OS X Gather Chicken of the VNC Profile
This module will download the "Chicken of the VNC" client application's profile file, which is used to store other VNC servers' information such as the IP and password. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
DNS TXT Record Payload Download and Execution
Performs a TXT query against a series of DNS records and executes the returned x86 shellcode. The DNSZONE option is used as the base name to iterate over. The payload will first request the TXT contents of the 'a' hostname, followed by 'b', then 'c', etc. until there are no more records. For each recor...
Dell Webcam CrazyTalk ActiveX BackImage Vulnerability
This module exploits a vulnerability in Dell Webcam's CrazyTalk component. Specifically, when supplying a long string for a file path to the BackImage property, an overflow may occur after checking certain file extension names, resulting in remote code execution under the context of the user. Thi...
MS12-020 Microsoft Remote Desktop Use-After-Free DoS
This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result in an invalid pointer being used, therefore causing a denial-of-service...
SNMP Community Login Scanner
This module logs in to SNMP devices using common community names. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/community_string_collection' require 'metasploit/framework/login_scanner/snm...
OS X Gather Adium Enumeration
This module will collect Adium's account plist files and chat logs from the victim's machine. There are three different actions you may choose: ACCOUNTS, CHATS, and ALL. Note that to use the 'CHATS' action, make sure you set the regex 'PATTERN' option in order to look for certain log names which...
Linux Gather Configurations
This module collects configuration files found on commonly installed applications and services, such as Apache, MySQL, Samba, Sendmail, etc. If a config file is found in its default path, the module will assume that is the file we want. This module requires Metasploit:...
Sockso Music Host Server 1.5 Directory Traversal
This module exploits a directory traversal bug in Sockso on port 4444. This is done by using "../" in the path to retrieve a file on a vulnerable machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Linux Gather Protection Enumeration
This module checks whether popular system hardening mechanisms are in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also tries to find installed applications that can be used to hinder, prevent, or detect attacks, such as tripwire, snort, and apparmor. This module is meant to identif...
Ruby On Rails Attributes Mass Assignment Scanner
This module scans Ruby On Rails sites for models with attributes not protected by attr_protected or attr_accessible. After attempting to assign a non-existent field, the default Rails with ActiveRecord setup will raise an ActiveRecord::UnknownAttributeError exception and reply with HTTP code 500...
NetDecision NOCVision Server Directory Traversal
This module exploits a directory traversal bug in NetDecision's TrafficGrapherServer.exe service. This is done by using "..." in the path to retrieve a file on a vulnerable machine. This module requires Metasploit: https://metasploit.com/download Current source:...
Linux Command Shell, Find Port Inline
Spawn a shell on an established connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 98 include Msf::Payload::Single include Msf::Payload::Linux::X64::Prepends include...
Linux Gather User History
This module gathers the following user-specific information: shell history, MySQL history, PostgreSQL history, MongoDB history, Vim history, lastlog, and sudoers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
NetDecision 4.5.1 HTTP Server Buffer Overflow
This module exploits a vulnerability found in NetDecision's HTTP service located in C:\Program Files\NetDecision\Bin\HttpSvr.exe. By supplying a long string of data to the URL, an overflow may occur if the data gets handled by HTTP Server's active window. In other words, in order to gain remote...
Linux Gather System and User Information
This module gathers system information. We collect installed packages, installed services, mount information, user list, user bash history and cron jobs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Linux Gather Network Information
This module gathers network information from the target system: IPTables rules, interfaces, wireless information, open and listening ports, active network connections, DNS information and SSH information. This module requires Metasploit: https://metasploit.com/download Current source:...
Apple Filing Protocol Login Utility
This module attempts to brute force authentication credentials for AFP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'openssl' require 'metasploit/framework/credential_collection' require...
Adobe Flash Player MP4 'cprt' Overflow
This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "Iran's Oil and Nuclear...
Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing an MP4 file, specifically the Sequence Parameter Set, Flash will check whether pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in...
LotusCMS 3.0 eval() Remote Command Execution
This module exploits a vulnerability found in Lotus CMS 3.0's Router function. This is done by embedding PHP code in the 'page' parameter, which will be passed to an eval call, therefore allowing remote code execution. The module can either automatically pick up a 'page' parameter from the default...
Squid Proxy Port Scanner
An exposed Squid proxy will usually allow an attacker to make requests on their behalf. If misconfigured, this may give the attacker information about devices that they cannot normally reach. For example, an attacker may be able to make requests for internal IP addresses against an open Squid prox...
Sysax 5.53 SSH Username Buffer Overflow
This module exploits a vulnerability found in Sysax's SSH service. By supplying a long username, the SSH server will copy that data on the stack without proper bounds checking, therefore allowing remote code execution under the context of the user. Please note that previous versions before 5.53 a...
Apple Filing Protocol Info Enumerator
This module fetches AFP server information, including server name, network address, supported AFP versions, signature, machine type, and server flags. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
HTTP Blind SQL Injection Scanner
This module identifies the existence of blind SQL injection issues in GET/POST query parameter values. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Blind SQL Injection Scanner',...
