Metasploit | Most viewed

6846 matches found

Metasploit
•added 2018/06/22 4:18 p.m.•33 views

HTTP SickRage Password Leak

SickRage 'HTTP SickRage Password Leak', 'Description' = %q SickRage 'Sven Fassbender', EDB POC 'Shelby Pace' Metasploit Module , 'License' = MSFLICENSE, 'References' = 'CVE', '2018-9160', 'EDB', '44545' , 'DisclosureDate' = '2018-03-08' registeroptions OptString.new'TARGETURI', true, 'Optional pa...

CVSS 9.8 | AI score 6.7 | EPSS 0.76519
Exploits: 7
Metasploit
•added 2018/05/30 12:0 a.m.•33 views

John the Ripper Password Cracker (Fast Mode)

This module uses John the Ripper to identify weak passwords that have been acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be...

AI score 1.1
Exploits: 0
Metasploit
•added 2018/05/01 2:20 a.m.•33 views

Nagios XI Chained Remote Code Execution

This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The...

CVSS 9.8 | AI score 0.2 | EPSS 0.64172
Exploits: 12
Metasploit
•added 2018/02/12 1:56 a.m.•33 views

Windows Meterpreter Shell, Bind Named Pipe Inline

Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 177734 include Msf::Payload::TransportConfig...

AI score 7.3
Exploits: 0
Metasploit
•added 2018/01/17 3:5 a.m.•33 views

Open WAN-to-LAN proxy on AT&T routers

The Arris NVG589 and NVG599 routers configured with AT&T U-verse firmware 9.2.2h0d83 expose an unauthenticated proxy that allows connecting from WAN to LAN by MAC address. #!/usr/bin/env python3 from metasploit import module, probescanner metadata = 'name': 'Open WAN-to-LAN proxy on AT&T routers',...

AI score 7.3
Exploits: 0
Metasploit
•added 2017/12/28 10:21 p.m.•33 views

Unix Command Shell, Reverse TCP (stub)

Creates an interactive shell through an inbound connection (stub only, no payload). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 0 include Msf::Payload::Single include...

Exploits: 0
Metasploit
•added 2017/12/08 7:53 p.m.•33 views

Samsung Internet Browser SOP Bypass

This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up. Thi...

CVSS 7.5 | AI score 0.2 | EPSS 0.78843
Exploits: 7
Metasploit
•added 2017/11/10 9:28 p.m.•33 views

Mako Server v2.5, 2.6 OS Command Injection RCE

This module exploits a vulnerability found in Mako Server v2.5, 2.6. It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victim's machine and can be executed by sending a GET request to manage.lsp. Th...

AI score 0.6
Exploits: 0
Metasploit
•added 2017/11/08 4:59 p.m.•33 views

HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution

This module exploits a remote command execution vulnerability in HP LoadRunner before 9.50 and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are also most likely vulnerable if the non-default SSL option is turned off. By sending a specially crafted packet, an attack...

CVSS 10 | AI score 0.9 | EPSS 0.78962
Exploits: 5
Metasploit
•added 2017/01/07 3:51 a.m.•33 views

Sample Module to Flood Temp Gauge on 2006 Malibu

Simple sample temp flood for the 2006 Malibu This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Sample Module to Flood Temp Gauge on 2006 Malibu', 'Description' = %q Simple sample temp flood for t...

AI score 7.4
Exploits: 0
Metasploit
•added 2017/01/07 3:51 a.m.•33 views

Hardware Bridge Session Connector

The Hardware Bridge (HWBridge) is a standardized method for Metasploit to interact with Hardware Devices. This extends the normal exploit capabilities to the non-ethernet realm and enables direct hardware and alternative bus manipulations. You must have compatible bridging hardware attached to this...

AI score 6.8
Exploits: 0
Metasploit
•added 2016/09/30 1:35 p.m.•34 views

Gather AWS EC2 Instance Metadata

This module will attempt to connect to the AWS EC2 instance metadata service and crawl and collect all metadata known about the session'd host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

AI score 7
Exploits: 0
Metasploit
•added 2016/09/28 6:55 p.m.•33 views

MYSQL Directory Write Test

Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more information see the URL in the references. Note: For every writable directory found, a file with the specified FILENAME containing the text test will be written to the directory. This module requires Metasploit...

