Openfiler v2.x NetworkCard Command Execution
This module exploits a vulnerability in Openfiler v2.x which could be abused to allow authenticated users to execute arbitrary code under the context of the 'openfiler' user. The 'system.html' file uses user controlled data from the 'device' parameter to create a new 'NetworkCard' object. The cla...
WAN Emulator v2.3 Command Execution
This module exploits a command execution vulnerability in WAN Emulator version 2.3 which can be abused to allow unauthenticated users to execute arbitrary commands under the context of the 'www-data' user. The 'result.php' script calls shell_exec with user controlled data from the 'pc' parameter...
Sflog! CMS 1.0 Arbitrary File Upload Vulnerability
This module exploits multiple design flaws in Sflog 1.0. By default, the CMS has a default admin credential of "admin:secret", which can be abused to access administrative features such as blogs management. Through the management interface, we can upload a backdoor that's accessible by any remote...
ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow
This module exploits a vulnerability in ActiveFax Server. The vulnerability is a stack based buffer overflow in the "Import Users from File" function, due to the insecure usage of strcpy while parsing the csv formatted file. The module creates a .exp file that must be imported with ActiveFax...
HP SiteScope Remote Code Execution
This module exploits a code execution flaw in HP SiteScope. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the create operation, available through the APIPreferenceImpl AXIS service, to create a new account with empty credentials and, subsequently, uses...
Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability
This module exploits a default misconfiguration flaw on Symantec Messaging Gateway. The 'support' user has a known default password, which can be used to login to the SSH service, and gain privileged access from remote. This module requires Metasploit: https://metasploit.com/download Current...
Windows Manage Remote Packet Capture Service Starter
This module enables the Remote Packet Capture System rpcapd service included in the default installation of Winpcap. The module allows you to set up the service in passive or active mode useful if the client is behind a firewall. If authentication is enabled you need a local user account to captu...
HP SiteScope SOAP Call loadFileContent Remote File Access
This module exploits an authentication bypass vulnerability in HP SiteScope to retrieve an arbitrary text file from the remote server. It is accomplished by calling the loadFileContent operation available through the APIMonitorImpl AXIS service. This module has been successfully tested on HP...
HP SiteScope SOAP Call getSiteScopeConfiguration Configuration Access
This module exploits an authentication bypass vulnerability in HP SiteScope which allows retrieval of the HP SiteScope configuration, including administrative credentials. It is accomplished by calling the getSiteScopeConfiguration operation available through the APISiteScopeImpl AXIS service. The...
HP SiteScope SOAP Call getFileInternal Remote File Access
This module exploits an authentication bypass vulnerability in HP SiteScope to retrieve an arbitrary file from the remote server. It is accomplished by calling the getFileInternal operation available through the APISiteScopeImpl AXIS service. This module has been successfully tested on HP SiteSco...
Microsoft SQL Server Find and Sample Data
This script will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS option. If column names are found that match the defined keywords and data is present in the associated tables, the script will select a sample of th...
Windows Manage Local Microsoft SQL Server Authorization Bypass
When this module is executed, it can be used to add a sysadmin to local SQL Server instances. It first attempts to gain LocalSystem privileges using the "getsystem" escalation methods. If those privileges are not sufficient to add a sysadmin, then it will migrate to the SQL Server service process...
MobileCartly 1.0 Arbitrary File Creation Vulnerability
This module exploits a vulnerability in MobileCartly. The savepage.php file does not do any permission checks before using file_put_contents, which allows any user to have direct control of that function to create files under the 'pages' directory by default, or anywhere else as long as the user ha...
JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)
This module can be used to execute a payload on JBoss servers that have the HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed to finally upload the selected payload to the target. The...
SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher service. The overflow occurs in the DiagTraceR3Info function and allows a remote attacker to execute arbitrary code by supplying a specially crafted Diag packet. The Dispatcher service is only vulnerable if the Developer...
SAP NetWeaver HostControl Command Injection
This module exploits a command injection vulnerability in the SAPHostControl Service, by sending a specially crafted SOAP request to the management console. In order to deal with the spaces and length limitations, a WebDAV service is created to run an arbitrary payload when accessed as a UNC path...
Java 7 Applet Remote Code Execution
The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod. Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which...
Generic HTTP Directory Traversal Utility
This module allows you to test if a web server or web application is vulnerable to directory traversal with three different actions. The default 'CHECK' action is used to automatically or manually find if directory traversal exists in the web server, and then return the path that triggers the...
Zabbix Server Arbitrary Command Execution
This module abuses the "Command" trap in Zabbix Server to execute arbitrary commands without authentication. By default the Node ID "0" is used; if it doesn't work, the Node ID is leaked from the error message and exploitation is retried. According to the vendor, versions prior to 1.6.9 are vulnerabl...
XODA 0.4.5 Arbitrary PHP File Upload Vulnerability
This module exploits a file upload vulnerability found in XODA 0.4.5. Attackers can abuse the "upload" command in order to upload a malicious PHP file without any authentication, which results in arbitrary code execution. The module has been tested successfully on XODA 0.4.5 and Ubuntu 10.04. Thi...
E-Mail Security Virtual Appliance learn-msg.cgi Command Injection
This module exploits a command injection vulnerability found in E-Mail Security Virtual Appliance. This module abuses the learn-msg.cgi file to execute arbitrary OS commands without authentication. This module has been successfully tested on the ESVA2057 appliance. This module requires Metasploit...
HTTP Client Basic Authentication Credential Collector
This module responds to all requests for resources with an HTTP 401. This should cause most browsers to prompt for a credential. If the user enters Basic Auth creds they are sent to the console. This may be helpful in some phishing expeditions where it is possible to embed a resource into a page...
Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file with a large nTables value in the 'kern' header, it is possible to trigger an integer overflow, which results in remote code execution und...
PostgreSQL for Linux Payload Execution
On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the...
GlobalSCAPE CuteZIP Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version 2.1 of CuteZIP. In order for the command to be executed, an attacker must convince the target user to open a specially crafted zip file with CuteZIP. By doing so, an attacker can execute arbitrary code as the target user...
Windows Service Trusted Path Privilege Escalation
This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths:...
TestLink v1.9.3 Arbitrary File Upload Vulnerability
This module exploits a vulnerability in TestLink version 1.9.3 or prior. This application has an upload feature that allows any authenticated user to upload arbitrary files to the '/uploadarea/nodeshierarchy/' directory with a randomized file name. The file name can be retrieved from the database...
Cyclope Employee Surveillance Solution v6 SQL Injection
This module exploits a SQL injection found in Cyclope Employee Surveillance Solution. Because the login script does not properly handle the user-supplied username parameter, a malicious user can manipulate the SQL query and gain arbitrary code execution under the context of 'SYSTEM'. This modu...
Novell ZENworks Asset Management Remote Execution
This module exploits a path traversal flaw in Novell ZENworks Asset Management 7.5. By exploiting the CatchFileServlet, an attacker can upload a malicious file outside of the MalibuUploadDirectory and then make a secondary request that allows for arbitrary code execution. This module requires...
NetDecision 4.2 TFTP Writable Directory Traversal Execution
This module exploits a vulnerability found in the NetDecision 4.2 TFTP server. The software contains a directory traversal vulnerability that allows a remote attacker to write arbitrary files to the file system, which results in code execution under the context of the user executing the TFTP Server. This...
NetDecision 4.2 TFTP Directory Traversal
This module exploits a directory traversal vulnerability in the NetDecision 4.2 TFTP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
OS X Gather Keychain Enumeration
This module presents a way to quickly go through the current user's keychains and collect data such as email accounts, servers, and other services. Please note: when using the GETPASS and GETPASSAUTOACCEPT option, the user may see an authentication alert flash briefly on their screen that gets...
PHP IRC Bot pbot eval() Remote Code Execution
This module allows remote command execution on the PHP IRC bot pbot by abusing the usage of eval in the implementation of the .php command. In order to work, the data to connect to the IRC server and channel where pbot can be found must be provided. The module has been successfully tested on the version ...
Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass
This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer without any authentication. Versions such as 9.0.1 or older are affected. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential
This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer. By default, the software installs a default password in MySQL, and binds the service to "0.0.0.0". This allows any remote user to login to MySQL, and then gain arbitrary remote code execution under the context of...
WebPageTest Directory Traversal
This module exploits a directory traversal vulnerability found in WebPageTest. Due to the way the gettext.php script handles the 'file' parameter, it is possible to read a file outside the www directory. This module requires Metasploit: https://metasploit.com/download Current source:...
Multi Escalate Metasploit pcap_log Local Privilege Escalation
Metasploit 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings, creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these filename...
Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow
This module exploits a vulnerability found in the AutoVue.ocx ActiveX control. The vulnerability, due to the insecure usage of a strcpy-like function in the SetMarkupMode method when handling a specially crafted sMarkup argument, allows triggering a stack based buffer overflow which leads to co...
SMB Directory Listing Utility
This module lists the directory of a target share and path. The only reason to use this module is if your existing SMB client is not able to support the features of the Metasploit Framework that you need, like pass-the-hash authentication. This module requires Metasploit:...
Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection
This module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. Please note that authentication is...
John the Ripper AIX Password Cracker
This module uses John the Ripper to identify weak passwords that have been acquired from passwd files on AIX systems...
Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as installed with the web interface of the Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method when handling a specially crafted sU...
Zenoss 3 showDaemonXMLConfig Command Execution
This module exploits a command execution vulnerability in Zenoss 3.x which could be abused to allow authenticated users to execute arbitrary code under the context of the 'zenoss' user. The show_daemon_xml_configs function in the 'ZenossInfo.py' script calls Popen with user controlled data from the...
MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
This module exploits a heap overflow vulnerability in Internet Explorer caused by incorrect handling of the span attribute for col elements of a fixed table when they are modified dynamically by JavaScript code. This module requires Metasploit: https://metasploit.com/download Current source...
WebPageTest Arbitrary PHP File Upload
This module exploits a vulnerability found in WebPageTest's Upload Feature. By default, the resultimage.php file does not verify the user-supplied item before saving it to disk, and then places this item in the web directory accessible by remote users. This flaw can be abused to gain remote code...
Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
The uplay ActiveX component allows an attacker to execute any command line action. The user must be signed in, unless auto-sign in is enabled, and uplay must not already be running. Because the malicious executable is served via WebDAV, the module must be run on port 80, so please make sure you have...
MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution
This module exploits a vulnerability found in SharePoint Server 2007 SP2. The software contains a directory traversal that allows a remote attacker to write arbitrary files to the filesystem by sending a specially crafted SOAP ConvertFile request to the Office Document Conversions Launcher Service...
Unix Command Shell, Reverse TCP (via Python)
Connect back and create a command shell via Python. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Sysax Multi Server 5.64 Create Folder Buffer Overflow
This module exploits a stack buffer overflow in the create folder function in Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the vulnerability, valid credentials with the create folder permission must be provided. The HTTP option must be enabled on Sysax too. This modul...
CuteFlow v2.11.2 Arbitrary File Upload Vulnerability
This module exploits a vulnerability in CuteFlow version 2.11.2 or prior. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the 'upload/1/' directory and then execute it. This module requires Metasploit: https://metasploit.com/download Current...