Local Privilege Escalation in polkit's pkexec
A bug exists in the polkit pkexec binary in how it processes arguments. If the binary is provided with no arguments, it will continue to process environment variables as argument variables, but without any security checking. By using the execve call we can specify a null argument list and populat...
Firefox MCallGetProperty Write Side Effects Use After Free Exploit
This module exploits CVE-2020-26950, a use after free vulnerability in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construc...
WordPress Modern Events Calendar SQLi Scanner
Modern Events Calendar plugin contains an unauthenticated time-based SQL injection in versions before 6.1.5. The time parameter is vulnerable to injection. Module Options msf use auxiliary/scanner/http/wpmoderneventscalendarsqli msf auxiliarywpmoderneventscalendarsqli show actions ...actions... ms...
Win32k ConsoleControl Offset Confusion
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This...
Axis IP Camera Application Upload
This module exploits the "Apps" feature in Axis IP cameras. The feature allows third party developers to upload and execute 'eap' applications on the device. The system does not validate the application comes from a trusted source, so a malicious attacker can upload and execute arbitrary code. Th...
Hikvision IP Camera Unauthenticated Command Injection
This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras CVE-2021-36260. The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user. This module...
WordPress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi
Secure Copy Content Protection and Content Locking, a WordPress plugin, prior to 2.8.2 is affected by an unauthenticated SQL injection via the sccp_id parameter. Remote attackers can exploit this vulnerability to dump usernames and password hashes from the wp_users table of the affected WordPress...
Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE
This vulnerability allows remote attackers to execute arbitrary code on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2. Note...
Microweber CMS v1.2.10 Local File Inclusion (Authenticated)
Microweber CMS v1.2.10 has a backup functionality. Upload and download endpoints can be combined to read any file from the filesystem. Upload function may delete the local file if the web service user has access. Module Options msf use auxiliary/gather/microweberlfi msf auxiliarymicroweberlfi sho...
Unauthenticated remote code execution in Ignition
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents and file_put_contents. This is exploitable on sites using debug mode with Laravel before 8.4.2. Module Options msf use...
Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump
This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge as part of a challenge and response authentication...
Nagios XI Autodiscovery Webshell Upload
This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as www-data. The module achieves this by creating an autodiscovery job with an id field...
Grandstream GXV31XX 'settimezone' Unauthenticated Command Execution
This module exploits a command injection vulnerability in Grandstream GXV31XX IP multimedia phones. The 'settimezone' action does not validate input in the 'timezone' parameter allowing injection of arbitrary commands. A buffer overflow in the 'phonecookie' cookie parsing allows authentication to...
QEMU Monitor HMP 'migrate' Command Execution
This module uses QEMU's Monitor Human Monitor Interface (HMP) TCP server to execute system commands using the migrate command. This module has been tested successfully on QEMU version 6.2.0 on Ubuntu 20.04. Module Options msf use exploit/multi/misc/qemumonitorhmpmigratecmdexec msf...
PetitPotam
Coerce an authentication attempt over SMB to other machines via MS-EFSRPC methods. Module Options msf use auxiliary/scanner/dcerpc/petitpotam msf auxiliarypetitpotam show actions ...actions... msf auxiliarypetitpotam set ACTION msf auxiliarypetitpotam show options ...show and set options... msf...
WordPress RegistrationMagic task_ids Authenticated SQLi
RegistrationMagic, a WordPress plugin, prior to 5.0.1.5 is affected by an authenticated SQL injection via the task_ids parameter. Module Options msf use auxiliary/scanner/http/wpregistrationmagicsqli msf auxiliarywpregistrationmagicsqli show actions ...actions... msf auxiliarywpregistrationmagicsq...
Cisco Small Business RV Series Authentication Bypass and Command Injection
This module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473) in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then the...
Generic Command Nop Generator
Generates harmless padding for command payloads. Module Options msf use nop/cmd/generic msf nopgeneric show actions ...actions... msf nopgeneric set ACTION msf nopgeneric show options ...show and set options... msf nopgeneric run This module requires Metasploit: https://metasploit.com/download...
Grandstream UCM62xx IP PBX sendPasswordEmail RCE
This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically with no assigned CVE, but it was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities all...
UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the /api/login endpoint that will cause the server to connect to the attacker and...
VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)
VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtua...
Grandstream GXV3175 'settimezone' Unauthenticated Command Execution
This module exploits a command injection vulnerability in Grandstream GXV3175 IP multimedia phones. The 'settimezone' action does not validate input in the 'timezone' parameter allowing injection of arbitrary commands. A buffer overflow in the 'phonecookie' cookie parsing allows authentication to...
Log4Shell HTTP Header Injection
Versions of Apache Log4j2 impacted by CVE-2021-44228, which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will exploit an HTTP endpoint with the Log4Shell vulnerability by...
SonicWall SMA 100 Series Authenticated Command Injection
This module exploits an authenticated command injection vulnerability in the SonicWall SMA 100 series web interface. Exploitation results in command execution as root. The affected versions are 10.2.1.2-24sv and below, 10.2.0.8-37sv and below, and 9.0.0.11-31sv and below. Module Options msf use...
Pi-Hole Top Domains API Authenticated Exec
This module exploits a command execution in the Pi-Hole Web Interface. The API/Web interface page contains the field Top Domains/Top Advertisers, which is validated by a regex that does not properly filter system commands, which can then be executed by calling the gravity functionality. However, the regex only...
Microsoft Windows SMB Direct Session Takeover
This module will intercept direct SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit...