AI score 7
Exploits: 0
Metasploit
•added 2016/06/21 1:45 a.m.•33 views

Cron Persistence

This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. syslog will get a copy of the cron entry. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 0.1
Exploits: 0
Metasploit
•added 2016/04/30 4:0 p.m.•33 views

Apache Struts Dynamic Method Invocation Remote Code Execution

This module exploits a remote command execution vulnerability in Apache Struts versions between 2.3.20 and 2.3.28, except 2.3.20.2 and 2.3.24.2. Remote Code Execution can be performed via the method: prefix when Dynamic Method Invocation is enabled. This module requires Metasploit:...

CVSS 8.1 | AI score 0.9 | EPSS 0.9416
Exploits: 12
Metasploit
•added 2015/09/08 5:8 a.m.•33 views

Simple Backdoor Shell Remote Code Execution

This module exploits unauthenticated simple web backdoor shells by leveraging the common backdoor shell's vulnerable parameter to execute commands. The SecLists project of Daniel Miessler and Jason Haddix has a lot of samples for these kinds of backdoor shells, which are categorized under Payloads...

AI score 7.5
Exploits: 0
Metasploit
•added 2015/05/11 7:24 a.m.•33 views

Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)

Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows x64 wininet). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

AI score 7.8
Exploits: 0
Metasploit
•added 2015/03/23 7:15 a.m.•33 views

WordPress W3 Total Cache PHP Code Execution

This module exploits a PHP Code Injection vulnerability against WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PH...

CVSS 9.8 | AI score 8.1 | EPSS 0.73862
Exploits: 4
Metasploit
•added 2015/03/18 8:18 a.m.•33 views

OpenNMS Authenticated XXE

OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface. Although this attack requires authentication, there are several factors that increase the severity of this vulnerability. 1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty...

AI score 7.4
Exploits: 2
Metasploit
•added 2015/02/18 6:22 p.m.•33 views

Publish-It PUI Buffer Overflow (SEH)

This module exploits a stack based buffer overflow in Publish-It when processing a specially crafted .PUI file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Publish-It to open a malicious .PUI file. This module...

CVSS 9.3 | AI score 10 | EPSS 0.40359
Exploits: 11
Metasploit
•added 2015/01/31 9:2 p.m.•33 views

WordPress Platform Theme File Upload Vulnerability

The WordPress Theme "platform" contains a remote code execution vulnerability through an unchecked admin_init call. The theme includes the uploaded file from its temp filename with PHP's include function. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 0.1
Exploits: 0
Metasploit
•added 2015/01/14 4:54 p.m.•33 views

McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure

This module will exploit an authenticated XXE vulnerability to read the keystore.properties off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is set as the same password as the database 's...

CVSS 5 | AI score 0.4 | EPSS 0.17355
Exploits: 4
Metasploit
•added 2014/11/17 6:38 p.m.•33 views

Windows Gather Outlook Email Messages

This module allows reading and searching email messages from the local Outlook installation using PowerShell. Please note that this module is manipulating the victim's keyboard/mouse. If a victim is active on the target system, he may notice the activities of this module. Tested on Windows 8.1 x64...

AI score 6.7
Exploits: 0
Metasploit
•added 2014/11/05 8:12 p.m.•33 views

ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure

ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First th...

CVSS 7.5 | AI score 7.9 | EPSS 0.72757
Exploits: 10
Metasploit
•added 2014/05/24 5:53 p.m.•33 views

Wireshark CAPWAP Dissector DoS

This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a packet correctly when an incorrect length is given. This module requires Metasploit:...

CVSS 5 | AI score 6.4 | EPSS 0.60643
Exploits: 7
Metasploit
•added 2014/04/04 8:16 a.m.•33 views

Vtiger Install Unauthenticated Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the Vtiger install script. This module is set to ManualRanking due to this module overwriting the target database configuration, which may result in a broken web app, and you may not be able to get a session again. This module...

CVSS 6.4 | AI score 0.8 | EPSS 0.31212
Exploits: 10
Metasploit
•added 2014/03/06 1:35 a.m.•33 views

Reflective DLL Injection, Reverse HTTP Stager Proxy

Inject a DLL via a reflective loader. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 665 include Msf::Payload::Stager include Msf::Payload::Windows...

