6841 matches found
Windows Gather Process Memory Grep
This module allows for searching the memory space of a process for potentially sensitive data. Please note: When the HEAP option is enabled, the module will have to migrate to the process you are grepping, and will not migrate back automatically. This means that if the user terminates the...
Java Meterpreter, Java Reverse HTTP Stager
Run a meterpreter server in Java. Tunnel communication over HTTP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Iconics GENESIS32 Integer Overflow Version 9.21.201.01
The GenBroker service on port 38080 is affected by three integer overflow vulnerabilities while handling opcode 0x4b0, which is caused by abusing the memory allocations needed for the number of elements passed by the client. This results in unexpected behaviors such as direct registry calls,...
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially crafted OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works against a specific build, i.e. NNM...
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...
MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution
This module will execute an arbitrary payload on a Microsoft IIS installation that is vulnerable to the CGI double-decode vulnerability of 2001. This module has been tested successfully on: Windows 2000 Professional SP0 EN; Windows 2000 Professional SP1 AR; Windows 2000 Professional SP1 CZ; Windo...
Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability
This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x. Browser autopwn metadata: client Firefox, minimum version 3.5, maximum version 3.6.16, Windows only, JavaScript required, rank Normal; the vulnerability test checks the user agent for Windows NT 5.1 ||...
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
This module exploits a stack buffer overflow in the process bcaaa-130.exe (port 16102), which comes as part of the Blue Coat Authentication proxy. Please note that by default, this exploit will attempt up to three times in order to successfully gain remote code execution; in some cases, it takes as many...
2Wire Cross-Site Request Forgery Password Reset Vulnerability
This module will reset the admin password on a 2Wire wireless router. This is done by using the /xslt page, where authentication is not required, thus allowing configuration changes such as resetting the admin password. This module requires Metasploit: https://metasploit.com/download...
Kaillera 0.86 Server Denial of Service
The Kaillera 0.86 server can be shut down by sending any malformed packet after the initial "hello" packet. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
OS X Gather Mac OS X System Information Enumeration
This module gathers basic system information from Mac OS X Tiger (10.4) through Mojave (10.14). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based buffer overflow occurs when the content of a .mppl file gets copied onto the stack, which overwrites the lpFileName parameter of a CreateFileA function and results in arbitrary code execution under the context of the use...
VSFTPD v2.3.4 Backdoor Command Execution
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011. This...
HP OmniInet.exe Opcode 20 Buffer Overflow
This module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is being written on the stack where no proper bounds checking is done beforehand, which results...
HP OmniInet.exe Opcode 27 Buffer Overflow
This module exploits a buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code. This module requires Metasploit: https://metasploit.com/download Current source:...
Custom Payload
Use a custom string or file as the payload. Set either PAYLOADFILE or PAYLOADSTR. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
Inject a VNC DLL via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows wininet). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6. By sending a specially crafted packet to the Provisioning Services server, a fixed length buffer on the stack can be overflowed and arbitrary code can be executed. This module requires Metasploit:...
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory...
Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
This module exploits a stack based overflow vulnerability in the handling of the DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the...
Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
This module exploits a vulnerability found in Siemens FactoryLink 8. When CSService.exe processes a CSMSGListFilesREQ message, the user-supplied path is first converted to ANSI format (CodePage 0) and then handled by a logging routine where proper bounds checking is...
Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)
This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when parsing a malformed, specially crafted LZH file. This vulnerability was discovered by binaryhouse.net. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
RealWin SCADA Server DATAC Login Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.1 Build 6.0.10.10 or earlier. By sending a specially crafted OnFCCONNECTFCSLOGIN packet containing a long username, an attacker may be able to execute arbitrary code. This module requires Metasploit...
Sielco Sistemi Winlog Buffer Overflow
This module exploits a buffer overflow in Sielco Sistemi Winlog. Authors: Luigi Auriemma, MC. References: CVE-2011-0517, OSVDB 70418, URL...
Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2, and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to execute arbitrary code due to the improper use of a vsprintf function while processing the user-supplied text field. Originally found and post...
Windows Gather Bitcoin Wallet
This module downloads any Bitcoin wallet files from the target system. It currently supports both the classic Satoshi wallet and the more recent Armory wallets. Note that Satoshi wallets tend to be unencrypted by default, while Armory wallets tend to be encrypted by default. This module requires...
Black Ice Cover Page ActiveX Control Arbitrary File Download
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "DownloadImageFileURL" method in the Black Ice ActiveX control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the payload to the remote machine, and then uploa...
Windows Manage Enable Remote Desktop
This module enables the Remote Desktop Service (RDP). It provides the options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users groups. It can also forward the target's port 3389/tcp. This module requires Metasploit:...
DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow
This module exploits a vulnerability found in DATAC Control International RealWin SCADA Server 2.1 and below. By supplying a specially crafted OnFCBINFILEFCSFILE packet via port 910, RealWin will try to create a file which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename by...
MS11-050 IE mshtml!CObjectElement Use After Free
This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs when an invalid tag exists and other elements overlap/cover where the object tag should be when rendered due to their styles/positioning. The mshtml!CObjectElement is then freed from memory because ...
Solaris Gather Virtual Environment Detection
This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Solaris Zone, VMWare, VirtualBox, Xen, and QEMU/KVM. This module requires Metasploit: https://metasploit.com/download Current source:...
IBM Tivoli Endpoint Manager POST Query Buffer Overflow
This module exploits a stack based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service lcfd.exe listening on TCP port 9495. To trigge...
Windows Executable Download and Evaluate VBS
Downloads a file from an HTTPS URL and executes it as a VBS script. Use it to stage a VBS-encoded payload from a short command line. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Linux Gather Dump Password Hashes for Linux Systems
Post module to dump the password hashes for all users on a Linux system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Solaris Gather Configured Services
Post module to enumerate services on a Solaris system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Solaris Gather Installed Packages
Post module to enumerate installed packages on a Solaris system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Solaris Gather Dump Password Hashes for Solaris Systems
Post module to dump the password hashes for all users on a Solaris system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow
This module exploits a vulnerability found in 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report, which results in arbitrary code execution under th...
Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries...
GoldenFTP PASS Stack Buffer Overflow
This module exploits a vulnerability in the Golden FTP service, using the PASS command to cause a buffer overflow. Please note that in order to trigger the vulnerable code, the victim machine must have the "Show new connections" setting enabled. By default, this option is unchecked. This module...
7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
This module exploits multiple vulnerabilities found in IGSS 9's Data Server and Data Collector services. The initial approach is to first transfer our binary with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which...
Windows LoadLibrary Path
Load an arbitrary library path. Executes a command on the target machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Rosewill RXS-3211 IP Camera Password Retriever
This module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP cameras, such as Edimax, Hawking, Zonet, etc., are also believed to have the same flaw...
AWStats Totals multisort Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the AWStats Totals PHP script. AWStats Totals versions v1.0 - v1.14 are vulnerable. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
VisiWave VWR File Parsing Vulnerability
This module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if...
Magix Musik Maker 16 .mmm Stack Buffer Overflow
This module exploits a stack buffer overflow in Magix Musik Maker 16. When opening a specially crafted arrangement file (.mmm) in the application, an unsafe strcpy will allow you to overwrite a SEH handler. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. An egghunter is used, and...
Linux Mettle x64, Bind TCP Stager
Inject the mettle server payload (staged). Listen for a connection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...