OP5 license.php Remote Command Execution
This module exploits an arbitrary root command execution vulnerability in the OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable. This module requires Metasploit: https://metasploit.com/download Current source:...
AIX Gather Dump Password Hashes
Post module to dump the password hashes for all users on an AIX system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'AIX Gather Dump Password Hashes', 'Description' = %q Post Module to dump t...
Windows Gather File and Registry Artifacts Enumeration
This module will check the file system and registry for particular artifacts. The list of artifacts is read in YAML format from data/post/enumartifactslist.txt or a user specified file. Any matches are written to the loot. This module requires Metasploit: https://metasploit.com/download Current...
Sybase Easerver 6.3 Directory Traversal
This module exploits a directory traversal vulnerability found in Sybase EAserver's Jetty webserver on port 8000. Code execution seems unlikely with EAserver's default configuration unless the web server allows WRITE permission. This module requires Metasploit: https://metasploit.com/download...
XAMPP WebDAV PHP Upload
This module exploits weak WebDAV passwords on XAMPP servers. It uses supplied credentials to upload a PHP payload and execute it. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'XAMPP WebDAV PH...
MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
This bug is triggered when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window' JavaScript function. This exploit results in a call to an address lower than the heap. The JavaScript prompt places our shellcode near where the call operand points...
Adobe Reader U3D Memory Corruption Vulnerability
This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A hea...
Windows Manage Get Shadow Copy Storage Info
This module will attempt to get volume shadow copy storage info. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later...
Windows Manage List Shadow Copies
This module will attempt to list any Volume Shadow Copies on the system. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later...
Windows Manage Create Shadow Copy
This module will attempt to create a new volume shadow copy. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later...
Windows Manage Set Shadow Copy Storage Space
This module will attempt to change the amount of space for volume shadow copy storage. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later...
Windows Manage Mount Shadow Copy
This module will attempt to mount a Volume Shadow Copy on the system. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. Works on win2k3 and later...
CoCSoft StreamDown 6.8.0 Buffer Overflow
Stream Down 6.8.0 SEH-based buffer overflow triggered when processing the server response packet. During the overflow a structured exception handler is overwritten. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework clas...
CorpWatch Company Name Information Search
This module interfaces with the CorpWatch API to get publicly available info for a given company name. Please note that by using CorpWatch API, you acknowledge the limitations of the data CorpWatch provides, and should always verify the information with the official SEC filings before taking any...
CorpWatch Company ID Information Search
This module interfaces with the CorpWatch API to get publicly available info for a given CorpWatch ID of the company. If you don't know the CorpWatch ID, please use the corpwatchlookupname module first. This module requires Metasploit: https://metasploit.com/download Current source:...
Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
This module exploits a buffer overflow in the encryption option handler of the Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions use NetKit-derived telnet daemons, so this flaw only applies to a small subset of Linux systems running telnetd...
FreeBSD Telnet Service Encryption Key ID Buffer Overflow
This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'FreeBSD Telnet Servic...
Telnet Service Encryption Key ID Overflow Detection
Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Telnet Service Encryption Key ID Overflow Detection',...
Plone and Zope XMLTools Remote Command Execution
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p class in OFS/misc.py and the use of Python modules. This module requires Metasploit:...
OpenTFTP SP 1.4 Error Packet Overflow
This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable condition triggers when the TFTP opcode is configured as an error packet; the TFTP service then formats the message using a sprintf function, which causes an overflow, therefore allowing remote code execution und...
Oracle Job Scheduler Named Pipe Command Execution
This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented via the component extjob.exe, which listens on a named pipe called "orcljsex" and executes arbitrary commands received over this channel via CreateProcess. In order to connect to the Named...
Splunk Search Remote Code Execution
This module abuses a command execution vulnerability in the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the 'mappy' search command which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default,...
TFTP File Transfer Utility
This module will transfer a file to or from a remote TFTP server. Note that the target must be able to connect back to the Metasploit system, and NAT traversal for TFTP is often unsupported. Two actions are supported: "Upload" and "Download," which behave as one might expect -- use 'set action...
OKI Printer Default Login Credential Scanner
This module scans for OKI printers via SNMP, then tries to connect to found devices with vendor default administrator credentials via HTTP authentication. By default, OKI network printers use the last six digits of the MAC as admin password. This module requires Metasploit:...
CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure
This module sends a query to the port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and management station such as SmartCenter name via a pre-authentication request. The string returned is the CheckPoint Internal CA CN for SmartCenter and the firewall host. Whilst...
Novell eDirectory eMBox Unauthenticated File Access
This module will access Novell eDirectory's eMBox service and can run the following actions via the SOAP interface: GETDN, READLOGS, LISTSERVICES, STOPSERVICE, STARTSERVICE, SETLOGFILE. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Gather RazorSQL Credentials
This module stores username, password, type, host, port, database and name collected from profiles.txt of RazorSQL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'openssl' class MetasploitModule 'Windows...