AI score 0.6
Exploits: 0
Metasploit
•added 2014/02/17 9:31 p.m.•33 views

Firefox Exec Shellcode from Privileged Javascript Shell

This module allows execution of native payloads from a privileged Firefox Javascript shell. It places the specified payload into memory, adds the necessary protection flags, and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter session without touching the...

AI score 7.3
Exploits: 0
Metasploit
•added 2014/01/21 5:8 p.m.•33 views

Windows Gather Active Directory Service Principal Names

This module will enumerate servicePrincipalName in the default AD directory where the user is a member of the Domain Admins group. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather...

AI score 6.9
Exploits: 0
Metasploit
•added 2013/12/13 11:7 p.m.•33 views

Windows Manage Driver Loader

This module loads a KMD (Kernel Mode Driver) using the Windows Service API. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SERVICEDEMANDSTART', 'boot' = 'SERVICEBOOTSTART', 'auto' =...

AI score 0.4
Exploits: 0
Metasploit
•added 2013/11/13 10:21 a.m.•33 views

OSX Network Share Mounter

This module lists saved network shares and tries to connect to them using stored credentials. This does not require root privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OSX Network...

AI score 6.9
Exploits: 0
Metasploit
•added 2013/10/13 7:42 p.m.•33 views

D-Link User-Agent Backdoor Scanner

This module attempts to find D-Link devices running Alphanetworks web interfaces affected by the backdoor found on the User-Agent header. This module has been tested successfully on a DIR-100 device with firmware version v1.13. This module requires Metasploit: https://metasploit.com/download...

AI score 7
Exploits: 0
Metasploit
•added 2013/09/13 9:40 p.m.•33 views

HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload

This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary files, taking into account that binary writes aren't allowed. Additionally, authentication can be bypassed in order to uploa...

CVSS 10 | AI score 7.3 | EPSS 0.51903
Exploits: 10
Metasploit
•added 2013/08/22 11:15 p.m.•33 views

Firefox XMLSerializer Use After Free

This module exploits a vulnerability found on Firefox 17.0 'Firefox XMLSerializer Use After Free', 'Description' = %q This module exploits a vulnerability found on Firefox 17.0 MSFLICENSE, 'Author' = 'regenrecht', Vulnerability Discovery, Analysis and PoC 'juan vazquez' Metasploit module ,...

CVSS 9.3 | AI score 9.6 | EPSS 0.51324
Exploits: 8
Metasploit
•added 2013/08/21 5:47 p.m.•33 views

Oracle Endeca Server Remote Command Execution

This module exploits a command injection vulnerability on the Oracle Endeca Server 7.4.0. The vulnerability exists on the createDataStore method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. In addition, t...

CVSS 5.5 | AI score 7.4 | EPSS 0.5984
Exploits: 8
Metasploit
•added 2013/06/17 9:13 p.m.•33 views

MoinMoin twikidraw Action Traversal File Upload

This module exploits a vulnerability in MoinMoin 1.9.5. The vulnerability exists in the handling of the twikidraw actions, where a traversal path can be used in order to upload arbitrary files. Exploitation is achieved on Apache/mod_wsgi configurations by overwriting moin.wsgi, which allows to...

CVSS 6 | AI score 7.1 | EPSS 0.30566
Exploits: 7
Metasploit
•added 2013/06/12 12:37 p.m.•33 views

MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow

This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8. It uses eith...

CVSS 8.8 | AI score 7 | EPSS 0.73918
Exploits: 9
Metasploit
•added 2013/04/02 10:21 p.m.•33 views

HP Intelligent Management FaultDownloadServlet Directory Traversal

This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the FaultDownloadServlet, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over...

CVSS 7.5 | AI score 0.2 | EPSS 0.21014
Exploits: 2
Metasploit
•added 2013/03/11 5:4 p.m.•33 views

Unix Command Shell, Bind TCP (via netcat -e) IPv6

Listen for a connection and spawn a command shell via netcat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 25 include Msf::Payload::Single include...

