
6841 matches found

Metasploit • added 2010/09/09 11:23 p.m. • 51 views

Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow

This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well. This module requires Metasploit: https://metasploit.com/download Current source:...

7.3 CVSS • 6.3 AI score • 0.82485 EPSS
Exploits: 13

Metasploit • added 2010/09/08 11:5 p.m. • 43 views

Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow

This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well. This module requires Metasploit: https://metasploit.com/download Current source:...

7.3 CVSS • 6.3 AI score • 0.82485 EPSS
Exploits: 13

Metasploit • added 2010/09/08 8:20 a.m. • 51 views

Java RMIConnectionImpl Deserialization Privilege Escalation

This module exploits a vulnerability in the Java Runtime Environment that allows a MarshalledObject containing a custom classloader to be deserialized under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. This module requires Metasploit:...

7.5 CVSS • 1.2 AI score • 0.81593 EPSS
Exploits: 5

Metasploit • added 2010/09/02 2:32 p.m. • 36 views

Apple Airport Extreme Password Extraction (WDBRPC)

This module can be used to read the stored password of a vulnerable Apple Airport Extreme access point. Only a small number of firmware versions have the WDBRPC service running, however the factory configuration was vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are...

6.7 AI score
Exploits: 0

Metasploit • added 2010/09/02 2:32 p.m. • 32 views

D-Link i2eye Video Conference AutoAnswer (WDBRPC)

This module can be used to enable auto-answer mode for the D-Link i2eye video conferencing system. Once this setting has been flipped, the device will accept incoming video calls without acknowledgement. The NetMeeting software included in Windows XP can be used to connect to this device. The i2e...

7.2 AI score
Exploits: 0

Metasploit • added 2010/09/01 1:57 a.m. • 76 views

ColdFusion Server Check

This module attempts to exploit the directory traversal in the 'locale' attribute. According to the advisory the following versions are vulnerable: ColdFusion MX6 6.1 base patches, ColdFusion MX7 7,0,0,91690 base patches, ColdFusion MX8 8,0,1,195765 base patches, ColdFusion MX8 8,0,1,195765 with...

9.8 CVSS • 9.1 AI score • 0.99721 EPSS
Exploits: 13

Metasploit • added 2010/08/30 8:42 p.m. • 29 views

Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit...

9.3 CVSS • 0.1 AI score • 0.42668 EPSS
Exploits: 9

Metasploit • added 2010/08/25 9:44 p.m. • 57 views

Linux Command Shell, Reverse TCP Inline

Connect back to attacker and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 172 include Msf::Payload::Single include Msf::Payload::Linux::Armle::Prepends...

7.4 AI score
Exploits: 0

Metasploit • added 2010/08/25 9:44 p.m. • 32 views

Linux Execute Command

Execute an arbitrary command This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exec ---- Executes an arbitrary command. module MetasploitModule CachedSize = 29 include Msf::Payload::Single include...

7.5 AI score
Exploits: 0

Metasploit • added 2010/08/24 6:22 p.m. • 107 views

Tomcat UTF-8 Directory Traversal Vulnerability

This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the...

4.3 CVSS • 6.9 AI score • 0.99708 EPSS
Exploits: 22

Metasploit • added 2010/08/24 6:20 p.m. • 59 views

Adobe PDF Escape EXE Social Engineering (No JavaScript)

This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack. This module requires Metasploit: https://metasploit.com/download Current source:...

9.3 CVSS • 0.3 AI score • 0.73436 EPSS
Exploits: 7

Metasploit • added 2010/08/23 10:50 p.m. • 56 views

Windows Execute net user /ADD CMD

Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars 1 UPPER, 1 lower, 1 digit/special This...

0.2 AI score
Exploits: 0

Metasploit • added 2010/08/23 10:50 p.m. • 35 views

Windows Executable Download and Execute (via .vbs)

Download an EXE from an HTTPS URL and execute it This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include Msf::Sessions::CommandShellOptions de...

0.3 AI score
Exploits: 0

Metasploit • added 2010/08/23 5:43 a.m. • 8 views

WebDAV Application DLL Hijacker

This module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type. This module requires Metasploit: https://metasploit.com/download Current source:...

7.5 AI score
Exploits: 0

Metasploit • added 2010/08/21 6:38 a.m. • 44 views

Java Statement.invoke() Trusted Method Chain Privilege Escalation

This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. This module requires Metasploit: https://metasploit.com/download Current source...

9.8 CVSS • 1 AI score • 0.96166 EPSS
Exploits: 5

Metasploit • added 2010/08/20 7:1 a.m. • 29 views

Command Shell, Java Bind TCP Stager

Spawn a piped command shell cmd.exe on Windows, /bin/sh everywhere else. Listen for a connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 5256 include Msf::Payload::Stager...