WordPress Plugin Catch Themes Demo Import RCE
The WordPress Plugin Catch Themes Demo Import versions use exploit/multi/http/wpcatchthemesdemoimport msf exploitwpcatchthemesdemoimport show targets ...targets... msf exploitwpcatchthemesdemoimport set TARGET msf exploitwpcatchthemesdemoimport show options ...show and set options... msf...
Native LDAP Server (Example)
This module provides a Rex based LDAP service to expose the native Rex LDAP server functionality created during log4shell development. Module Options msf use auxiliary/server/ldap msf auxiliaryldap show actions ...actions... msf auxiliaryldap set ACTION msf auxiliaryldap show options ...show and...
ManageEngine ServiceDesk Plus CVE-2021-44077
This module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module wil...
Dell DBUtilDrv2.sys Memory Protection Modifier
The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition that allows an attacker to read and write arbitrary kernel-mode memory. This module installs the provided driver, enables or disables LSA protection on the provided PID, and then removes the driver. This would...
WordPress Popular Posts Authenticated RCE
This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request for the payload, prior to getting a GET request. This exploit...
Grafana Plugin Path Traversal
Grafana versions 8.0.0-beta1 through 8.3.0 prior to 8.0.7, 8.1.8, 8.2.7, or 8.3.1 are vulnerable to directory traversal through the plugin URL. A valid plugin ID is required, but many are installed by default. Module Options msf use auxiliary/scanner/http/grafanaplugintraversal msf...
Interact with Established SSH Connection
Interacts with a shell on an established SSH connection Module Options msf use payload/generic/ssh/interact msf payloadinteract show actions ...actions... msf payloadinteract set ACTION msf payloadinteract show options ...show and set options... msf payloadinteract run This module requires...
WordPress WPS Hide Login Login Page Revealer
This module exploits a bypass issue with WPS Hide Login version use auxiliary/scanner/http/wpwpshideloginrevealer msf auxiliarywpwpshideloginrevealer show actions ...actions... msf auxiliarywpwpshideloginrevealer set ACTION msf auxiliarywpwpshideloginrevealer show options ...show and set options...
Log4Shell HTTP Scanner
Versions of Apache Log4j2 impacted by CVE-2021-44228, which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will scan an HTTP endpoint for the Log4Shell vulnerability by injectin...
Microsoft Office Word Malicious MSHTML RCE
This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine...
Windows Interactive Powershell Session, Reverse TCP SSL
Listen for a connection and spawn an interactive powershell session over SSL Module Options msf use payload/windows/x64/powershellreversetcpssl msf payloadpowershellreversetcpssl show actions ...actions... msf payloadpowershellreversetcpssl set ACTION msf payloadpowershellreversetcpssl show optio...
Windows Interactive Powershell Session, Reverse TCP SSL
Listen for a connection and spawn an interactive powershell session over SSL Module Options msf use payload/windows/powershellreversetcpssl msf payloadpowershellreversetcpssl show actions ...actions... msf payloadpowershellreversetcpssl set ACTION msf payloadpowershellreversetcpssl show options...
Windows Interactive Powershell Session, Reverse TCP SSL
Interacts with a powershell session on an established SSL socket connection Module Options msf use payload/cmd/windows/powershellreversetcpssl msf payloadpowershellreversetcpssl show actions ...actions... msf payloadpowershellreversetcpssl set ACTION msf payloadpowershellreversetcpssl show option...
2021 Ubuntu Overlayfs LPE
This module exploits a vulnerability in Ubuntu's implementation of overlayfs. The vulnerability is the result of failing to verify the ability of a user to set the attributes in a running executable. Specifically, when Overlayfs sends the set attributes data to the underlying file system via...
ManageEngine ADSelfService Plus CVE-2021-40539
This module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service. Module Options msf use...
Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution
This module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm. The getTopologyHistory RPC method takes a single argument which is the name of a user, which is concatenated into a string that is executed by bash. In order for the...
Microsoft Azure Active Directory Login Enumeration
This module enumerates valid usernames and passwords against a Microsoft Azure Active Directory domain by utilizing a flaw in how SSO authenticates. Module Options msf use auxiliary/scanner/http/azureadlogin msf auxiliaryazureadlogin show actions ...actions... msf auxiliaryazureadlogin set ACTION...
Sitecore Experience Platform (XP) PreAuth Deserialization RCE
This module exploits a deserialization vulnerability in the Report.ashx page of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7. Versions 7.2.6 and earlier and 9.0 and later are not affected. The vulnerability occurs due to Report.ashx's handler, located in...
Jetty WEB-INF File Disclosure
Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access protected files in the WEB-INF folder. Versions affected are: 9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5. Exploitation can obtain any file in the WEB-INF folder, bu...
Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE
This module exploits LFI and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older, in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative web interface...
BillQuick Web Suite txtID SQLi
This module exploits a SQL injection vulnerability in BillQuick Web Suite prior to version 22.0.9.1. The application is .NET-based, and the database is required to be MSSQL. Luckily the website gives error-based SQLi messages, so it is trivial to pull data from the database. However the webapp us...
Win32k NtGdiResetDC Use After Free Local Privilege Elevation
A use after free vulnerability exists in the NtGdiResetDC function of Win32k which can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists due to the fact that this function calls hdcOpenDCW, which performs a user mode callback. During this callback...
Microsoft OMI Management Interface Authentication Bypass
By removing the authentication exchange, an attacker can issue requests to the local OMI management socket that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1, released September 8th, 2021. Module Options msf use...
WordPress Plugin Automatic Config Change to RCE
This module exploits an unauthenticated arbitrary WordPress options change vulnerability in the Automatic wp-automatic plugin use auxiliary/admin/http/wpautomaticpluginprivesc msf auxiliarywpautomaticpluginprivesc show actions ...actions... msf auxiliarywpautomaticpluginprivesc set ACTION msf...