AI score 7.2
Exploits: 0
Metasploit
•added 2013/03/03 12:23 p.m.•33 views

Viscosity setuid-set ViscosityHelper Privilege Escalation

This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where an insufficient validation of path names allows execution of arbitrary python code as root. This module has been tested successfully on Viscosity 1.4.1 over Mac OS X...

CVSS 9.8 | AI score 7.3 | EPSS 0.69523
Exploits: 6
Metasploit
•added 2013/02/17 7:25 p.m.•33 views

BigAnt Server DUPF Command Arbitrary File Upload

This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7. A lack of authentication allows unauthenticated file uploads through a DUPF command. Additionally, the filename option in the same command can be used to launch a directory traversal attack and achieve arbitrar...

CVSS 5 | AI score 7.9 | EPSS 0.46868
Exploits: 8
Metasploit
•added 2013/01/14 12:50 p.m.•33 views

Windows Gather BulletProof FTP Client Saved Password Extraction

This module extracts information from BulletProof FTP Bookmarks files and stores retrieved credentials in the database. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather BulletProof...

AI score 6.9
Exploits: 0
Metasploit
•added 2012/11/03 10:44 p.m.•33 views

Digi RealPort Serial Server Port Scanner

Identify active ports on RealPort-enabled serial servers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Digi RealPort Serial Server Port Scanner', 'Description' = 'Identify active ports on...

AI score 7.1
Exploits: 0
Metasploit
•added 2012/09/19 9:59 p.m.•33 views

OS X x64 Shell Reverse TCP

Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 128 include Msf::Payload::Single include Msf::Payload::Osx include...

AI score 7
Exploits: 0
Metasploit
•added 2012/08/23 4:29 p.m.•33 views

Zabbix Server Arbitrary Command Execution

This module abuses the "Command" trap in Zabbix Server to execute arbitrary commands without authentication. By default the Node ID "0" is used; if it doesn't work, the Node ID is leaked from the error message and exploitation retried. According to the vendor, versions prior to 1.6.9 are vulnerabl...

CVSS 6.8 | AI score 8.1 | EPSS 0.31915
Exploits: 4
Metasploit
•added 2012/08/13 7:0 a.m.•33 views

TestLink v1.9.3 Arbitrary File Upload Vulnerability

This module exploits a vulnerability in TestLink version 1.9.3 or prior. This application has an upload feature that allows any authenticated user to upload arbitrary files to the '/uploadarea/nodeshierarchy/' directory with a randomized file name. The file name can be retrieved from the database...

CVSS 6.5 | AI score 7 | EPSS 0.05837
Exploits: 3
Metasploit
•added 2012/08/08 8:3 a.m.•33 views

OS X Gather Keychain Enumeration

This module presents a way to quickly go through the current user's keychains and collect data such as email accounts, servers, and other services. Please note: when using the GETPASS and GETPASSAUTOACCEPT option, the user may see an authentication alert flash briefly on their screen that gets...

AI score 7.1
Exploits: 0
Metasploit
•added 2012/08/05 4:20 p.m.•33 views

Multi Escalate Metasploit pcap_log Local Privilege Escalation

Metasploit 'Multi Escalate Metasploit pcap_log Local Privilege Escalation', 'Description' = %q Metasploit 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings, creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these filename...

AI score 6.8
Exploits: 0
Metasploit
•added 2012/06/14 10:29 p.m.•33 views

Avoid underscore/tolower

Underscore/tolower Safe Encoder used to exploit CVE-2012-2329. It is a modified version of the 'Avoid UTF8/tolower' encoder by skape. Please check the documentation of the skape encoder before using it. As the original, this encoder expects ECX pointing to the start of the encoded payload. Also...

CVSS 5 | AI score 6.3 | EPSS 0.62649
Exploits: 6
Metasploit
•added 2012/05/23 3:14 p.m.•33 views

OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow

This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on Microsoft Windows XP SP3. By supplying an OLE file with a malformed DocumentSummaryInformation stream, an attacker can gain control of the execution flow, which results in arbitrary code execution under the context of the user. Thi...

CVSS 9.3 | AI score 0.5 | EPSS 0.57015
Exploits: 10

Total number of security vulnerabilities: 5000