added 2021/03/19 5:42 p.m.•33 views

Win32k ConsoleControl Offset Confusion

A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This...

CVSS 7.8 • AI score 7.3 • EPSS 0.80968
Exploits: 40
Metasploit
•added 2020/12/22 5:41 p.m.•33 views

Shodan Host Port

This module uses the shodan API to return all port information found on a given host IP. Module Options msf use auxiliary/gather/shodanhost msf auxiliaryshodanhost show actions ...actions... msf auxiliaryshodanhost set ACTION msf auxiliaryshodanhost show options ...show and set options... msf...

AI score 6.8
Exploits: 0
Metasploit
•added 2020/01/14 2:25 a.m.•33 views

Citrix ADC (NetScaler) Directory Traversal RCE

This module exploits a directory traversal in Citrix Application Delivery Controller ADC, aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload...

AI score 7.5
Exploits: 0
Metasploit
•added 2018/10/22 11:32 p.m.•33 views

Morris Worm fingerd Stack Buffer Overflow

This module exploits a stack buffer overflow in fingerd on 4.3BSD. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently, only bsd/vax/shell_reverse_tcp is supported. This module requires Metasploit:...

AI score 7.8
Exploits: 0
Metasploit
•added 2018/06/22 4:18 p.m.•33 views

HTTP SickRage Password Leak

SickRage 'HTTP SickRage Password Leak', 'Description' = %q SickRage 'Sven Fassbender', EDB POC 'Shelby Pace' Metasploit Module , 'License' = MSFLICENSE, 'References' = 'CVE', '2018-9160', 'EDB', '44545' , 'DisclosureDate' = '2018-03-08' registeroptions OptString.new'TARGETURI', true, 'Optional pa...

CVSS 9.8 • AI score 6.7 • EPSS 0.76519
Exploits: 7
Metasploit
•added 2018/05/30 12:0 a.m.•33 views

John the Ripper Password Cracker (Fast Mode)

This module uses John the Ripper to identify weak passwords that have been acquired as hashed files loot or raw LANMAN/NTLM hashes hashdump. The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be...

AI score 1.1
Exploits: 0
Metasploit
•added 2018/05/01 2:20 a.m.•33 views

Nagios XI Chained Remote Code Execution

This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The...

CVSS 9.8 • AI score 0.2 • EPSS 0.64172
Exploits: 12
Metasploit
•added 2018/02/12 1:56 a.m.•33 views

Windows Meterpreter Shell, Bind Named Pipe Inline

Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 177734 include Msf::Payload::TransportConfig...

AI score 7.3
Exploits: 0
Metasploit
•added 2018/01/17 3:5 a.m.•33 views

Open WAN-to-LAN proxy on AT&T routers

The Arris NVG589 and NVG599 routers configured with AT&T U-verse firmware 9.2.2h0d83 expose an un-authenticated proxy that allows connecting from WAN to LAN by MAC address. #!/usr/bin/env python3 from metasploit import module, probescanner metadata = 'name': 'Open WAN-to-LAN proxy on AT&T routers',...

AI score 7.3
Exploits: 0
Metasploit
•added 2017/12/28 10:21 p.m.•33 views

Unix Command Shell, Reverse TCP (stub)

Creates an interactive shell through an inbound connection stub only, no payload This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 0 include Msf::Payload::Single include...

Exploits: 0

Total number of security vulnerabilities: 5000