7.2 AI score
Exploits: 0

Metasploit • added 2010/08/20 7:1 a.m. • 34 views

Java Meterpreter, Java Bind TCP Stager

Run a meterpreter server in Java. Listen for a connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 5256 include Msf::Payload::Stager include Msf::Payload::Java include...

7 AI score
Exploits: 0

Metasploit • added 2010/08/19 11:52 p.m. • 20 views

SonicWALL Aventail epi.dll AuthCredential Format String

This module exploits a format string vulnerability within version 10.0.4.x and 10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX control epi.dll. By calling the 'AuthCredential' method with a specially crafted Unicode format string, an attacker can cause memory...

7.6 AI score
Exploits: 0

Metasploit • added 2010/08/18 12:58 a.m. • 75 views

Authentication Capture: SMTP

This module provides a fake SMTP service that is designed to capture authentication credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Authentication Capture: SMTP', 'Description' = %...

7.5 AI score
Exploits: 0

Metasploit • added 2010/08/13 11:11 p.m. • 57 views

Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow

This module exploits a buffer overflow in Apple QuickTime 7.6.6. When processing a malformed SMIL uri, a stack-based buffer overflow can occur when logging an error message. This module requires Metasploit: https://metasploit.com/download Current source:...

9.3 CVSS • 7.3 AI score • 0.33701 EPSS
Exploits: 3

Metasploit • added 2010/08/11 7:54 p.m. • 33 views

Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS

This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. However, if a...

10 CVSS • 6.6 AI score • 0.7572 EPSS
Exploits: 3

Metasploit • added 2010/08/06 8:9 p.m. • 8 views

WM Downloader 3.1.2.2 Buffer Overflow

This module exploits a buffer overflow in WM Downloader v3.1.2.2. When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Current source:...

0.5 AI score
Exploits: 0

Metasploit • added 2010/08/06 5:37 p.m. • 7 views

DHCP Server

This module provides a DHCP service This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'DHCP Server', 'Description' = %q This module provides a DHCP service , 'Author' = 'scriptjunkie',...

7 AI score
Exploits: 0

Metasploit • added 2010/08/04 2:21 a.m. • 33 views

Microsoft Windows Shell LNK Code Execution

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path. This module requires Metasploit:...

7.8 CVSS • 7.5 AI score • 0.91324 EPSS
Exploits: 13

Metasploit • added 2010/08/03 9:7 a.m. • 11 views

Amlibweb NetOpacs webquery.dll Stack Buffer Overflow

This module exploits a stack buffer overflow in Amlib's Amlibweb Library Management System (NetOpacs). The webquery.dll API is available through IIS requests. By specifying an overly long string to the 'app' parameter, SEH can be reliably overwritten allowing for arbitrary remote code execution. In...

10 AI score
Exploits: 0

Metasploit • added 2010/08/02 5:56 a.m. • 35 views

VxWorks WDB Agent Boot Parameter Scanner

Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VxWorks WDB Agent Boot Parameter Scanner', 'Description' = 'Scan...

7.1 AI score
Exploits: 0

Metasploit • added 2010/08/02 5:56 a.m. • 31 views

VxWorks WDB Agent Remote Memory Dump

This module provides the ability to dump the system memory of a VxWorks target through WDBRPC This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VxWorks WDB Agent Remote Memory Dump', 'Description...

7.2 AI score
Exploits: 0

Metasploit • added 2010/08/02 5:56 a.m. • 23 views

VxWorks WDB Agent Remote Reboot

This module provides the ability to reboot a VxWorks target through WDBRPC This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VxWorks WDB Agent Remote Reboot', 'Description' = %q This module...

7.2 AI score
Exploits: 0

Metasploit • added 2010/08/02 5:56 a.m. • 85 views

VxWorks WDB Agent Version Scanner

Scan for exposed VxWorks wdbrpc daemons This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VxWorks WDB Agent Version Scanner', 'Description' = 'Scan for exposed VxWorks wdbrpc daemons', 'Author' =...

7.4 AI score
Exploits: 0

Metasploit • added 2010/07/27 2:25 a.m. • 15 views

EasyFTP Server MKD Command Stack Buffer Overflow

This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command,...

7.5 AI score
Exploits: 0

Metasploit • added 2010/07/27 2:25 a.m. • 15 views

EasyFTP Server list.html path Stack Buffer Overflow

This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing the 'path' parameter supplied to an HTTP GET request, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentia...

7.5 AI score
Exploits: 0

Metasploit • added 2010/07/27 2:25 a.m. • 21 views

Hyleos ChemView ActiveX Control Stack Buffer Overflow

This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos ChemView HyleosChemView.ocx. By calling the 'SaveAsMolFile' or 'ReadMolFile' methods with an overly long first argument, an attacker can overrun a buffer and execute arbitrary code. This module requires Metasploit...

