6843 matches found
Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection
This module exploits a command injection vulnerability found in Symantec Web Gateway's HTTP service. While handling the filename parameter, the Spywall API does not do any filtering before passing it to an exec call in proxyfile, which results in remote code execution under the context of the web...
Cisco Linksys PlayerPT ActiveX Control Buffer Overflow
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as installed with the web interface of the Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, allows triggering a stack-based buff...
Photodex ProShow Producer 5.0.3256 load File Handling Buffer Overflow
This module exploits a stack-based buffer overflow in Photodex ProShow Producer v5.0.3256 in the handling of the plugins load list file. An attacker must send the crafted "load" file to the victim, who must store it in the installation directory. The vulnerability will be triggered the next time...
SAP Management Console GetProcessList
This module attempts to list SAP processes through the SAP Management Console SOAP interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
HTTP Client MS Credential Relayer
This module relays negotiated NTLM Credentials from an HTTP server to multiple protocols. Currently, this module supports relaying to SMB and HTTP. Complicated custom attacks requiring multiple requests that depend on each other can be written using the SYNC options. For example, a CSRF-style...
EGallery PHP File Upload Vulnerability
This module exploits a vulnerability found in EGallery 1.2. By abusing the uploadify.php file, a malicious user can upload a file to the egallery/ directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on Ubuntu 10.04. This module...
Simple Web Server Connection Header Buffer Overflow
This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send long string data in the Connection header to cause an overflow on the stack when the function vsprintf is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and...
Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow
This module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x6c PROXYCMDGETNEXTSTEP to port 998/TCP. The module has been successfully tested on...
Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow
This module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x4c PROXYCMDPREBOOTTASKINFO2 to port 998/TCP. The module has been successfully tested...
Authentication Capture: SIP
This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.
Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow
This module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x06 PROXYCMDCLEARWS to the 998/TCP port. The module has been successfully test...
Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow
This module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x21 PROXYCMDFTPFILE to port 998/TCP. The module has been successfully tested o...
Microsoft SQL Server Generic Query from File
This module will allow for multiple SQL queries contained within a specified file to be executed against a Microsoft SQL Server (MSSQL) instance, given the appropriate credentials.
Authentication Capture: MySQL
This module provides a fake MySQL service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.
ALLMediaServer 0.8 Buffer Overflow
This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused by a boundary error within the handling of HTTP requests. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't reliable across virtual VMWare, VirtualBox and physical...
Sielco Sistemi Winlog Remote File Access
This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability exists in the Runtime.exe service and can be triggered by sending a specially crafted packet to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite 2.07.14. This module...
Authentication Capture: VNC
This module provides a fake VNC service that is designed to capture authentication credentials.
Authentication Capture: MSSQL
This module provides a fake MSSQL service that is designed to capture authentication credentials. The module supports both the weakly encoded database logins and Windows (NTLM) logins.
Authentication Capture: DRDA (DB2, Informix, Derby)
This module provides a fake DRDA (DB2, Informix, Derby) server that is designed to capture authentication credentials.
JBoss JMX Console Deployer Upload and Execute
This module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload...
Hastymail 2.1.1 RC1 Command Injection
This module exploits a command injection vulnerability found in Hastymail 2.1.1 RC1 due to the insecure usage of the call_user_func_array function in the "lib/ajaxfunctions.php" script. Authentication is required on Hastymail in order to exploit the vulnerability. The module has been successfully...
Java Applet Field Bytecode Verifier Cache Remote Code Execution
This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operation...
AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution
This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This module has been successfully tested with the ActiveX installed with...
Novell ZENworks Configuration Management Preboot Service Remote File Access
This module exploits a directory traversal in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted PROXYCMDFTPFILE opcode 0x21 packet to the 998/TCP port. This module has been successfully tested on Novell...
Umbraco CMS Remote Command Execution
This module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted SOAP request to codeEditorSave.asmx, which permits unauthorized file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path...
