HP Web JetAdmin 6.5 Server Arbitrary Command Execution
This module abuses a command execution vulnerability within the web based management console of the Hewlett-Packard Web JetAdmin network printer tool v6.2 - v6.5. It is possible to execute commands as SYSTEM without authentication. The vulnerability also affects POSIX systems, however at this sta...
BigAnt Server 2.50 SP1 Buffer Overflow
This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.50 SP1. This module requires Metasploit: https://metasploit.com/download Current source:...
Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in propertybox.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 Win32.
pSnuffle Packet Sniffer
This module sniffs passwords like dsniff did in the past. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework dsniff was helping me very often. Too bad that it doesn't work correctly anymore. Psnuffle should bring password...
DECT Call Scanner
This module scans for active DECT calls. Author: DK.
DECT Base Station Scanner
This module scans for DECT base stations. Author: DK.
Sendmail SMTP Address prescan Memory Corruption
This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution. This...
Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute
This module allows remote attackers to install and execute arbitrary files on a user's file system via AeXNSPkgDLLib.dll 6.0.0.1418. This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.
Opera 9 Configuration Overwrite
Opera web browser in versions HttpClients::OPERA, :uamaxver = "9.10", :osname = OperatingSystems::Match::WINDOWS, OperatingSystems::Match::LINUX , :javascript = true, :rank = ExcellentRanking, reliable cmd exec, cleans up after itself :vulntest = nil, def initializeinfo = superupdateinfoinfo,...
Wyse Rapport Hagent Fake Hserver Command Execution
This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download...
MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution
This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.
SMB 2.0 Protocol Detection
Detect systems that support the SMB 2.0 protocol...
SAP Business One License Manager 2005 Buffer Overflow
This module exploits a stack buffer overflow in the SAP Business One 2005 License Manager 'NT Naming Service' A and B releases. By sending an excessively long string, the stack is overwritten, enabling arbitrary code execution.
SafeNet SoftRemote IKE Service Buffer Overflow
This module exploits a stack buffer overflow in the SafeNet SoftRemote IKE IreIKE.exe service. When sending a specially crafted UDP packet to port 62514, an attacker may be able to execute arbitrary code. This module has been tested with Juniper NetScreen-Remote 10.8.0 Build 20 using...
Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary...
Altap Salamander 2.5 PE Viewer Buffer Overflow
This module exploits a buffer overflow in Altap Salamander. Author: aushack. References: CVE-2007-3314, BID 24557, OSVDB 37579.
DCERPC TCP Service Auditor
Determine what DCERPC services are accessible over a TCP port.
CA Antivirus Engine CAB Buffer Overflow
This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637. By creating a specially crafted CAB file, an attacker may be able to execute arbitrary code.
Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
Inject a VNC DLL via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64). CachedSize = 449.
Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection (Windows x64).
Windows x64 Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell (Windows x64). CachedSize = 505.
Windows x64 Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell (Windows x64). CachedSize = 460.
Windows x64 Command Shell, Windows x64 Bind TCP Stager
Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64). CachedSize = 483.
Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
Inject a VNC DLL via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64). CachedSize = 483.
Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker (Windows x64).
Windows x64 Command Shell, Windows x64 Reverse TCP Stager
Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64). CachedSize = 449.
ProFTP 2.9 Banner Remote Buffer Overflow
This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message.
XOR Encoder
An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.
Simple
An x64 single/multi byte NOP instruction generator. Alias: x64_simple.
Windows x64 Execute Command
Execute an arbitrary command (Windows x64). CachedSize = 275.
DNS BailiWicked Host Attack
This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those...
DB2 Discovery Service Detection
This module simply queries the DB2 discovery service for information.
Nagios3 statuswml.cgi Ping Command Execution
This module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands.
FreeBSD Meterpreter Service, Bind TCP
Stub payload for interacting with a Meterpreter Service. CachedSize = 0.
FreeBSD Meterpreter Service, Reverse TCP Inline
Stub payload for interacting with a Meterpreter Service. CachedSize = 0.
Linux Meterpreter Service, Reverse TCP Inline
Stub payload for interacting with a Meterpreter Service. CachedSize = 0.
Linux Meterpreter Service, Bind TCP
Stub payload for interacting with a Meterpreter Service. CachedSize = 0.
Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the JuniperSetupDLL.dll library which is called by the JuniperSetup.ocx ActiveX control, as part of the Juniper SSL-VPN IVE appliance. By specifying an overly long string to the ProductName object parameter, the stack is overwritten. This module...
Oracle URL Download
This module will create a Java class which enables the download of a binary from a webserver to the Oracle filesystem.
Oracle Java execCommand (Win32)
This module will create a Java class which enables the execution of OS commands.
Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.OPEN package/function.
Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.
Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
The module exploits an SQL injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected...
Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.LT.FINDRICSET package via the Evil Cursor technique. Tested on Oracle 10.1.0.3.0 -- should work through 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007. This module...
Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML
This module will escalate an Oracle DB user to DBA by exploiting an SQL injection bug in the SYS.DBMS_METADATA.GET_XML package/function.
Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE
This module exploits an SQL injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE
This module exploits an SQL injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
The module exploits an SQL injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected...
Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE
This module exploits an SQL injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE
This module exploits an SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.