Linux Command Shell, Reverse TCP Stager
Spawn a command shell (staged). Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Linux Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell.
Linux Command Shell, Bind TCP Stager
Spawn a command shell (staged). Listen for a connection.
Linux Mettle x64, Reverse TCP Stager
Inject the mettle server payload (staged). Connect back to the attacker.
Linux Command Shell, Reverse TCP Inline
Connect back to the attacker and spawn a command shell.
Linux Execute Command
Execute an arbitrary command or just a /bin/sh shell.
7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow...
ICONICS WebHMI ActiveX Buffer Overflow
This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control. By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll fails to do any proper bounds checking before this input is copied onto the stack, which causes a buffer overflow, and results...
SPlayer 3.7 Content-Type Buffer Overflow
This module exploits a vulnerability in SPlayer v3.7 or prior. When SPlayer requests the URL of a media file (video or audio), arbitrary remote code execution is possible due to a buffer overflow caused by an overly long 'Content-Type' header value.
VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow
This module exploits an input validation error in libmodplug as included with VideoLAN VLC 1.1.8. All versions prior to 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable,...
MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free
This module exploits a memory corruption vulnerability within Microsoft's HTML engine mshtml. When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the...
OpenSSL DTLS ChangeCipherSpec Remote DoS
This module performs a denial-of-service attack against Datagram TLS in OpenSSL version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a ChangeCipherSpec record before a ClientHello.
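The condition above is a handshake-ordering failure: a ChangeCipherSpec record was acted on before any ClientHello had set up the state it needs. The following is an added example, not OpenSSL's or Metasploit's code, showing how a DTLS receiver should handle it: records are parsed with full length checks, then run through a small handshake state gate that refuses a ChangeCipherSpec until a ClientHello and ClientKeyExchange have been seen. The record and handshake header layouts follow RFC 4347; the three-state gate, the helper names and the sample records are this example's own assumptions.

```ruby
# Added example: not OpenSSL's or Metasploit's code. Parses DTLS records and runs
# them through a handshake state gate so that a ChangeCipherSpec arriving before
# a ClientHello is refused rather than processed. Header layouts follow RFC 4347;
# the sample records at the bottom are constructed for this example.

DTLS_1_0               = 0xfeff
CT_CHANGE_CIPHER_SPEC  = 20
CT_HANDSHAKE           = 22
HS_CLIENT_HELLO        = 1
HS_CLIENT_KEY_EXCHANGE = 16
RECORD_HDR_LEN = 13  # type(1) version(2) epoch(2) sequence(6) length(2)
HS_HDR_LEN     = 12  # msg_type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)

# Split a datagram into records. Truncated or overlong records raise instead
# of yielding a short body that later code would read past.
def parse_dtls_records(datagram)
  data = datagram.b
  records = []
  off = 0
  while off < data.bytesize
    raise ArgumentError, "truncated record header at offset #{off}" if data.bytesize - off < RECORD_HDR_LEN
    ctype, version, epoch, seq_hi, seq_lo, len = data.byteslice(off, RECORD_HDR_LEN).unpack('CnnnNn')
    raise ArgumentError, "record at offset #{off} claims #{len} bytes past the datagram" if data.bytesize - off - RECORD_HDR_LEN < len
    records << { type: ctype, version: version, epoch: epoch,
                 seq: (seq_hi << 32) | seq_lo,
                 body: data.byteslice(off + RECORD_HDR_LEN, len) }
    off += RECORD_HDR_LEN + len
  end
  records
end

# Server-side gate over the handshake phases. A CCS is only meaningful once a
# ClientKeyExchange has produced keys to switch to; anywhere earlier it is refused.
class DtlsHandshakeGate
  attr_reader :state

  def initialize
    @state = :expect_client_hello
  end

  # Returns :accepted or :rejected for one record and advances the state.
  def feed(rec)
    case @state
    when :expect_client_hello
      return :rejected unless rec[:type] == CT_HANDSHAKE && handshake_type(rec[:body]) == HS_CLIENT_HELLO
      @state = :key_exchange
    when :key_exchange
      return :rejected unless rec[:type] == CT_HANDSHAKE
      hs = handshake_type(rec[:body])
      return :rejected if hs.nil?
      @state = :expect_ccs if hs == HS_CLIENT_KEY_EXCHANGE
    when :expect_ccs
      return :rejected unless rec[:type] == CT_CHANGE_CIPHER_SPEC && rec[:body] == "\x01".b
      @state = :established
    else
      return :rejected if rec[:type] == CT_CHANGE_CIPHER_SPEC # renegotiation not modelled
    end
    :accepted
  end

  private

  def handshake_type(body)
    return nil if body.bytesize < HS_HDR_LEN
    body.getbyte(0)
  end
end

# Run one datagram through a fresh gate; returns one verdict per record.
def classify_dtls_datagram(datagram)
  gate = DtlsHandshakeGate.new
  parse_dtls_records(datagram).map { |rec| gate.feed(rec) }
end

# Builders for constructed sample records.
def dtls_record(ctype, body, epoch: 0, seq: 0)
  [ctype, DTLS_1_0, epoch, (seq >> 32) & 0xffff, seq & 0xffffffff, body.bytesize].pack('CnnnNn') + body.b
end

def handshake_body(msg_type, payload = ''.b)
  len = payload.bytesize
  # length and fragment_length are 24-bit fields: high byte, then 16-bit remainder
  [msg_type, len >> 16, len & 0xffff, 0, 0, 0, len >> 16, len & 0xffff].pack('CCnnCnCn') + payload.b
end

# The trigger this page describes: a CCS record with no ClientHello before it.
CCS_BEFORE_HELLO = dtls_record(CT_CHANGE_CIPHER_SPEC, "\x01".b)

if __FILE__ == $PROGRAM_NAME
  p classify_dtls_datagram(CCS_BEFORE_HELLO)  # [:rejected]
end
```

The gate is deliberately strict: a ChangeCipherSpec is rejected in every state except the one immediately after ClientKeyExchange, and a handshake record too short to carry a handshake header is rejected as well, so no later code sees a record whose preconditions have not been met.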
UDP Service Sweeper
Detect interesting UDP services. Author: hdm.
MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow
This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a and QuickPlayer 2010 (multi-target exploit). When opening a malicious .s3m file in one of these two applications, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP &...
MJM Core Player 2011 .s3m Stack Buffer Overflow
This module exploits a stack buffer overflow in MJM Core Player 2011. When opening a malicious .s3m file in this application, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow
This module exploits a vulnerability found in Subtitle Processor 7. By supplying a long string of data as a .m3u file, Subtitle Processor first converts this input to Unicode, which expands the string size, and then attempts to copy it inline on the stack. This results in a buffer overflow with SEH...
Multi Gather Pidgin Instant Messenger Credential Collection
This module will collect credentials from the Pidgin IM client if it is installed.
eZip Wizard 3.0 Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version 3.0 of ediSys Corp.'s eZip Wizard. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with eZip Wizard and access the specially crafted file by double-clicking it. By...
Windows Gather Apple iOS MobileSync Backup File Collection
This module will collect sensitive files from any on-disk iOS device backups.
Pcap Replay Utility
Replay a pcap capture file. Author: amaloteaux.
Spreecommerce Arbitrary Command Execution
This module exploits an arbitrary command execution vulnerability in the Spreecommerce API searchlogic for versions 0.50.0 and earlier. Unvalidated input is passed to the Ruby send method, allowing command execution.
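The bug class behind this entry is worth seeing in code: Ruby's Object#send ignores method visibility, so a request parameter used as the method name can reach private methods, Kernel methods such as system and eval, and object internals. Below is an added example, not Spree's or Metasploit's code, with the vulnerable dispatch beside an allowlist fix. ProductScope, its name_like, price_gte and purge! methods, the search_unsafe and search_safe functions and the catalog data are hypothetical stand-ins for the searchlogic-style scopes the description refers to.

```ruby
# Added example: not Spree's or Metasploit's code. Shows the bug class behind this
# module, an attacker-chosen method name reaching Object#send, beside an
# allowlist fix. ProductScope, its methods and the catalog are hypothetical
# stand-ins for the searchlogic-style scopes the description refers to.

class ProductScope
  attr_reader :products

  def initialize(products)
    @products = products
  end

  # The two search conditions a request is meant to reach.
  def name_like(term)
    ProductScope.new(@products.select { |p| p[:name].downcase.include?(term.to_s.downcase) })
  end

  def price_gte(min)
    ProductScope.new(@products.select { |p| p[:price] >= min.to_f })
  end

  private

  # Not a search condition, but send ignores visibility and reaches it anyway.
  def purge!(_unused = nil)
    @products.clear
    self
  end
end

# Vulnerable dispatch: the condition name comes straight from the request.
# Object#send also reaches private Kernel methods, so the same call shape
# covers system, eval and friends once the attacker controls both arguments.
def search_unsafe(scope, condition, value)
  scope.send(condition, value)
end

SEARCH_CONDITIONS = %w[name_like price_gte].freeze

# Hardened dispatch: exact-match allowlist first, then public_send so that a
# private helper stays unreachable even if the allowlist is later widened.
def search_safe(scope, condition, value)
  name = condition.to_s
  raise ArgumentError, "unknown search condition: #{name.inspect}" unless SEARCH_CONDITIONS.include?(name)
  scope.public_send(name, value)
end

# Constructed catalog; each call gets a fresh copy so purge! is observable.
CATALOG = [
  { name: 'Spree Bag', price: 22.99 },
  { name: 'Spree Mug', price: 13.99 },
  { name: 'Ruby Baseball Jersey', price: 19.99 },
].freeze

def demo_catalog
  ProductScope.new(CATALOG.map(&:dup))
end

if __FILE__ == $PROGRAM_NAME
  p search_safe(demo_catalog, 'name_like', 'spree').products.map { |x| x[:name] }
  p search_unsafe(demo_catalog, 'purge!', nil).products                        # private method reached
  p search_unsafe(demo_catalog, 'instance_variable_get', '@products').length  # internals read out
end
```

The allowlist is the real fix; public_send on its own is not enough, because public methods such as instance_variable_get and the attribute readers are still reachable by name, and a later refactor can make any helper public.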
Wireshark packet-dect.c Stack Buffer Overflow
This module exploits a stack buffer overflow in Wireshark's packet-dect.c dissector. Authors: Paul Makowski (initial discovery), sickness (proof of concept), corelanc0d3r (ROP explo...
Wireshark packet-dect.c Stack Buffer Overflow (local)
This module exploits a stack buffer overflow in Wireshark's packet-dect.c dissector (local variant). Authors: Paul Makowski (initial discovery), sickness (proof of concept), corelanc0d3r (ROP...
Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
This module exploits a vulnerability in Adobe Flash Player that was discovered, and has been exploited actively in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory, and result...
VeryTools Video Spirit Pro
This module exploits a stack buffer overflow in VeryTools Video Spirit Pro. Authors: Acidgen (found the vulnerability), corelanc0d3r (ROP exploit + MSF module). References: CVE...
ISC DHCP Zero Length ClientID Denial of Service Module
This module performs a denial-of-service attack against the ISC DHCP server, versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends a DHCPREQUEST message with a zero-length client-id option for an IP address in the range served by the DHCP server. When the ISC DHCP server tries to hash...
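The trigger is an option whose length field is legal for the TLV encoding but below the minimum the option's definition requires. The following is an added example, not ISC's or Metasploit's code: a DHCP options parser that checks both the TLV framing and the RFC 2132 minimum lengths, so a zero-length client-identifier (option 61) is rejected before the request handler ever looks up or hashes it. The constants, the DhcpOptionError class, check_dhcp_request and the two DHCPREQUEST option blobs are this example's own constructions.

```ruby
# Added example: not ISC's or Metasploit's code. A DHCP options parser that
# validates every option length, including the RFC 2132 minimum for the
# client-identifier option (61), before any value reaches the request handler.
# The DHCPREQUEST option blobs at the bottom are constructed for this example.

DHCP_MAGIC_COOKIE = [0x63, 0x82, 0x53, 0x63].pack('C4')
OPT_PAD          = 0
OPT_REQUESTED_IP = 50
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID    = 61
OPT_END          = 255
DHCPREQUEST      = 3

# Minimum lengths from RFC 2132 for the options this check cares about.
MIN_OPTION_LENGTH = {
  OPT_REQUESTED_IP => 4,
  OPT_MESSAGE_TYPE => 1,
  OPT_CLIENT_ID    => 2, # hardware-type byte plus at least one identifier byte
}.freeze

class DhcpOptionError < StandardError; end

# Parse the options field (magic cookie onward) into {code => value}.
# Repeated codes are concatenated as RFC 3396 specifies; every structural
# problem raises rather than handing a bad value to the caller.
def parse_dhcp_options(field)
  data = field.b
  raise DhcpOptionError, 'missing magic cookie' unless data.byteslice(0, 4) == DHCP_MAGIC_COOKIE
  options = {}
  off = 4
  while off < data.bytesize
    code = data.getbyte(off)
    off += 1
    next if code == OPT_PAD
    break if code == OPT_END
    raise DhcpOptionError, "option #{code} has no length byte" if off >= data.bytesize
    len = data.getbyte(off)
    off += 1
    raise DhcpOptionError, "option #{code} length #{len} overruns the field" if off + len > data.bytesize
    options[code] = (options[code] || ''.b) + data.byteslice(off, len)
    off += len
  end
  MIN_OPTION_LENGTH.each do |code, min|
    next unless options.key?(code)
    got = options[code].bytesize
    raise DhcpOptionError, "option #{code} length #{got} is below the minimum of #{min}" if got < min
  end
  options
end

# What a hardened handler does before the client-id is hashed or compared.
def check_dhcp_request(field)
  opts = parse_dhcp_options(field)
  return :not_a_request unless opts[OPT_MESSAGE_TYPE] == [DHCPREQUEST].pack('C')
  :ok
rescue DhcpOptionError => e
  [:rejected, e.message]
end

def dhcp_option(code, value)
  [code, value.bytesize].pack('CC') + value.b
end

# Constructed sample blobs: a well-formed DHCPREQUEST and the zero-length client-id variant.
NORMAL_REQUEST = DHCP_MAGIC_COOKIE +
  dhcp_option(OPT_MESSAGE_TYPE, [DHCPREQUEST].pack('C')) +
  dhcp_option(OPT_CLIENT_ID, [1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55].pack('C7')) +
  dhcp_option(OPT_REQUESTED_IP, [192, 0, 2, 50].pack('C4')) +
  [OPT_END].pack('C')

ZERO_CLIENT_ID_REQUEST = DHCP_MAGIC_COOKIE +
  dhcp_option(OPT_MESSAGE_TYPE, [DHCPREQUEST].pack('C')) +
  dhcp_option(OPT_CLIENT_ID, ''.b) +
  dhcp_option(OPT_REQUESTED_IP, [192, 0, 2, 50].pack('C4')) +
  [OPT_END].pack('C')

if __FILE__ == $PROGRAM_NAME
  p check_dhcp_request(NORMAL_REQUEST)          # :ok
  p check_dhcp_request(ZERO_CLIENT_ID_REQUEST)  # [:rejected, "option 61 length 0 is below the minimum of 2"]
end
```

The minimum-length table is applied after concatenation so that a client-id legitimately split across two option instances is not rejected, while an option that is empty in total still is; the TLV framing checks (missing length byte, length overrunning the field) catch the other ways a malformed options field reaches a handler.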
ContentKeeper Web Appliance mimencode File Access
This module abuses the 'mimencode' binary present within ContentKeeper Web filtering appliances to retrieve arbitrary files outside of the webroot.
AOL Desktop 9.6 RTX Buffer Overflow
This module exploits a vulnerability found in AOL Desktop 9.6's Tool\rich.rct component. By supplying a long string of data in the hyperlink tag, rich.rct copies this data into a buffer using a strcpy call, which causes an overflow and results in arbitrary code execution.
ManageEngine Applications Manager Authenticated Code Execution
This module logs into the ManageEngine Applications Manager to upload a payload to the file system and a batch script that executes the payload.
Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution
This module exploits a vulnerability in Real Networks Arcade Games' ActiveX control. The "exec" function found in InstallerDlg.dll v2.6.0.445 allows remote attackers to run arbitrary commands on the victim machine.
HP Data Protector Manager RDS DOS
This module causes a remote DoS of HP Data Protector's RDS service. By sending a malformed packet to port 1530, rm32.dll causes RDS to crash due to an enormous size being passed to malloc.
SonicWALL SSL-VPN Format String Vulnerability
There is a format string vulnerability within the SonicWALL SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory can be read or written to, depending on the format string used. There appears to be a length limit of 127 characters of format string data. With physical access to the devic...
Zend Server Java Bridge Arbitrary Java Code Execution
This module takes advantage of a trust relationship issue within the Zend Server Java Bridge. The Java Bridge is responsible for handling interactions between PHP and Java code within Zend Server. When Java code is encountered Zend Server communicates with the Java Bridge. The Java Bridge then...
IBM Lotus Domino iCalendar MAILTO Buffer Overflow
This module exploits a vulnerability found in IBM Lotus Domino iCalendar. By sending a long string of data as the "ORGANIZER;mailto" header, the "nRouter.exe" process crashes due to a Cstrcpy routine in nnotes.dll, which allows remote attackers to gain arbitrary code execution. Note: In order to...
Windows Gather Enumerate Domain Group
This module extracts user accounts from the specified domain group and stores the results in the loot. It will also verify whether the session account is in the group. Data is stored in loot in a format that is compatible with the tokenhunter plugin. This module must be run on a session running as a domai...
Zend Server Java Bridge Design Flaw Remote Code Execution
This module abuses a flaw in the Zend Java Bridge component of the Zend Server Framework. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. NOTE: This module has only been tested with the Win32 build of the software.
Solar FTP Server Malformed USER Denial of Service
This module will send a format string as USER to Solar FTP, causing a read access violation in the function "output1" found in "sfsservice.exe" while trying to calculate the length of the string. This vulnerability affects versions 2.1.1 and earlier.
Oracle iSQL*Plus Login Utility
This module attempts to authenticate against an Oracle iSQL*Plus administration web site using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. This module does not require a valid SID, but if one is defined, it will be used. Works against Oracle 9.2, 10.1 ...
Oracle iSQLPlus SID Check
This module attempts to brute-force the SID on the Oracle application server iSQL*Plus login pages. It does this by testing the Oracle error responses returned in the HTTP response: an incorrect username/password with a correct SID will produce an Oracle ORA-01017 error. Works against Oracle 9.2, 10.1 & 10.2...
Windows Manage Inject in Memory Multiple Payloads
This module injects a given payload into several processes, each connecting to one of a given list of IP addresses. The module works with a given list of IP addresses and process PIDs; if no PID is given, it will start the process given in the advanced options and inject the selected payload into t...
VLC AMV Dangling Pointer Vulnerability
This module exploits VLC media player when handling a .AMV file. By flipping byte 0x41 of the file (the video width/height field), VLC crashes due to an invalid pointer, which allows remote attackers to gain arbitrary code execution. The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC...
HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow
This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted Hostname parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.
HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow
This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.
HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow
This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.
HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow
This module exploits a buffer overflow in the schdParams parameter of NNM's nnmRptConfig.exe CGI. Similar to other NNM CGI bugs, the overflow occurs during an ov.sprintfnew call, which allows an attacker to overwrite data on the stack and gain arbitrary code execution.
PostgreSQL for Microsoft Windows Payload Execution
On default Microsoft Windows installations of PostgreSQL, the postgres service account may write to the current directory, which is usually "C:\Program Files\PostgreSQL\<version>\data", where <version> is the major.minor version of PostgreSQL. UDF DLLs may be sourced from there as well. This module uploads a Windows...
Xerox WorkCentre User Enumeration (SNMP)
This module enumerates users of Xerox WorkCentre devices present on the network. SNMP is used to extract the usernames.
HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01203. By making a specially crafted HTTP request to the "snmpviewer.exe" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within ...
HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is...
HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is...