6849 matches found
BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.' This module requires...
MS15-100 Microsoft Windows Media Center MCL Vulnerability
This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the .mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Current source:...
Adobe Flash Player ShaderJob Buffer Overflow
This module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after...
BSD x64 Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 88 include Msf::Payload::Single include Msf::Payload::Bsd include...
Group Policy Script Execution From Shared Resource
This is a general-purpose module for exploiting systems with Windows Group Policy configured to load VBS startup/logon scripts from remote locations. This module runs a SMB shared resource that will provide a payload through a VBS file. Startup scripts will be executed with SYSTEM privileges, whi...
Python Meterpreter, Python Reverse HTTPS Stager
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP using SSL This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...
Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
Inject the meterpreter server DLL staged. Listen for a connection from a hidden port and spawn a command shell to the allowed host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize =...
Tuleap PHP Unserialize Code Execution
This module exploits a PHP object injection vulnerability in Tuleap 'Tuleap PHP Unserialize Code Execution', 'Description' = %q This module exploits a PHP object injection vulnerability in Tuleap = 7.6-4 which could be abused to allow authenticated users to execute arbitrary code with the...
Easy File Management Web Server Stack Buffer Overflow
Easy File Management Web Server v4.0 and v5.3 contains a stack buffer overflow condition that is triggered as user-supplied input is not properly validated when handling the UserID cookie. This may allow a remote attacker to execute arbitrary code. This module requires Metasploit:...
OpenSSL DTLS Fragment Buffer Overflow DoS
This module performs a Denial of Service Attack against Datagram TLS in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. This occurs when a DTLS ClientHello message has multiple fragments and the fragment lengths of later fragments are larger than that of the first, a buffer...
Firefox Gather Cookies from Privileged Javascript Shell
This module allows collection of cookies from a Firefox Privileged Javascript Shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'json' class MetasploitModule 'Firefox Gather Cookies from Privileged...
Quantum DXi V1000 SSH Private Key Exposure
Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that allows passwordless authentication to any other DXi box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. This module requires Metasploit:...
Linux Command Shell, Reverse TCP Stager
Spawn a command shell staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 272 include Msf::Payload::Stager def initializeinfo = supermergeinfoinfo,...
ABB MicroSCADA wserver.exe Remote Code Execution
This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe component, which allows arbitrary commands. The component is disabled by default, but required when a project uses the SCI...
Unix Command Shell, Reverse TCP (via nodejs)
Continually listen for a connection and spawn a command shell via nodejs This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 3231 include Msf::Payload::Single include...
OSX Password Prompt Spoof
Presents a password prompt dialog to a logged-in OSX user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OSX Password Prompt Spoof', 'Description' = %q Presents a password prompt dialog to a...
SAP Management Console OSExecute Payload Execution
This module executes an arbitrary payload through the SAP Management Console SOAP Interface. A valid username and password for the SAP Management Console must be provided. This module has been tested successfully on both Windows and Linux platforms running SAP Netweaver. In order to exploit a Lin...
Auxilliary Parser Windows Unattend Passwords
This module parses Unattend files in the target directory. See also: post/windows/gather/enumunattend This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Auxilliary Parser Windows Unattend...
Java Applet Reflection Type Confusion Remote Code Execution
This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play throw a specially craft...
STUNSHELL Web Shell Remote PHP Code Execution
This module exploits unauthenticated versions of the "STUNSHELL" web shell. This module works when safe mode is enabled on the web server. This shell is widely used in automated RFI payloads. This module requires Metasploit: https://metasploit.com/download Current source:...
Java Applet JAX-WS Remote Code Execution
This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier. This module requires Metasploit: https://metasploit.com/download Current source:...
SAP SOAP RFC SXPG_COMMAND_EXECUTE
This module makes use of the SXPGCOMMANDEXECUTE Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service to execute OS commands as configured in the SM69 transaction. This module requires Metasploit: https://metasploit.com/download Current source:...
Apache ActiveMQ Directory Traversal
This module exploits a directory traversal vulnerability in Apache ActiveMQ 5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's ResourceHandler installed with the affected versions. This module has been tested successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2...
