SAP URL Scanner

This module scans for commonly found SAP Internet Communication Manager URLs and outputs return codes for the user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP URL Scanner', 'Descriptio...

HP Power Manager 'formExportDataLogs' Buffer Overflow

This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'. By creating a malformed request specifically for the fileName parameter, a stack-based buffer overflow occurs due to a long error message which contains the fileName, which may result in arbitrary remote code...

Multi Gather DNS Service Record Lookup Scan

Enumerates known SRV Records for a given domain using target host DNS query tool. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather DNS Service Record Lookup Scan', 'Description' = %...

Multi Gather DNS Forward Lookup Bruteforce

Brute force subdomains and hostnames via wordlist. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather DNS Forward Lookup Bruteforce', 'Description' = %q Brute force subdomains and...

Multi Manage System Remote TCP Shell Session

This module will create a Reverse TCP Shell on the target system using the system's own scripting environments installed on the target. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi...

Windows Gather Credential Store Enumeration and Decryption Module

This module will enumerate the Microsoft Credential Store and decrypt the credentials. This module can only access credentials created by the user the process is running as. It cannot decrypt Domain Network Passwords, but will display the username and location. This module requires Metasploit:...

Cross Platform Webkit File Dropper

This module exploits a XSLT vulnerability in Webkit to drop ASCII or UTF-8 files to the target file-system. By default, the file will be dropped in C:\Program Files\ This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework cla...

Apple Safari Webkit libxslt Arbitrary File Creation

This module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of a XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module has been...

Cisco Network Access Manager Directory Traversal Vulnerability

This module tests whether a directory traversal vulnerability is present in versions of Cisco Network Access Manager 4.8.x You may wish to change FILE e.g. passwd or hosts, MAXDIRS and RPORT depending on your environment. This module requires Metasploit: https://metasploit.com/download Current...

Oracle Password Hashdump

This module dumps the usernames and password hashes from Oracle given the proper Credentials and SID. These are then stored as creds for later cracking using auxiliary/analyze/jtroraclefast. This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c. This module requires Metasploit:...

Multi Gather OpenSSH PKI Credentials Collection

This module will collect the contents of all users' .ssh directories on the targeted machine. Additionally, knownhosts and authorizedkeys and any other files are also downloaded. This module is largely based on firefoxcreds.rb. This module requires Metasploit: https://metasploit.com/download...

HTTP Page Scraper

Scrape defined data from a specific web page based on a regular expression This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Page Scraper', 'Description' = 'Scrape defined data from a specif...

Apple Safari file:// Arbitrary Code Execution

This module exploits a vulnerability found in Apple Safari on OS X platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the...

Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability

This module exploits a stack-based buffer overflow vulnerability in version 7.5.1 86 of Real Networks Netzip Classic. In order for the command to be executed, an attacker must convince someone to load a specially crafted zip file with NetZip Classic. By doing so, an attacker can execute arbitrary...

Microsoft Windows Browser Pool DoS

This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an...

Mozilla Firefox Array.reduceRight() Integer Overflow

This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight method may cause an invalid index being used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time...

Cisco Gather Device General Information

This module collects a Cisco IOS or NXOS device information and configuration...

Multi Gather DNS Reverse Lookup Scan

Performs DNS reverse lookup using the OS included DNS query command. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather DNS Reverse Lookup Scan', 'Description' = %q Performs DNS rever...

Multi Gather Ping Sweep

Performs IPv4 ping sweep using the OS included ping command. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather Ping Sweep', 'Description' = %q Performs IPv4 ping sweep using the OS...

Windows Manage Memory Payload Injection Module

This module will inject into the memory of a process a specified windows payload. If a payload or process is not provided one will be created by default using a reverse x86 TCP Meterpreter Payload...

PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability

This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0. By setting a dword value for the SaveObject or LoadObject, an attacker can overwrite a function pointer and execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...

Windows Manage Process Migration

This module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process. This module requires Metasploit: https://metasploit.com/download Current source:...

Windows Gather FTP Navigator Saved Password Extraction

This module extracts saved passwords from the FTP Navigator FTP client. It will decode the saved passwords and store them in the database. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Window...

TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability

This module exploits a stack-based buffer overflow vulnerability in the latest version 3.5 of TugZip archiving utility. In order to trigger the vulnerability, an attacker must convince someone to load a specially crafted zip file with TugZip by double click or file open. By doing so, an attacker...

Windows Gather Meebo Password Extractor

This module extracts login account password stored by Meebo Notifier, a desktop version of Meebo's Online Messenger. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Meebo Passwor...

Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS

The Beckhoff TwinCAT version 'Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS', 'Description' = %q The Beckhoff TwinCAT version 'Luigi Auriemma', Public exploit 'jfa', Metasploit module , 'License' = MSFLICENSE, 'References' = 'CVE', '2011-3486' , 'OSVDB', '75495' , 'URL',...

Apache Reverse Proxy Bypass Vulnerability Scanner

Scan for poorly configured reverse proxy servers. By default, this module attempts to force the server to make a request with an invalid domain name. Then, if the bypass is successful, the server will look it up and of course fail, then responding with a status code 502. A baseline status code is...

