Network Associates PGP KeyServer 7 LDAP Buffer Overflow
This module exploits a stack buffer overflow in the LDAP service that is part of the NAI PGP Enterprise product suite. This module was tested against PGP KeyServer v7.0. Due to space restrictions, egghunter is used to find our payload - therefore you may wish to adjust WfsDelay. This module...
32bit FTP Client Stack Buffer Overflow
This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to download a file that has an overly long filename. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule '32bi...
Linux Execute Command
Execute an arbitrary command This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exec ---- Executes an arbitrary command. module MetasploitModule CachedSize = 29 include Msf::Payload::Single include...
Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. However, if a...
Microsoft Windows Shell LNK Code Execution
This module exploits a vulnerability in the handling of Windows Shortcut files .LNK that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path. This module requires Metasploit:...
Outlook ATTACH_BY_REF_RESOLVE File Execution
It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double...
Nginx Source Code Disclosure/Download
This module exploits a source code disclosure/download vulnerability in versions 0.7 and 0.8 of the nginx web server. Versions 0.7.66 and 0.8.40 correct this vulnerability. This module requires Metasploit: https://metasploit.com/download Current source:...
Samba trans2open Overflow (*BSD x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. This module requires Metasploit: https://metasploit.com/download Current source:...
Eureka Email 2.2q ERR Remote Buffer Overflow
This module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. NOTE: this exploit isn't very reliable. Unfortunately reaching the vulnerable code can only be done when manually checking mail Ctrl-M. Checking at startup will not...
Microsoft Windows EOT Font Table Directory Integer Overflow
This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer. This module requires...
Omni-NFS Server Buffer Overflow
This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2. When sending a specially crafted NFS packet, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution
This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule HttpClients::IE, In badly...
Nagios3 statuswml.cgi Ping Command Execution
This module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands. This module requires Metasploit: https://metasploit.com/download Current source:...
MDaemon WorldClient form2raw.cgi Stack Buffer Overflow
This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When the WorldClient HTTP server is installed (the default), a CGI script is provided to accept HTML FORM-based emails and deliver them via MDaemon.exe, by writing the CGI output to the Raw Queue. When...
Adobe Collab.collectEmailInfo() Buffer Overflow
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo call, an attacker may be able to execute arbitrary code. This module requires Metasploit:...
Mac OS X mDNSResponder UPnP Location Overflow
This module exploits a buffer overflow that occurs when processing specially crafted requests sent to mDNSResponder. All Mac OS X systems between version 10.4 and 10.4.9 without the 2007-005 patch are affected. This module requires Metasploit: https://metasploit.com/download Current source:...
Ruby WEBrick::HTTP::DefaultFileHandler DoS
The WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7 to 1.8.7-p71, and 1.9 to r18423 allows for a DoS CPU consumption via a crafted HTTP request. This module requires Metasploit: https://metasploit.com/download Current source:...
Generic PHP Code Evaluation
Exploits things like It is likely that HTTP evasion options will break this exploit. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Generic PHP Code Evaluation', 'Description' = %q Exploits...
McAfee ePolicy Orchestrator / ProtectionPilot Overflow
This is an exploit for the McAfee HTTP Server NAISERV.exe. McAfee ePolicy Orchestrator 2.5.1 'McAfee ePolicy Orchestrator / ProtectionPilot Overflow', 'Description' = %q This is an exploit for the McAfee HTTP Server NAISERV.exe. McAfee ePolicy Orchestrator 2.5.1 'muts ', 'xbxiceatyahoo.com', 'hdm...
CA iTechnology iGateway Debug Mode Buffer Overflow
This module exploits a vulnerability in the Computer Associates iTechnology iGateway component. When True is enabled in igateway.conf (non-default), it is possible to overwrite the stack and execute code remotely. This module works best with Ordinal payloads. This module requires Metasploit:...
Solaris sadmind Command Execution
This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include Solaris 2.7, 8, and 9. This module requires Metasploit:...
Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow
This module exploits a stack buffer overflow in the NetWare CIFS.NLM driver. Since the driver runs in the kernel space, a failed exploit attempt can cause the OS to reboot. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows RSH Daemon Buffer Overflow
This module exploits a vulnerability in Windows RSH daemon 1.8. The vulnerability is due to a failure to check for the length of input sent to the RSH server. A CPORT of 512 - 1023 must be configured for the exploit to be successful. This module requires Metasploit: https://metasploit.com/downloa...
Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
This module exploits a buffer overflow in Apple QuickTime 7.1.3. This module was inspired by MOAB-01-01-2007. The Browser target for this module was tested against IE 6 and Firefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the QuickTime plugin. This module requires Metasploit:...
CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download...
MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
Unix Command, Generic Command Execution
Executes the supplied command This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 8 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinfo =...
Unix Command, Interact with Established Connection
Interacts with a shell on an established socket connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 0 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions...
Solaris Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 144 include Msf::Payload::Single include Msf::Payload::Solaris include...
Windows shellcode stage, Hidden Bind TCP Stager
Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host. Module Options msf use payload/windows/custom/bindhiddentcp msf payloadbindhiddentcp show actions ...actions... msf payloadbindhiddentcp set ACTION msf payloadbindhiddentcp show optio...
Windows Hyper-V VM Enumeration
This module will check if the target machine is a Hyper-V host and, if it is, will return a list of all of the VMs running on the host, as well as stats such as their state, version, CPU Usage, uptime, and status. Module Options msf use post/windows/gather/enumhypervvms msf postenumhypervvms show...
Cisco AnyConnect Priv Esc through Path Traversal
The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system-level privileges. The attack consists of sending a specially crafted IPC reques...
Agent Tesla Panel Remote Code Execution
This module exploits a command injection vulnerability within the Agent Tesla control panel, in combination with an SQL injection vulnerability and a PHP object injection vulnerability, to gain remote code execution on affected hosts. Panel versions released prior to September 12, 2018 can be...
Centreon Poller Authenticated Remote Command Execution
An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules to perform certain actions, by the scheduler for data processing, etc. This modul...
GTP Echo Scanner
This module sends UDP GTP (GTP-U) echo requests to the target RHOSTS and reports on which ones respond, thus identifying General Packet Radio Service (GPRS) servers. This module does not support scanning with SCTP. This module requires Metasploit: https://metasploit.com/download Current source:...
Imperva SecureSphere PWS Command Injection
This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs did not properly sanitize user-supplied command parameters and passed them directly to the corresponding CLI utility, leading to command injection. Agent...
iOS Text Gatherer
This module collects text messages from iPhones. Tested on iOS 10.3.3 on an iPhone 5. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'iOS Text Gatherer', 'Description' = %q This module collects...
Netgear DGN1000 Setup.cgi Unauthenticated RCE
This module exploits an unauthenticated OS command execution vulnerability in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and DGN2000v1 models. This module requires Metasploit: https://metasploit.com/download Current source:...
MediaWiki SyntaxHighlight extension option injection vulnerability
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private. This vulnerability affects any MediaWiki...
DNS Record Scanner and Enumerator
This module can be used to gather information about a domain from a given DNS server by performing various DNS queries such as zone transfers, reverse lookups, SRV record brute forcing, and other techniques. This module requires Metasploit: https://metasploit.com/download Current source:...
BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.' This module requires...
Simple Backdoor Shell Remote Code Execution
This module exploits unauthenticated simple web backdoor shells by leveraging the common backdoor shell's vulnerable parameter to execute commands. The SecLists project of Daniel Miessler and Jason Haddix has many samples of this kind of backdoor shell, which are categorized under Payloads...
Adobe Flash Player ShaderJob Buffer Overflow
This module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after...
BSD x64 Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 88 include Msf::Payload::Single include Msf::Payload::Bsd include...
WordPress CP Multi-View Calendar Unauthenticated SQL Injection Scanner
This module will scan given instances for an unauthenticated SQL injection within the CP Multi-View Calendar plugin v1.1.4 for WordPress. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'uri' class...
Python Meterpreter, Python Reverse HTTPS Stager
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP using SSL This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...
Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
Inject the meterpreter server DLL staged. Listen for a connection from a hidden port and spawn a command shell to the allowed host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize =...
Easy File Management Web Server Stack Buffer Overflow
Easy File Management Web Server v4.0 and v5.3 contains a stack buffer overflow condition that is triggered as user-supplied input is not properly validated when handling the UserID cookie. This may allow a remote attacker to execute arbitrary code. This module requires Metasploit:...
OpenSSL DTLS Fragment Buffer Overflow DoS
This module performs a Denial of Service Attack against Datagram TLS in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. This occurs when a DTLS ClientHello message has multiple fragments and the fragment lengths of later fragments are larger than that of the first, a buffer...
Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution
This module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the...