Firefox 8/9 AttributeChildRemoved() Use-After-Free
This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow for a child to still be accessible after removal due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after...
RuggedCom Telnet Password Generator
This module will calculate the password for the hard-coded hidden username "factory" in the RuggedCom Rugged Operating System ROS. The password is dynamically generated based on the device's MAC address. This module requires Metasploit: https://metasploit.com/download Current source:...
Distinct TFTP 3.10 Writable Directory Traversal Execution
This module exploits a directory traversal vulnerability in the TFTP Server component of Distinct Intranet Servers version 3.10 which allows a remote attacker to write arbitrary files to the server file system, resulting in code execution under the context of 'SYSTEM'. This module has been tested...
WikkaWiki 1.3.2 Spam Logging PHP Injection
This module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection, thi...
PHP CGI Argument Injection
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: "if there is NO unescaped '=' in the query string, the string is split on...
Firefox nsSVGValue Out-of-Bounds Access Vulnerability
This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1). The notification of nsSVGValue observers via nsSVGValue::NotifyObserversx,...
Solarwinds Storage Manager 5.1.0 SQL Injection
This module exploits a SQL injection found in Solarwinds Storage Manager login interface. It will send a malicious SQL query to create a JSP file under the web root directory, and then let it download and execute our malicious executable under the context of SYSTEM. This module requires Metasploi...
Java RMI Server Insecure Endpoint Code Execution Scanner
Detect Java RMI endpoints. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
VLC MMS Stream Handling Buffer Overflow
This module exploits a buffer overflow in VLC media player prior to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result in a stack buffer overflow when handling a malicious MMS URI. This module uses the browser as attack vector. A specially crafted MMS...
McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability
This module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user. This module...
WebCalendar 1.2.4 Pre-Auth Remote Code Injection
This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or less. If not removed, the settings.php script meant for installation can be updated by an attacker, who can then inject code into it. This allows arbitrary code execution as www-data. This module requires Metasploit:...
Multi Generic Operating System Session Command Execution
This module executes an arbitrary command line. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
MS12-027 MSCOMCTL ActiveX Buffer Overflow
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with...
Shadow Stream Recorder 3.0.1.7 Buffer Overflow
This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7. Using the application to open a specially crafted asx file, a buffer overflow may occur to allow arbitrary code execution under the context of the user. This module requires Metasploit: https://metasploit.com/download Curre...
UDP Wake-On-Lan (WOL)
This module will turn on a remote machine with a network card that supports wake-on-lan or MagicPacket. In order to use this, you must know the machine's MAC address in advance. The current default MAC address is just an example of how your input should look like. The password field is optional. ...
TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to check this...
V-CMS Login Utility
This module attempts to authenticate to an English-based V-CMS login interface. It should only work against version v1.1 or older, because these versions do not have any default protections against brute forcing. This module requires Metasploit: https://metasploit.com/download Current source:...
John the Ripper MySQL Password Cracker (Fast Mode)
This module uses John the Ripper to identify weak passwords that have been acquired from the mysqlhashdump module. Passwords that have been successfully cracked are then saved as proper credentials...
xRadio 0.95b Buffer Overflow
This module exploits a buffer overflow in xRadio 0.95b. Using the application to import a specially crafted xrl file, a buffer overflow occurs allowing arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Current source:...
Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)
This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...
GSM SIM Editor 5.15 Buffer Overflow
This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current...
V-CMS PHP File Upload and Execute
This module exploits a vulnerability found on V-CMS's inline image upload feature. The problem is due to the inlineimageupload.php file not checking the file type before saving it on the web server. This allows any malicious user to upload a script such as PHP without authentication, and then...
CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit
This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x The vulnerability is triggered when opening a malformed p2g file containing an overly long string in the 'name' attribute of the file element. This results in overwriting a structured exception handler record. This...
Quest InTrust Annotation Objects Uninitialized Pointer
This module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The ActiveX component loads into memory without opting into ASLR, so this module exploits the vulnerability against Windows Vista and Windows 7 targets. A large heap spray is required to fulfi...
Adobe Flash Player ActionScript Launch Command Execution Vulnerability
This module exploits a vulnerability in Adobe Flash Player for Linux, version 10.0.12.36 and 9.0.151.0 and prior. An input validation vulnerability allows command execution when the browser loads a SWF file which contains shell metacharacters in the arguments to the ActionScript launch method. Th...
Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
Mozilla Firefox before version 41 allowed users to install unsigned browser extensions from arbitrary web servers. This module dynamically creates an unsigned .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page. The victim's Firefox browser will pop...
IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile() Method Overflow
This module exploits a buffer overflow vulnerability in the Isig.isigCtl.1 ActiveX installed with IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1. The vulnerability is found in the "RunAndUploadFile" method where the "OtherFields" parameter with user controlled data is use...