PhpTax pfilez Parameter Exec Remote Code Injection
This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng function in drawimage.php does not properly handle the pfilez parameter, which will be used in an exec statement, and then results in arbitrary remote code execution under...
HTTP Client Automatic Exploiter
This module has three actions. The first and the default is 'WebServer' which uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them. Next is 'DefangedDetection' which does only the fingerprinting part. Lastly, 'list' simply...
OS X x64 say Shellcode
Say an arbitrary string outloud using Mac OS X text2speech This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 53 include Msf::Payload::Single def initializeinfo = supermergeinfoinfo,...
Apple iOS MobileSafari LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload. This module requires Metasploit: https://metasploit.com/download...
MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
This module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code. This module requires Metasploit: https://metasploit.com/download Current source...
DB2 Authentication Brute Force Utility
This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework requi...
VMWare ESX/ESXi Fingerprint Scanner
This module accesses the web API interfaces for VMware ESX/ESXi servers and attempts to identify version information for that server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VMWare...
Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow
This module exploits a stack based buffer overflow found in Free MP3 CD Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious WAV file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Windows Manage Hosts File Injection
This module allows the attacker to insert a new entry into the target system's hosts file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'English' class MetasploitModule 'Windows Manage Hosts File Injection'...
SAP Management Console Get Access Points
This module simply attempts to output a list of SAP access points through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP Management Console Get...
Windows Gather Forensic Imaging
This module will perform byte-for-byte imaging of remote disks and volumes This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Forensic byte-for-byte imaging of remote disks and volumes R. Wesley McGrew...
BNAT Scanner
This module is a scanner which can detect Broken NAT network address translation implementations, which could result in an inability to reach ports on remote machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'. This module requires Metasploit:...
Java Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 7497 include Msf::Payload::Single include Msf::Payload::Java include...
Windows Gather CoreFTP Saved Password Extraction
This module extracts saved passwords from the CoreFTP FTP client. These passwords are stored in the registry. They are encrypted with AES-128-ECB. This module extracts and decrypts these passwords. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Gather Internet Download Manager (IDM) Password Extractor
This module recovers the saved premium download account passwords from Internet Download Manager IDM. These passwords are stored in an encoded format in the registry. This module traverses through these registry entries and decodes them. Thanks to the template code of theLightCosine's CoreFTP...
Solaris Gather Configured Services
Post module to enumerate services on a Solaris System This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solaris Gather Configured Services', 'Description' = %q Post module to enumerate services o...
VLC AMV Dangling Pointer Vulnerability
This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st byte in the file format video width/height, VLC crashes due to an invalid pointer, which allows remote attackers to gain arbitrary code execution. The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC...
Adobe Flash Player AVM Bytecode Verification Vulnerability
This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JITJust-In-Time code being executed. This is the same vulnerability that was used for the RSA attack ...
SAP Management Console ABAP Syslog Disclosure
This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP Management Console ABAP Syslog...
Windows Gather PowerShell Environment Setting Enumeration
This module will enumerate Microsoft PowerShell settings. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather PowerShell Environment Setting Enumeration', 'Description' = %q This...
SNMP Windows Username Enumeration
This module will use LanManager/psProcessUsername OID values to enumerate local user accounts on a Windows/Solaris system via SNMP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SNMP Windows...
CakePHP Cache Corruption Code Execution
CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP versions 1.3.5 and earlier and 1.2.8 and earlier is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of th...
D-Link i2eye Video Conference AutoAnswer (WDBRPC)
This module can be used to enable auto-answer mode for the D-Link i2eye video conferencing system. Once this setting has been flipped, the device will accept incoming video calls without acknowledgement. The NetMeeting software included in Windows XP can be used to connect to this device. The i2e...
HTTP WebDAV Internal IP Scanner
Detect webservers internal IPs though WebDAV This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP WebDAV Internal IP Scanner', 'Description' = 'Detect webservers internal IPs though WebDAV',...
BigAnt Server 2.52 USV Buffer Overflow
This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.52. NOTE: The AntServer service does not restart, you only get one shot. This module requires Metasploit:...
Sun Java JRE AWT setDiffICM Buffer Overflow
This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.223 and...
Adobe Doc.media.newPlayer Use After Free Vulnerability
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'zlib' class MetasploitModul...