Windows Gather DynDNS Client Password Extractor

This module extracts the username, password, and hosts for DynDNS version 4.1.8. This is done by downloading the config.dyndns file from the victim machine, and then automatically decode the password field. The original copy of the config file is also saved to disk. This module requires Metasploi...

ACDSee FotoSlate PLP File id Parameter Overflow

This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When viewing a malicious PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a buffer and execute arbitrary code. This exploit has been teste...

Snortreport nmap.php/nbtscan.php Remote Command Execution

This module exploits an arbitrary command execution vulnerability in nmap.php and nbtscan.php scripts. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Snortreport nmap.php/nbtscan.php Remote...

ScriptFTP LIST Remote Buffer Overflow

AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow vulnerability that is triggered when processing a sufficiently long filename during a FTP LIST command resulting in overwriting the exception handler. Social engineering of executing a specially crafted ftp file by double click...

myBB 1.6.4 Backdoor Arbitrary Command Execution

myBB is a popular open source PHP forum software. Version 1.6.4 contained an unauthorized backdoor, distributed as part of the vendor's source package. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

Windows Gather Internet Explorer User Data Enumeration

This module will collect history, cookies, and credentials from either HTTP auth passwords, or saved form passwords found in auto-complete in Internet Explorer. The ability to gather credentials is only supported for versions of IE =7, while history and cookies can be extracted for all versions...

Spreecommerce 0.60.1 Arbitrary Command Execution

This module exploits an arbitrary command execution vulnerability in the Spreecommerce search. Unvalidated input is called via the Ruby send method allowing command execution. This module requires Metasploit: https://metasploit.com/download Current source:...

Windows Manage Add User to the Domain and/or to a Domain Group

This module adds a user to the Domain and/or to a Domain group. It will check if sufficient privileges are present for certain actions and run getprivs for system. If you elevated privs to system, the SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to a process that is...

Windows Gather Enumerate Domain

This module identifies the primary Active Directory domain name and domain controller. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Enumerate Domain', 'Description' = %q This...

CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection

This module exploits a SQL injection flaw in CA Total Defense Suite R12. When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql statements into the ReportIDs element. This module requires...

Windows Gather Enumerate Domain Admin Tokens (Token Hunter)

This module enumerates Domain Admin account processes and delegation tokens. This module will first check if the session has sufficient privileges to replace process level tokens and adjust process quotas. The SeAssignPrimaryTokenPrivilege privilege will not be assigned if the session has been...

Windows Gather Screen Spy

This module will incrementally take desktop screenshots from the host. This allows for screen spying which can be useful to determine if there is an active user on a machine, or to record the screen for later data extraction. Note: As of March, 2014, the VIEWCMD option has been removed in favor o...

Apache Range Header DoS (Apache Killer)

The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service memory and CPU consumption via a Range header that expresses multiple overlapping ranges, exploit called "Apache Killer" This module requires...

TrendMicro Data Loss Prevention 5.5 Directory Traversal

This module tests whether a directory traversal vulnerability is present in Trend Micro DLP Data Loss Prevention Appliance v5.5 build 'TrendMicro Data Loss Prevention 5.5 Directory Traversal', 'Description' = %q This module tests whether a directory traversal vulnerability is present in Trend Mic...

eSignal and eSignal Pro File Parsing Buffer Overflow in QUO

The software is unable to handle the "" files even those original included in the program like those with the registered extensions QUO, SUM and POR. Successful exploitation of this vulnerability may take up to several seconds due to the use of egghunter. Also, DEP bypass is unlikely due to the...

HTTP Writable Path PUT/DELETE File Access

This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE. PUT is the default. If filename isn't specified, the module will generate a random string for you as a .txt file. If DELETE is used, a filename is...

DaqFactory HMI NETB Request Overflow

This module exploits a stack buffer overflow in Azeotech's DaqFactory product. The specific vulnerability is triggered when sending a specially crafted 'NETB' request to port 20034. Exploitation of this vulnerability may take a few seconds due to the use of egghunter. This vulnerability was one o...

Java Meterpreter, Java Reverse HTTPS Stager

Run a meterpreter server in Java. Tunnel communication over HTTPS This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Java...

RealNetworks Realplayer QCP Parsing Heap Overflow

This module exploits a heap overflow in Realplayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is allocated on the heap and user-supplied data from the file is copied within a memory copy loop. This allows a remote attacker to execute...

Measuresoft ScadaPro Remote Command Execution

This module allows remote attackers to execute arbitrary commands on the affected system by abusing via Directory Traversal attack when using the 'xf' command execute function. An attacker can execute system from msvcrt.dll to upload a backdoor and gain remote code execution. This vulnerability...

ScadaTEC ScadaPhone Stack Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in version 5.3.11.1230 of scadaTEC's ScadaPhone. In order for the command to be executed, an attacker must convince someone to load a specially crafted project zip file with ScadaPhone. By doing so, an attacker can execute arbitrary...

Windows Gather Run WMIC Commands

This module executes WMIC commands on the specified host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Run WMIC Commands', 'Description' = %q This module executes WMIC command...

Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow

This module exploits a vulnerability in the coreservice.exe component of Proycon Core Server "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow", 'Description' = %q This module exploits a vulnerability in the coreservice.exe component of Proycon Core Server MSF...