9.3 CVSS • 10 AI score • 0.35128 EPSS
Exploits: 4

Metasploit • added 2010/07/27 2:25 a.m. • 12 views

EasyFTP Server LIST Command Stack Buffer Overflow

This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11. Credit goes to Karn Ganeshan. NOTE: Although this is likely to exploit the same vulnerability as the 'easyftpcwdfixret' exploit, it uses a slightly different vector. This module requires Metasploit:...

7.3 AI score
Exploits: 0

Metasploit • added 2010/07/25 9:37 p.m. • 43 views

MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)

This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This modul...

10 CVSS • 7.3 AI score • 0.79128 EPSS
Exploits: 17

Metasploit • added 2010/07/25 9:37 p.m. • 50 views

MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow

This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022. This module requires Metasploit: https://metasploit.com/download Current...

7.5 CVSS • 7.7 AI score • 0.82542 EPSS
Exploits: 6

Metasploit • added 2010/07/25 9:37 p.m. • 38 views

MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)

This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This modul...

10 CVSS • 0.2 AI score • 0.79128 EPSS
Exploits: 17

Metasploit • added 2010/07/25 9:37 p.m. • 27 views

MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow

This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular module works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue. This module requires Metasploit:...

7.5 CVSS • 0.6 AI score • 0.83075 EPSS
Exploits: 10

Metasploit • added 2010/07/25 4:2 p.m. • 39 views

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)

This module exploits a buffer overflow vulnerability in the LoadAniIcon function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was...

9.3 CVSS • 7.6 AI score • 0.72693 EPSS
Exploits: 23

Metasploit • added 2010/07/25 4:0 p.m. • 33 views

Outlook ATTACH_BY_REF_RESOLVE File Execution

It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double...

9.3 CVSS • 6.4 AI score • 0.55278 EPSS
Exploits: 11

Metasploit • added 2010/07/25 4:0 p.m. • 27 views

Outlook ATTACH_BY_REF_ONLY File Execution

It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double...

9.3 CVSS • 7 AI score • 0.55278 EPSS
Exploits: 11

Metasploit • added 2010/07/21 3:23 p.m. • 86 views

SMTP User Enumeration Utility

The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of users' aliases and lists of e-mail (mailing lists)). Through their implementation, these SMTP commands can reveal a list of valid users...

10 AI score
Exploits: 2

Metasploit • added 2010/07/20 9:57 p.m. • 22 views

Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in propertybox.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 Win32. This module requires Metasploit:...

5 CVSS • 10 AI score • 0.5156 EPSS
Exploits: 6

Metasploit • added 2010/07/20 3:10 a.m. • 29 views

Command Shell, Java Reverse TCP Stager

Spawn a piped command shell cmd.exe on Windows, /bin/sh everywhere else. Connect back stager This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 5256 include Msf::Payload::Stager inclu...

7.2 AI score
Exploits: 0

Metasploit • added 2010/07/20 3:10 a.m. • 51 views

Java Meterpreter, Java Reverse TCP Stager

Run a meterpreter server in Java. Connect back stager This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 5256 include Msf::Payload::Stager include Msf::Payload::Java include...

7 AI score
Exploits: 0

Metasploit • added 2010/07/17 10:42 p.m. • 19 views

PHP Meterpreter, Bind TCP Stager

Run a meterpreter server in PHP. Listen for a connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 1338 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp def...

0.2 AI score
Exploits: 0

Metasploit • added 2010/07/16 2:31 a.m. • 50 views

Samba chain_reply Memory Corruption (Linux x86)

This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can...

7.5 CVSS • 10 AI score • 0.78702 EPSS
Exploits: 5

Metasploit • added 2010/07/13 7:30 p.m. • 57 views

Microsoft Help Center XSS and Command Execution

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a...

9.3 CVSS • 6.5 AI score • 0.75291 EPSS
Exploits: 11

Metasploit • added 2010/07/09 10:21 p.m. • 19 views

TCP Port Scanner

Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting. This module requires Metasploit: https://metasploit.com/download Current source:...

7 AI score
Exploits: 0

Metasploit • added 2010/07/09 4:23 p.m. • 18 views

Forge Cisco DTP Packets

This module forges DTP packets to initialize a trunk port. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Forge Cisco DTP Packets', 'Description' = %q This module forges DTP packets to...

Exploits: 0

Metasploit • added 2010/07/08 11:34 p.m. • 153 views

Apache Tomcat User Enumeration

This module enumerates Apache Tomcat's usernames via malformed requests to jsecuritycheck, which can be found in the web administration package. It should work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18. Newer versions no longer have the "admin" package by default...

4.3 CVSS • 0.5 AI score • 0.9444 EPSS
Exploits: 4

Total number of security vulnerabilities: 6841