Java Applet JAX-WS Remote Code Execution
This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier. This module requires Metasploit: https://metasploit.com/download Current source:...
Invision IP.Board unserialize() PHP Code Execution
This module exploits a PHP unserialize vulnerability in Invision IP.Board <= 3.3.4 which could be abused to allow unauthenticated users to execute...
Oracle Database Client System Analyzer Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability on the Client Analyzer component as included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. This module has been tested successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, wher...
SAP Web GUI Login Brute Forcer
This module attempts to brute force SAP usernames and passwords through the SAP Web GUI service. Default clients can be tested without needing to set a CLIENT. Common and default user/password combinations can be tested just by setting the DEFAULTCRED variable to true. The...
SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation
This module makes use of the SUSR_RFC_USER_INTERFACE function, through the SOAP /sap/bc/soap/rfc service, for creating/modifying users on a SAP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on,...
SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering
This module makes use of the RFC_SYSTEM_INFO function to obtain the operating system version, SAP version, IP address and other information through the use of the /sap/bc/soap/rfc SOAP service. This module requires Metasploit: https://metasploit.com/download Current source:...
SAP SOAP RFC SXPG_COMMAND_EXECUTE
This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to execute OS commands as configured in the SM69 transaction. This module requires Metasploit: https://metasploit.com/download Current source:...
SAP /sap/bc/soap/rfc SOAP Service RFC_READ_TABLE Function Dump Data
This module makes use of the RFC_READ_TABLE function to read data from tables using the /sap/bc/soap/rfc SOAP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on, inspired by, or is a port o...
SIP Deregister Extension
This module will attempt to deregister a SIP user from the provider. It has been tested successfully when the SIP provider/server doesn't use REGISTER authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
SAP /sap/bc/soap/rfc SOAP Service RFC_PING Function Service Discovery
This module makes use of the RFC_PING function, through the /sap/bc/soap/rfc SOAP service, to test connectivity to remote RFC destinations. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on,...
SAP /sap/bc/soap/rfc SOAP Service BAPI_USER_CREATE1 Function User Creation
This module makes use of the BAPI_USER_CREATE1 function, through the SOAP /sap/bc/soap/rfc service, for creating/modifying users on a SAP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on, inspire...
SAPRouter Admin Request
Display the remote connection table from a SAPRouter. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on, inspired by, or is a port of a plugin available in the Onapsis Bizploit Opensource ERP...
SAP SOAP Service RFC_PING Login Brute Forcer
This module attempts to brute force SAP usernames and passwords through the /sap/bc/soap/rfc SOAP service, using the RFC_PING function. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This module is based on, inspired by, o...
Windows Gather Service Info Enumeration
This module will query the system for services and display name and configuration info for each returned service. It allows you to optionally search the credentials, path, or start type for a string and only return the results that match. These query operations are cumulative and if no query...
Windows Gather Local Admin Search
This module will identify systems in a given range that the supplied domain user (should migrate into a user pid) has administrative access to by using the Windows API OpenSCManagerA to establish a handle to the remote host. Additionally it can enumerate logged in users and group membership via...
Digi RealPort Serial Server Version
Detect serial servers that speak the RealPort protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Digi RealPort Serial Server Port Scanner
Identify active ports on RealPort-enabled serial servers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
EMC Networker Format String
This module exploits a format string vulnerability in the lgsprintf function as implemented in liblocal.dll on EMC Networker products. This module exploits the vulnerability by using a specially crafted RPC call to the program number 0x5F3DD, version 0x02, and procedure 0x06. This module has been...
Concrete5 Member List Enumeration
This module extracts username information from the Concrete5 member page. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Bitweaver overlay_type Directory Traversal
This module exploits a directory traversal vulnerability found in Bitweaver. When handling the 'overlay_type' parameter, view_overlay.php fails to do any path checking/filtering, which can be abused to read any file outside the virtual directory. This module requires Metasploit:...
Microsoft SQL Server Database Link Crawling Command Execution
This module can be used to crawl MS SQL Server database links and deploy Metasploit payloads through links configured with sysadmin privileges using a valid SQL Server Login. If you are attempting to obtain multiple reverse shells using this module we recommend setting the "DisablePayloadHandler"...
HP Intelligent Management Center UAM Buffer Overflow
This module exploits a remote buffer overflow in HP Intelligent Management Center UAM. The vulnerability exists in the uam.exe component, when using sprintf in an insecure way for logging purposes. The vulnerability can be triggered by sending a malformed packet to the 1811/UDP port. The module has...
WinRM WQL Query Runner
This module runs WQL queries against remote WinRM services. Authentication is required. Currently it only works with NTLM auth. Please note that in order to use this module, the 'AllowUnencrypted' WinRM option must be set. This module requires Metasploit: https://metasploit.com/download Current source:...
Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow
This module exploits a vulnerability found in Aladdin Knowledge System's ActiveX component. By supplying a long string of data to the ChooseFilePath function, a buffer overflow occurs, which may result in remote code execution under the context of the user. This module requires Metasploit:...
ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName Traversal
This module exploits a directory traversal vulnerability found in ManageEngine DeviceExpert's ScheduleResultViewer Servlet. This is done by using "..\..\..\..\..\..\..\..\..\.." in the path in order to retrieve a file on a vulnerable machine. Please note that the SSL option is required in...
ManageEngine SecurityManager Plus 5.5 Directory Traversal
This module exploits a directory traversal flaw found in ManageEngine SecurityManager Plus 5.5 or less. When handling a file download request, the DownloadServlet class fails to properly check the 'f' parameter, which can be abused to read any file outside the virtual directory. This module...
ClanSphere 2011.3 Local File Inclusion Vulnerability
This module exploits a directory traversal flaw found in Clansphere 2011.3. The application fails to handle the cslang parameter properly, which can be used to read any file outside the virtual directory. This module requires Metasploit: https://metasploit.com/download Current source:...
Digi ADDP Remote Reboot Initiator
Reboot Digi International based equipment through the ADDP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Digi ADDP Information Discovery
Discover host information through the Digi International ADDP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Linux Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Modbus Unit ID and Station ID Enumerator
Modbus is a cleartext protocol used in common SCADA systems, developed originally as a serial-line RS232 async protocol, and later transformed to IP, which is called ModbusTCP. The default TCP port is 502. This module sends a command 0x04, read input register, to the Modbus endpoint. If this command i...
HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow
This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program component coda.exe when parsing requests for the 0x34 opcode. This module has been tested successfully on HP Operations Agent 11.00 over...
HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow
This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program component coda.exe when parsing requests for the 0x8c opcode. This module has been tested successfully on HP Operations Agent 11.00 over...
Multi Gather pgpass Credentials
This module will collect the contents of all users' .pgpass or pgpass.conf file and parse them for credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
SugarCRM unserialize() PHP Code Execution
This module exploits a PHP unserialize vulnerability in SugarCRM <= 6.3.1 which could be abused to allow authenticated SugarCRM users to execute arbitrary code with the...
ManageEngine Security Manager Plus 5.5 Build 5505 SQL Injection
This module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page, which results in remote code execution under the context of SYSTEM in Windows; or as the user in Linux. Authentication is not required in order to exploit this vulnerability. This module require...
MS08-067 Microsoft Server Service Relative Path Stack Corruption
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service along with a dozen others in the same...
JBoss Java Class DeploymentFileRepository WAR Deployment
This module uses the DeploymentFileRepository class in JBoss Application Server (jbossas) to deploy a JSP file which then deploys the WAR file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Turbo FTP Server 1.30.823 PORT Overflow
This module exploits a buffer overflow vulnerability found in the PORT command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote code execution under the context of SYSTEM. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Manage Proxy Setting Cloner
This module copies the proxy settings from the current user to the targeted user SID, and supports remote hosts as well if remote registry is allowed. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Windows Gather Proxy Setting
This module pulls a user's proxy settings. If neither RHOST nor SID is set it pulls the current user, else it will pull the user's settings for the specified SID and target host. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Recon Resolve IP
This module reverse resolves a range or IP to a hostname...
WinRM Authentication Method Detection
This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the authentication methods supported. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
NTP Clock Variables Disclosure
This module reads the system internal NTP variables. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers, and more. This module requires Metasploit: https://metasploit.com/download Current source:...
Microsoft SQL Server SQLi NTLM Stealer
This module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the SQL injection from GET_PATH to connect to the target SQL Server instance and execute the native "xp_dirtree" or "xp_fileexist" stored procedure. The stored...
Microsoft SQL Server NTLM Stealer
This module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the supplied credentials to connect to the target SQL Server instance and execute the native "xp_dirtree" or "xp_fileexist" stored procedure. The stored...
Novell ZENworks Asset Management 7.5 Remote File Access
This module exploits a hardcoded user and password for the GetFile maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to...
Novell ZENworks Asset Management 7.5 Configuration Access
This module exploits a hardcoded user and password for the GetConfig maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to...
Apache ActiveMQ JSP Files Source Disclosure
This module exploits a source code disclosure in Apache ActiveMQ. The vulnerability is due to Jetty's ResourceHandler handling of specially crafted URIs starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1 over Windows 2003 SP2 and Ubuntu 10.04. This module requires...
Apache ActiveMQ Directory Traversal
This module exploits a directory traversal vulnerability in Apache ActiveMQ 5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in Jetty's ResourceHandler installed with the affected versions. This module has been tested successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2...