Coppermine Photo Gallery picEditor.php Command Execution
This module exploits a vulnerability in the picEditor.php script of Coppermine Photo Gallery versions 1.4.14 and earlier. When configured to use the ImageMagick library, the 'quality', 'angle', and 'clipval' parameters are not properly escaped before being passed to the PHP 'exec' command. In ord...
Qbik WinGate WWW Proxy Server URL Processing Overflow
This module exploits a stack buffer overflow in Qbik WinGate version 6.1.1.1077 and earlier. By sending a malformed HTTP POST URL to the HTTP proxy service on port 80, a remote attacker could overflow a buffer and execute arbitrary code. This module requires Metasploit:...
Worldweaver DX Studio Player shell.execute() Command Execution
This module exploits a command execution vulnerability within the DX Studio Player from Worldweaver for versions 3.0.29 and earlier. The player is a browser plugin for IE ActiveX and Firefox dll. When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an...
LPRng use_syslog Remote Format String Vulnerability
This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin". Th...
Samba "username map script" Command Execution
This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed...
HPLIP hpssd.py From Address Arbitrary Command Execution
This module exploits a command execution vulnerability in the hpssd.py daemon of the Hewlett-Packard Linux Imaging and Printing Project. According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable. This module was written and tested using the Fedora 6 Linux distribution. On the test system...
RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
This module abuses two flaws - a metacharacter injection vulnerability in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI rpm packages: piranha and piranha-gui. The vulnerability allows an authenticated attacker to execute arbitrary commands as the...
Sambar 6 Search Results Buffer Overflow
This module exploits a buffer overflow found in the /search/results.stm application that comes with Sambar 6. This code is a direct port of Andrew Griffiths's SMUDGE exploit, the only changes made were to the nops and payload. This exploit causes the service to die, whether you provided the corre...
Computer Associates License Server GETCONFIG Overflow
This module exploits a vulnerability in the CA License Server network service. By sending an excessively long GETCONFIG packet the stack may be overwritten.
Computer Associates License Client GETCONFIG Overflow
This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this...
VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
This module exploits a stack-based buffer overflow in the Win32AddConnection function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are reportedly affected. This vulnerability is only present in Win32 builds of VLC. This payload was found to work with the windows/exec and...
MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability
This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER Shared Feature record, Microsoft used a data structure from the file to...
RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in RKD Software Barcode Application ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissectgetaddrsbynamerequest function. Several...
MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods...
PeaZip Zip Processing Command Injection
This module exploits a command injection vulnerability in PeaZip. All versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with version 2.6.1 on Windows. In order for the command to be executed, an attacker must convince someone to open a specially crafted zip file with PeaZip,...
SMB User Enumeration (SAM EnumUsers)
Determine what users exist via the SAM RPC service.
PostgreSQL Server Generic Query
This module imports a file local on the PostgreSQL Server into a temporary table, reads it, and then drops the temporary table. It requires PostgreSQL credentials with table CREATE privileges as well as read privileges to the target file.
Microsoft IIS WebDAV Write Access Code Execution
This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. The target IIS machine must meet these conditions to be considered as exploitable: It allows 'Script resource access', Read and Wri...
AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
This module exploits a buffer overflow vulnerability in opcode 21 handled by rpc.cmsd on AIX. By making a request with a long string passed to the first argument of the "rtablecreate" RPC, a stack based buffer overflow occurs. This leads to arbitrary code execution. NOTE: Unsuccessful attempts ma...
AIX execve Shell for inetd
Simply execve /bin/sh for inetd programs.
Vermillion FTP Daemon PORT Command Memory Corruption
This module exploits an out-of-bounds array access in the Arcane Software Vermillion FTP server. By sending a specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bound by attacker controlled input...
Samba Symlink Directory Traversal
This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.
AstonSoft DeepBurner (DBR File) Path Buffer Overflow
This module exploits a stack-based buffer overflow in versions 1.9.0.228, 1.8.0, and possibly other versions of AstonSoft's DeepBurner Pro, Lite, etc. An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an...
Juniper JunOS Malformed TCP Option
This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissectgetaddrsbynamerequest function. Several...
PostgreSQL Server Generic Query
This module will allow for simple SQL statements to be executed against a PostgreSQL instance given the appropriate credentials.
Novell iPrint Client ActiveX Control Date/Time Buffer Overflow
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this...
HTTP trace.axd Content Scanner
Detect trace.axd files and analyze their content.
HTTP SSL Certificate Information
Parse the server SSL certificate to obtain the common name and signature algorithm...
HTTP Directory Listing Scanner
This module identifies directory listing vulnerabilities in a given directory path.
HTTP SOAP Verb/Noun Brute Force Scanner
This module attempts to brute force SOAP/XML requests to uncover hidden methods.
HTTP Directory Brute Force Scanner
This module identifies the existence of interesting directories by brute forcing the name in a given directory path.
HTTP WebDAV Scanner
Detect webservers with WebDAV enabled.
HTTP Copy File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
HTTP WebDAV Internal IP Scanner
Detect webservers' internal IPs through WebDAV.
HTTP Subversion Scanner
Detect Subversion directories and files and analyze their content. Only SVN version 7 is supported.
HTTP WebDAV Website Content Scanner
Detect webservers disclosing their content through WebDAV.
HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.
HTTP Error Based SQL Injection Scanner
This module identifies the existence of Error Based SQL injection issues. Still requires a lot of work.
HTTP Backup File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
HTTP File Same Name Directory Scanner
This module identifies the existence of files in a given directory path that have the same name as the directory. Only works if PATH is different from '/'.
HTTP Blind XPATH 1.0 Injector
This module exploits blind XPATH 1.0 injections over HTTP GET requests.
MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS...
HTTP SSL Certificate Checker
This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired.
HTTP Robots.txt Content Scanner
Detect robots.txt files and analyze their content.
HTTP Interesting File Scanner
This module identifies the existence of interesting files in a given directory path.
HTTP Previous Directory File Scanner
This module identifies files in the first parent directory with the same name as the given directory path. Example: testing /backup/files/ will look for the file /backup/files.ext.
HTTP Verb Authentication Bypass Scanner
This module tests for authentication bypass using different HTTP verbs.
HTTP Virtual Host Brute Force Scanner
This module tries to identify unique virtual hosts hosted by the target web server.