Unix Command Shell, Bind TCP (via perl) IPv6
Listen for a connection and spawn a command shell via perl This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 152 include Msf::Payload::Single include Msf::Sessions::CommandShellOptio...
Unix Command Shell, Bind TCP (via Ruby) IPv6
Continually listen for a connection and spawn a command shell via Ruby This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 142 include Msf::Payload::Single include...
Windows Command Shell, Bind TCP (via perl) IPv6
Listen for a connection and spawn a command shell via perl persistent This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 140 include Msf::Payload::Single include...
Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4. This module requires Metasploit:...
PmWiki pagelist.php Remote PHP Code Injection Exploit
This module exploits an arbitrary command execution vulnerability in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is inside /scripts/pagelist.php. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Traq admincp/common.php Remote Code Execution
This module exploits an arbitrary command execution vulnerability in Traq 2.0 to 2.3. It's in the admincp/common.php script. This function is called in each script located in the /admincp/ directory to make sure the user has admin rights. This is a broken authorization schema because the header...
SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow
This module exploits a remote stack buffer overflow vulnerability in 3S-Smart Software Solutions product CoDeSys Scada Web Server Version 1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and earlier. This module requires Metasploit: https://metasploit.com/download Current source:...
Yaws Web Server Directory Traversal
This module exploits a directory traversal bug in Yaws v1.9.1 or less. The module can only be used to retrieve files. However, code execution might be possible, because when the malicious user sends a PUT request, a file is actually created, except no content is written. This module requires...
Family Connections less.php Remote Command Execution
This module exploits an arbitrary command execution vulnerability in Family Connections 2.7.1. It's in the dev/less.php script and is due to an insecure use of system(). Authentication isn't required to exploit the vulnerability, but register_globals must be set to On. This module requires Metasploit...
Ability Server 2.34 STOR Command Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Ability Server 2.34. Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands, which leads to a stack based buffer overflow. This plugin uses the 'STOR' command. The vulnerability has been confirmed on version 2.34 and...
DNS and DNSSEC Fuzzer
This module will connect to a DNS server and perform DNS and DNSSEC protocol-level fuzzing. Note that this module may inadvertently crash the target server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require...
Linux Command Shell, Reverse TCP Inline
Connect to target and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 208 include Msf::Payload::Single include Msf::Payload::Linux::Armle::Prepends include...
Shodan Search
This module uses the Shodan API to search Shodan. Accounts are free and an API key is required to use this module. Output from the module is displayed to the screen and can be saved to a file or the MSF database. NOTE: SHODAN filters (e.g. port, hostname, os, geo, city) can be used in queries, but...
Windows Gather Privileges Enumeration
This module will print if UAC is enabled, and if the current account is ADMIN enabled. It will also print UID, foreground SESSION ID, is SYSTEM status and current process PRIVILEGES. This module requires Metasploit: https://metasploit.com/download Current source:...
IpSwitch WhatsUp Gold TFTP Directory Traversal
This module exploits a directory traversal vulnerability in IpSwitch WhatsUp Gold's TFTP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "IpSwitch WhatsUp Gold TFTP Directory Traversal...
CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow
This module exploits a stack-based buffer overflow in CCMPlayer 1.5. When opening an m3u playlist with a long track name, a SEH exception record can be overwritten with parts of the controllable buffer. SEH execution is triggered after an invalid read of an injectable address, thus allowing arbitrary...
Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow
This module exploits a stack buffer overflow in the process AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer 5.5 Editing Suite. This daemon sometimes starts on a different port; if you start it standalone it will run on port 4660. This module requires Metasploit:...
H.323 Version Scanner
Detect H.323 Version. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'H.323 Version Scanner', 'Description' = 'Detect H.323 Version.', 'Author' = 'hdm', 'License' = MSFLICENSE registeroptions...
Serv-U FTP Server Buffer Overflow
This module exploits a stack buffer overflow in the site chmod command in versions of Serv-U FTP Server prior to 4.2. You must have valid credentials to trigger this vulnerability. Exploitation also leaves the service in a non-functional state. This module requires Metasploit:...
Java Applet Rhino Script Engine Remote Code Execution
This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java for example: IE, Firefox,...
CTEK SkyRouter 4200 and 4300 Command Execution
This module exploits an unauthenticated remote root exploit within ctek SkyRouter 4200 and 4300. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CTEK SkyRouter 4200 and 4300 Command Execution',...
John the Ripper Oracle Password Cracker (Fast Mode)
This module uses John the Ripper to identify weak passwords that have been acquired from the oraclehashdump module. Passwords that have been successfully cracked are then saved as proper credentials...
Microsoft IIS FTP Server LIST Stack Exhaustion
This module triggers a denial of service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a LIST (ls -R) command containing a wildcard. For this exploit to work in most cases, you need (1) a valid FTP account, either a read-only or a write-access account, and (2) the "FT...