Basilic 1.5.14 diff.php Arbitrary Command Execution
This module abuses a metacharacter injection vulnerability in the diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary commands as the www-data user account.
WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal
This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances aka Network Security Platform. This directory traversal vulnerability is interesting because the apache server is running as root, this means we can grab anything we want! For instance, the /etc/shadow and /etc/passwd files for...
Tiki Wiki unserialize() PHP Code Execution
This module exploits a PHP unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to...
Poison Ivy Server Buffer Overflow
This module exploits a stack buffer overflow in the Poison Ivy 2.2.0 to 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication.
IBM Rational ClearQuest CQOle Remote Code Execution
This module exploits a function prototype mismatch in the CQOle ActiveX control in IBM Rational ClearQuest...
Windows Gather Unattended Answer File Enumeration
This module will check the file system for a copy of unattend.xml and/or autounattend.xml found on Windows Vista or newer Windows systems, and then extract sensitive information such as usernames and decoded passwords. It also checks for '.vmimport' files that could have been created by the AWS EC2...
WPAD.dat File Server
This module generates a valid wpad.dat file for WPAD MITM attacks. Usually this module is used in combination with DNS attacks or the 'NetBIOS Name Service Spoofer' module. Note that since the server runs on TCP port 80 by default, you will need the required privileges to open that...
Irfanview JPEG2000 jp2 Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been tested on ...
HP Data Protector Create New Folder Buffer Overflow
This module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in an insecure way by the dpwindtb.dll component. While the overflow occurs on the stack, the folder name is split in fragments in this...
Windows Gather TCP Netstat
This module lists current TCP sessions.
Apple QuickTime TeXML Style Element Stack Buffer Overflow
This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style...
Atlassian Crowd XML Entity Expansion Remote File Access
This module simply attempts to read a remote file from the server using a vulnerability in the way Atlassian Crowd handles XML files. The vulnerability occurs while trying to expand external entities with the SYSTEM identifier. This module has been tested successfully on Linux and Windows...
MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass
This module bypasses basic authentication for Internet Information Services (IIS). By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.
LLMNR Spoofer
LLMNR (Link-local Multicast Name Resolution) is the successor of NetBIOS (Windows Vista and up) and is used to resolve the names of neighboring computers. This module forges LLMNR responses by listening for LLMNR requests sent to the LLMNR multicast address 224.0.0.252 and responding with a...
Openfire Admin Console Authentication Bypass
This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0...
Apple iTunes 10 Extended M3U Stack Buffer Overflow
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an "EXTINF:" tag description, iTunes will copy the content after "EXTINF:" without appropriate checking from a heap buffer to a stack buffer, writing beyond the stack buffer...
Adobe Flash Player Object Type Confusion
This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress...
Windows Gather Generic File Collection
This module downloads files recursively based on the FILEGLOBS option.
Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against...
Windows Gather TortoiseSVN Saved Password Extraction
This module extracts and decrypts saved TortoiseSVN passwords. In order for decryption to be successful this module must be executed under the same privileges as the user which originally encrypted the password.
EZHomeTech EzServer Stack Buffer Overflow Vulnerability
This module exploits a stack buffer overflow in the EZHomeTech EZServer for versions 6.4.017 and earlier. If a malicious user sends packets containing an overly long string, it may be possible to execute a payload remotely. Due to size constraints, this module uses the Egghunter technique. This...
MySQL Authentication Bypass Password Dump
This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking. Impacts MySQL versions: - 5.1.x before 5.1.63 - 5.5.x before 5.5.24 - 5.6.x before 5.6.6 And...
Intersil (Boa) HTTPd Basic Authentication Password Reset
The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11 allows basic authentication bypass when the user string is greater than 127 bytes long. The long string causes the password to be overwritten in memory, which enables the attacker to reset the password. In addition, the malicious...
F5 BIG-IP SSH Private Key Exposure
F5 ships a public/private key pair on BIG-IP appliances that allows passwordless authentication to any other BIG-IP box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root.
MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption
This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution.