6843 matches found
HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is...
HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is...
HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is withi...
Adobe Flash Player AVM Bytecode Verification Vulnerability
This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used for the RSA attack ...
HP OpenView NNM nnmRptConfig nameParams Buffer Overflow
This module exploits a vulnerability in HP NNM's nnmRptConfig.exe. A remote user can send long string data to the nameParams parameter via a POST request, which causes an overflow on the stack when the function ov.sprintf_new is used, and gain arbitrary code execution.
HP OpenView Network Node Manager execvp_nc Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM01207 or NNM01206 without the SSRT100025 hotfix. By specifying a long 'sel' parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow...
HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function. The static-sized stack...
Multi Gather Run Console Resource File
This module will read console commands from a resource file and execute the commands in the specified Meterpreter session. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Multi Gather Run Shell Command Resource File
This module will read shell commands from a resource file and execute the commands in the specified Meterpreter or shell session.
Linux Add User
Create a new user with UID 0 by appending an entry to /etc/passwd.
Windows Gather USB Drive History
This module will enumerate USB Drive history on a target host.
Windows Gather Dump Recent Files lnk Info
The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script. This module will parse .lnk files from a user's Recent Documents folder and Microsoft Office's Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk...
Windows Gather ARP Scanner
This module will perform an ARP scan for a given IP range through a Meterpreter session.
RealNetworks RealPlayer CDDA URI Initialization Vulnerability
This module exploits an initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory is executed.
Sun Java Applet2ClassLoader Remote Code Execution
This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A "codebase" parameter that points at a trusted directory 2. A "code" parameter that is a URL that does not contain any...
HP OpenView Performance Insight Server Backdoor Account Code Execution
This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system allowing the execution of arbitrary code. NOTE: This module has only...
Oracle RDBMS Login Utility
This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. Because of a bug in nmap, versions 6.50 through 7.80 may not work.
Foxit PDF Reader 4.2 Javascript File Write
This module exploits an unsafe Javascript API implemented in Foxit PDF Reader version 4.2. The createDataObject Javascript API function allows for writing arbitrary files to the file system. This issue was fixed in version 4.3.1.0218. Note: This exploit uses the All Users directory currently, whi...
Kolibri HTTP Server HEAD Buffer Overflow
This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.
Majordomo2 _list_file_get() Directory Traversal
This module exploits a directory traversal vulnerability present in the _list_file_get function of the Majordomo2 help function. By default, this module will attempt to download the Majordomo config.pl file.
Accellion FTA MPIPE2 Command Execution
This module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the appliance ships with two easy to...
Oracle TNS Listener SID Bruteforce
This module queries the TNS listener for a valid Oracle database instance name also known as a SID. Any response other than a "reject" will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, SIDs read from the named file will be attempted in sequence...
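The probe described above, as an added example written for this page rather than taken from the module itself: it builds the TNS CONNECT packet that carries a SID in CONNECT_DATA, classifies the listener's reply by the packet-type byte, and applies the rule that anything other than a REFUSE counts as a hit. The header and CONNECT layout follow the Oracle Net format as commonly documented; the host, port and SID in the usage call and the two sample replies are constructed here, not captured from a real listener.

```python
import re
import socket
import struct

# TNS packet types, read from the type byte at offset 4 of the 8-byte header.
TNS_CONNECT = 1
TNS_ACCEPT = 2
TNS_REFUSE = 4
TNS_REDIRECT = 5
TNS_RESEND = 11

# Listener error carried inside a REFUSE when the SID is unknown (assumed value).
ORA_UNKNOWN_SID = 12505

ERR_RE = re.compile(rb"\(ERR=(\d+)\)")


def tns_header(body_len, ptype):
    """8-byte header: total length, packet checksum, type, flags, header checksum."""
    return struct.pack(">HHBBH", 8 + body_len, 0, ptype, 0, 0)


def build_connect_packet(host, port, sid):
    """Build a TNS CONNECT packet whose CONNECT_DATA names the SID under test."""
    connect_data = (
        "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))"
        "(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d)))" % (sid, host, port)
    ).encode()
    body = struct.pack(
        ">HHHHHHHHHHIBBIIQ",
        0x0136,             # protocol version 310
        0x012C,             # lowest compatible version 300
        0x0000,             # service options
        0x0800,             # session data unit size
        0x7FFF,             # transport data unit size
        0x7F08,             # NT protocol characteristics
        0x0000,             # max packets before ack
        0x0001,             # the value 1 in hardware byte order
        len(connect_data),  # connect data length
        0x003A,             # connect data offset: 8-byte header + 50-byte body
        0x00000000,         # max receivable connect data
        0x00, 0x00,         # connect flags 0 and 1
        0, 0,               # trace cross-facility items
        0,                  # trace unique connection id
    ) + b"\x00" * 8         # unused trailer before the connect data
    return tns_header(len(body) + len(connect_data), TNS_CONNECT) + body + connect_data


def classify_response(data):
    """Return (packet_type, listener_error); the error is only parsed out of a REFUSE."""
    if len(data) < 8:
        return None, None
    ptype = data[4]
    if ptype == TNS_REFUSE and len(data) >= 12:
        # REFUSE body: user reason (1), system reason (1), data length (2), then text
        dlen = struct.unpack(">H", data[10:12])[0]
        m = ERR_RE.search(data[12:12 + dlen])
        return ptype, (int(m.group(1)) if m else None)
    return ptype, None


def sid_is_candidate(data):
    """The module's rule: any reply other than a REFUSE is treated as a valid SID."""
    ptype, _ = classify_response(data)
    return ptype is not None and ptype != TNS_REFUSE


def probe_sid(host, port, sid, timeout=5.0):
    """Send one CONNECT for `sid` and return the listener's raw reply (live use only)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        pkt = build_connect_packet(host, port, sid)
        s.sendall(pkt)
        reply = s.recv(4096)
        if len(reply) > 4 and reply[4] == TNS_RESEND:
            # RESEND asks for the same CONNECT again; only the next reply judges the SID.
            s.sendall(pkt)
            reply = s.recv(4096)
        return reply


# Constructed sample replies (not captured from a real listener) for offline use.
def make_refuse_packet(err):
    text = (b"(DESCRIPTION=(TMP=)(VSNNUM=186647552)(ERR=%d)"
            b"(ERROR_STACK=(ERROR=(CODE=%d)(EMFI=4))))" % (err, err))
    body = struct.pack(">BBH", 0x22, 0x00, len(text)) + text
    return tns_header(len(body), TNS_REFUSE) + body


SAMPLE_REFUSE_UNKNOWN_SID = make_refuse_packet(ORA_UNKNOWN_SID)
SAMPLE_ACCEPT = tns_header(16, TNS_ACCEPT) + struct.pack(
    ">HHHHHHHBB", 0x0136, 0, 0x0800, 0x7FFF, 1, 0, 24, 0, 0)

if __name__ == "__main__":
    for name, reply in (("refuse", SAMPLE_REFUSE_UNKNOWN_SID), ("accept", SAMPLE_ACCEPT)):
        print(name, classify_response(reply),
              "candidate" if sid_is_candidate(reply) else "rejected")
    # Live probe against a hypothetical target: probe_sid("10.0.0.5", 1521, "ORCL")
```

Two caveats for live use. A REFUSE carrying ERR=12505 is the listener saying it does not know the SID; a REFUSE with another code (the listener refusing connections for an unrelated reason) is still counted as "not valid" by the rule above, so logging the error code keeps a blocked listener from looking like a bad wordlist. And a listener that answers the first CONNECT with RESEND has not evaluated the SID yet, which is why probe_sid resends before judging the reply; counting the RESEND itself would make every SID look valid.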
Novell iPrint Client ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 5.52. When sending an overly long string to the GetDriverSettings property of ienipp.ocx an attacker may be able to execute arbitrary code.
Citrix Access Gateway Command Execution
The Citrix Access Gateway provides support for multiple authentication types. When utilizing the external legacy NTLM authentication module known as ntlmauthenticator the Access Gateway spawns the Samba 'samedit' command line utility to verify a user's identity and password. By embedding shell...
NetSupport Manager Agent Remote Buffer Overflow
This module exploits a buffer overflow in NetSupport Manager Agent. It uses a ROP chain similar to the one in the proftpd_iac exploit in order to avoid the non-executable stack.
SAP Management Console Brute Force
This module simply attempts to brute force the username and password for the SAP Management Console SOAP Interface. If the SAPSID value is set, it will replace instances of the <SAPSID> placeholder in any user/pass entry from the wordlists.
Wireshark CLDAP Dissector DOS
This module causes infinite recursion to occur within the CLDAP dissector by sending a specially crafted UDP packet.
SAP Management Console List Logfiles
This module simply attempts to output a list of available logfiles and developer tracefiles through the SAP Management Console SOAP Interface.
SAP Management Console ABAP Syslog Disclosure
This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface.
SAP Management Console getEnvironment
This module simply attempts to identify SAP Environment settings through the SAP Management Console SOAP Interface.
SAP Management Console Extract Users
This module simply attempts to extract SAP users from the ABAP Syslog through the SAP Management Console SOAP Interface.
SAP Management Console Version Detection
This module simply attempts to identify the version of SAP through the SAP Management Console SOAP Interface.
SAP Management Console Instance Properties
This module simply attempts to identify the instance properties through the SAP Management Console SOAP Interface.
SAP Management Console getStartProfile
This module simply attempts to access the SAP startup profile through the SAP Management Console SOAP Interface.
SAP Service Discovery
Scans for listening SAP services.
SAP Management Console Get Logfile
This module simply attempts to download available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. Please use the sap_mgmt_con_listlogfiles module to view a list of available files.
Windows Escalate Locked Desktop Unlocker
This module unlocks a locked Windows desktop by patching the respective code inside the LSASS.exe process. This patching process can result in the target system hanging or even rebooting, so be careful when using this module on production systems.
Windows Capture Keystroke Recorder
This module can be used to capture keystrokes. To capture keystrokes when the session is running as SYSTEM, the MIGRATE option must be enabled and the CAPTURETYPE option should be set to one of Explorer, Winlogon, or a specific PID. To capture the keystrokes of the interactive user, the Explorer...
Mozilla Firefox Interleaved document.write/appendChild Memory Corruption
This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. This module was written based on a live exploit found in the wild.
MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to...
VideoLAN VLC MKV Memory Corruption
This module exploits an input validation error in VideoLAN VLC (CVE-2011-0531, OSVDB 70698, BID 46060; author: Dan Rosenberg).
Microsoft SQL Server Payload Execution via SQL Injection
This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection...
Windows Manage Local User Account Deletion
This module deletes a local user account from the specified server, or the local machine if no server is given.
Apache Tomcat Transfer-Encoding Information Disclosure and DoS
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling...
SMB Domain User Enumeration
Determine what domain users are logged into a remote system via a DCERPC call to NetWkstaUserEnum.
MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-00...
Windows Gather Local User Account SID Lookup
This module prints information about a given SID from the perspective of this session.
Apache HTTPD mod_negotiation Scanner
This module scans the webserver of the given hosts for the existence of mod_negotiation. If the webserver has mod_negotiation enabled, the IP address will be displayed.
Apache HTTPD mod_negotiation Filename Bruter
This module performs a brute force attack in order to discover existing files on a server which uses mod_negotiation. If the filename is found, the IP address and the files found will be displayed.
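How both of the mod_negotiation modules above get their signal, as an added example that is not the modules' own code: with MultiViews on, Apache answers a request for a base name (such as /index) whose Accept header matches no variant with a 406 and an Alternates header listing every file that shares that base name, in the RFC 2295 `{"name" q {attr value} ...}` form. The scanner rule is "406 plus Alternates means mod_negotiation is on"; the bruter rule is "every name in Alternates is a real file". The Accept value `a/b`, the hostname and both sample responses are constructed here, not captured from a server.

```python
import re

# One Alternates variant: {"name" q {attr value} {attr value} ...}
VARIANT_RE = re.compile(r'\{"([^"]+)"\s+([0-9.]+)((?:\s*\{[^{}]*\})*)\s*\}')
ATTR_RE = re.compile(r'\{(\w+)\s+([^{}]*)\}')


def negotiation_probe(path, host):
    """Ask for a name without an extension using an Accept type no variant can match."""
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nAccept: a/b\r\nConnection: close\r\n\r\n"
            % (path, host)).encode()


def status_code(raw):
    return int(raw.split(b" ", 2)[1])


def get_header(raw, name):
    """Return the first header called `name` (case-insensitive) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_alternates(value):
    """Turn an Alternates header into a list of {file, q, <attr>: <value>} dicts."""
    variants = []
    for name, q, attrs in VARIANT_RE.findall(value):
        v = {"file": name, "q": float(q)}
        v.update((k, val.strip()) for k, val in ATTR_RE.findall(attrs))
        variants.append(v)
    return variants


def negotiation_enabled(raw):
    """Scanner rule: a 406 that carries an Alternates header came from mod_negotiation."""
    return status_code(raw) == 406 and get_header(raw, "Alternates") is not None


def discovered_files(raw):
    """Bruter rule: every variant listed in Alternates is a file that exists on disk."""
    alt = get_header(raw, "Alternates")
    return [v["file"] for v in parse_alternates(alt)] if alt else []


# Constructed sample responses (not captured from a real server).
SAMPLE_406 = (
    b"HTTP/1.1 406 Not Acceptable\r\n"
    b"Server: Apache\r\n"
    b'Alternates: {"index.html" 1 {type text/html} {length 1234}}, '
    b'{"index.php" 1 {type application/x-httpd-php} {length 77}}, '
    b'{"index.bak" 1 {type application/octet-stream} {length 9001}}\r\n'
    b"Vary: negotiate,accept\r\n"
    b"TCN: list\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Not Acceptable</body></html>"
)
SAMPLE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    print(negotiation_probe("/index", "example.test").decode())
    print("enabled:", negotiation_enabled(SAMPLE_406), negotiation_enabled(SAMPLE_200))
    print("files:", discovered_files(SAMPLE_406))
```

The useful part of the bruter output is the variants that no normal client would ever negotiate for, such as the `.bak` entry in the sample: MultiViews lists any file sharing the base name, whatever its extension, which is how backup and source files leak. The check only fires when MultiViews is enabled for that directory; without it the same request returns 404 and the page tells you nothing.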
Android Content Provider File Disclosure
This module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device.