Dolibarr ERP/CRM Login Utility
This module attempts to authenticate to a Dolibarr ERP/CRM's admin web interface, and should only work against version 3.1.1 or older, because these versions do not have any default protections against brute forcing. This module requires Metasploit: https://metasploit.com/download Current source:...
Dolibarr ERP/CRM Post-Auth OS Command Injection
This module exploits a vulnerability found in Dolibarr ERP/CRM 3's backup feature. This software is used to manage a company's business information such as contacts, invoices, orders, stocks, agenda, etc. When processing a database backup request, the export.php function does not check the input...
LANDesk Lenovo ThinkManagement Console Remote Command Execution
This module can be used to execute a payload on LANDesk Lenovo ThinkManagement Suite 9.0.2 and 9.0.3. The payload is uploaded as an ASP script by sending a specially crafted SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx" , via a "RunAMTCommand" operation with the...
ICMP Exfiltration Service
This module is designed to provide a server-side component to receive and store files exfiltrated over ICMP echo request packets. To use this module you will need to send an initial ICMP echo request containing the specific start trigger (defaults to '^BOF'); this can be followed by the filename bei...
TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow
This module exploits a vulnerability found in TRENDnet SecurView Internet Camera's ActiveX control. By supplying a long string of data as the sFilter argument of the OpenFileDlg function, it is possible to trigger a buffer overflow condition due to WideCharToMultiByte which converts unicode back ...
Csound hetro File Handling Stack Buffer Overflow
This module exploits a buffer overflow in Csound before 5.16.6. The overflow occurs when trying to import a malicious hetro file from tabular format. In order to achieve exploitation the user should import the malicious file through csound with a command like "csound -U hetimport msf.csd file.het...
Schneider Modicon Remote START/STOP Command
The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to perform administrative commands without authentication. This module allows a remote user to change the state of the PLC between STOP and RUN, allowing an attacker to end process control by the PLC. This module is...
General Electric D20ME TFTP Server Buffer Overflow DoS
By sending a malformed TFTP request to the GE D20ME, it is possible to crash the device. This module is based on the original 'd20ftpbo.rb' Basecamp module from DigitalBond. This module requires Metasploit: https://metasploit.com/download Current source:...
Schneider Modicon Ladder Logic Upload/Download
The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to send and receive ladder logic. The protocol is unauthenticated, and allows a rogue host to retrieve the existing logic and to upload new logic. Two modes are supported: "SEND" and "RECV," which behave as one might...
Schneider Modicon Quantum Password Recovery
The Schneider Modicon Quantum series of Ethernet cards store usernames and passwords for the system in files that may be retrieved via backdoor access. This module is based on the original 'modiconpass.rb' Basecamp module from DigitalBond. This module requires Metasploit:...
Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands
The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which implements the protocol. This module implements the CPU STOP command, as well as the ability to crash the Ethernet card in an affected device. This module is based on the original 'ethernetip-multi.rb' Basecam...
Koyo DirectLogic PLC Password Brute Force Utility
This module attempts to authenticate to a locked Koyo DirectLogic PLC. The PLC uses a restrictive passcode, which can be A0000000 through A9999999. The "A" prefix can also be changed by the administrator to any other character, which can be set through the PREFIX option of this module. This modul...
NetOp Remote Control Client 9.5 Buffer Overflow
This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5. Opening a .dws file containing a specially crafted string longer than 520 characters will allow an attacker to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current...
Linux Gather XChat Enumeration
This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply...
OS X Gather Colloquy Enumeration
This module will collect Colloquy's info plist file and chat logs from the victim's machine. There are three actions you may choose: INFO, CHATS, and ALL. Please note that the CHATS action may take a long time depending on the victim machine, therefore we suggest setting the regex 'PATTERN' option ...
Java AtomicReferenceArray Type Violation Vulnerability
This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform maliciou...
OS X Gather Airport Wireless Preferences
This module will download OS X Airport Wireless preferences from the victim machine. The preferences file which is a plist contains information such as: SSID, Channels, Security Type, Password ID, etc. This module requires Metasploit: https://metasploit.com/download Current source:...
UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for...
FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
This module exploits FreePBX versions 2.10.0, 2.9.0 and possibly older. Due to the way callmepage.php handles the 'callmenum' parameter, it is possible to inject code into the '$channel' variable in function callmestartcall in order to gain remote code execution. Please note in order to use this modu...
HP Data Protector 6.1 EXEC_CMD Command Execution
This module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look for that user-supplied filename with kernel32!FindFirstFileW. If the file is found, the process will then go ahead and execute it with...
Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow
This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP service. By supplying a long string of data to the USER command, it is possible to trigger a stack-based buffer overflow, which allows remote code execution under the context of the user. Please note that in order to trigger...
Apache Struts Remote Command Execution
This module exploits a remote command execution vulnerability in Apache Struts versions...
MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free
This module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the...