DJ Studio Pro 5.1 .pls Stack Buffer Overflow
This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2. When handling a .pls file, DJ Studio will copy the user-supplied data on the stack without any proper bounds checking done beforehand, therefore allowing code execution under the context of the user. This module requir...
VLC Media Player RealText Subtitle Overflow
This module exploits a stack buffer overflow vulnerability in VideoLAN VLC. Credits: 'Tobias Klein' (vulnerability discovery), 'SkD' (exploit), 'ju...
IBM Personal Communications iSeries Access WorkStation 5.9 Profile
The IBM Personal Communications I-Series application WorkStation is susceptible to a stack-based buffer overflow vulnerability within file parsing in which data copied to a location in memory exceeds the size of the reserved destination area. The buffer is located on the runtime program stack. Wh...
ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow
This module exploits a vulnerability found in ASUS Net4Switch's ipswcom.dll ActiveX control. A buffer overflow condition is possible in multiple places due to the use of the CxDbgPrint function, which allows remote attackers to gain arbitrary code execution under the context of the user. This...
MongoDB Login Utility
This module attempts to brute force authentication credentials for MongoDB. Note that, by default, MongoDB does not require authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mongo...
HP Data Protector 6 EXEC_CMD Remote Code Execution
This exploit abuses a vulnerability in the HP Data Protector service. This flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD command and traverse back to /bin/sh, which allows arbitrary remote code execution under the context of root. This module requires Metasploit:...
Lantronix Telnet Service Banner Detection
Detect Lantronix telnet services. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Lantronix Telnet Service Banner Detection', 'Description' = 'Detect Lantronix telnet services', 'Author' =...
Sun Java Web Start Plugin Command Line Argument Injection
This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the...
TrendMicro Control Manager CmdProcessor.exe Stack Buffer Overflow
This module exploits a vulnerability in the CmdProcessor.exe component of Trend Micro Control Manager up to version 5.5. The specific flaw exists within the CmdProcessor.exe service running on TCP port 20101. The vulnerable function is the CGenericScheduler::AddTask function of...
Orbit Downloader URL Unicode Conversion Overflow
This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL ASCII string to Unicode in an insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit...
Capture: HTTP JavaScript Keylogger
This module runs a web server that demonstrates keystroke logging through JavaScript. The DEMO option can be set to enable a page that demonstrates this technique. Future improvements will allow for a configurable template to be used with this module. To use this module with an existing web page...
MS12-004 midiOutPlayNextPolyEvent Heap Overflow
This module exploits a heap overflow vulnerability in the Windows Multimedia Library winmm.dll. The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a speciall...
DB2 Authentication Brute Force Utility
This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework requi...
Microsoft SQL Server Payload Execution
This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method present...
VNC Authentication Scanner
This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol versions 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method. This module requires Metasploit: https://metasploit.com/download Current source:...
Microsoft IIS HTTP Internal IP Disclosure
Collect any leaked internal IPs by requesting commonly redirected locations from IIS. CVE-2000-0649 references IIS 5.1 win2k, XP and older. However, in newer servers such as IIS 7+, this occurs when the alternateHostName is not set or misconfigured. Also collects internal IPs leaked from the...
VMWare Authentication Daemon Version Scanner
This module will identify information about a host through the vmauthd service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VMWare Authentication Daemon Version Scanner', 'Description' = %q...
Windows Escalate SMB Icon LNK Dropper
This module drops a shortcut LNK file that has an ICON reference existing on the specified remote host, causing SMB and WebDAV connections to be initiated from any user that views the shortcut. This module requires Metasploit: https://metasploit.com/download Current source:...
Horde 3.3.12 Backdoor Arbitrary PHP Code Execution
This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Horde...
VMWare Enumerate Permissions
This module will log into the Web API of VMWare and try to enumerate all the user/group permissions. Unlike enum_users, this lists only users and groups that specifically have permissions defined within the VMware product. This module requires Metasploit: https://metasploit.com/download Current source...
VMWare Tag Virtual Machine
This module will log into the Web API of VMWare and 'tag' a specified Virtual Machine. It does this by logging a user event with user-supplied text. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModul...
VMWare Enumerate User Accounts
This module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well. This module requires Metasploit: https://metasploit.com/download Current source:...
VMWare ESX/ESXi Fingerprint Scanner
This module accesses the web API interfaces for VMware ESX/ESXi servers and attempts to identify version information for that server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VMWare...
VMWare Terminate ESX Login Sessions
This module will log into the Web API of VMWare and try to terminate user login sessions as specified by the session keys. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VMWare Terminate ESX...
Java MixerSequencer Object GM_Song Structure Handling Vulnerability
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointe...
VMWare Enumerate Active Sessions
This module will log into the Web API of VMWare and try to enumerate all the login sessions. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VMWare Enumerate Active Sessions', 'Description' = %...