6845 matches found
Brocade Gather Device General Information
This module collects Brocade device information and configuration. This module has been tested against an icx6430 running 08.0.20T311. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Juniper Gather Device General Information
This module collects Juniper ScreenOS and JunOS device information and configuration. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Plex Unpickle Dict Windows RCE
This module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker can create a photo library and add arbitrary files to it. After setting the Windows only Plex variable LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled...
AnyDesk GUI Format String Write
The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the discovery service is always running, the GUI frontend must be started to trigger...
Cisco AnyConnect Priv Esc through Path Traversal
The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The attack consists in sending a specially crafted IPC reques...
Agent Tesla Panel Remote Code Execution
This module exploits a command injection vulnerability within the Agent Tesla control panel, in combination with an SQL injection vulnerability and a PHP object injection vulnerability, to gain remote code execution on affected hosts. Panel versions released prior to September 12, 2018 can be...
Trend Micro Web Security (Virtual Appliance) Remote Code Execution
This module exploits multiple vulnerabilities together in order to achieve remote code execution. Unauthenticated users can execute a terminal command under the context of the root user. The specific flaw exists within the LogSettingHandler class of the administrator interface software. When parsing...
ATutor 2.2.4 - Directory Traversal / Remote Code Execution
This module exploits an arbitrary file upload vulnerability together with a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in order to execute arbitrary commands. It first creates a zip archive containing a malicious PHP file. The zip archive takes advantage of a directory...
Cayin CMS NTP Server RCE
This module exploits an authenticated RCE in Cayin CMS. Author: h00die (msf module), Gjoko Krstic (LiquidWorm) ...
Inductive Automation Ignition Remote Code Execution
This module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to and including 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated...
Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service BITS, to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the...
Cayin xPost wayfinder_seqid SQLi to RCE
This module exploits an unauthenticated SQLi in Cayin xPost. Author: h00die (msf module), Gjoko Krstic (LiquidWorm) ...
Cisco UCS Director Cloupia Script RCE
This module exploits an authentication bypass and directory traversals in Cisco UCS Director 6.7.4.0 to leak the administrator's REST API key an...
WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp
There exists a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable versions of WebLogic. Leveraging an ExtractorComparator...
Wordpress Drag and Drop Multi File Uploader RCE
This module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation. This module require...
LinuxKI Toolset 6.01 Remote Command Execution
This module exploits a vulnerability in LinuxKI Toolset. Author: Cody Winkler (discovery and PoC), numan türle (msf exploit). References: EDB 48483, ...
QNAP QTS and Photo Station Local File Inclusion
This module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This module h...
Windows Gather Xshell and Xftp Passwords
This module can decrypt the password of Xshell and Xftp, if the user chooses to remember the password. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
BIND TSIG Badtime Query Denial of Service
A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
This module exploits a SQL injection vulnerability found in vBulletin 5.6.1 and earlier. This module uses the getIndexableContent vulnerability to reset the administrator's password, then uses the administrator's login information to achieve RCE on the target. This module has been tested...
vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection
This module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables, based on the selected options. This module has been tested successfully on vBulletin version 5.6.1 on Ubuntu Linux. This module requires Metasploit...
Plesk/myLittleAdmin ViewState .NET Deserialization
This module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as ...
Synology Forget Password User Enumeration Scanner
This module attempts to enumerate users on the Synology NAS by sending GET requests for the forgot password URL. The Synology NAS will respond differently if a user is present or not. These count as login attempts, and the default is 10 logins in 5min to get a permanent block. Set delay according...
Synology DiskStation Manager smart.cgi Remote Command Execution
This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions ...
GOG GalaxyClientService Privilege Escalation
This module will send arbitrary file paths to the GOG GalaxyClientService, which will be executed with SYSTEM privileges. Verified on GOG Galaxy Client v1.2.62 and v2.0.12; prior versions are also likely affected. This module requires Metasploit: https://metasploit.com/download Current source:...
Pi-Hole DHCP MAC OS Command Execution
This exploits a command execution in Pi-Hole. Author: h00die (msf module), François Renaud-Philippon (original PoC, discovery). References: URL ...
Pi-Hole Whitelist OS Command Execution
This exploits a command execution vulnerability in Pi-Hole. Author: h00die (msf module), Denis Andzakovic (original PoC, discovery). References: URL ...
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
This exploits a command execution in Pi-Hole = 4.4. A new blocklist is added, and then a gravity update is forced to pull in the blocklist content. PHP content is then...
Netsweeper WebAdmin unixlogin.php Python Code Injection
This module exploits a Python code injection in the Netsweeper WebAdmin component's unixlogin.php script, for versions 6.4.4 and prior, to execute code as the root user. Authentication is bypassed by sending a random whitelisted Referer header in each request. Tested on the CentOS Linux-based...
SaltStack Salt Master/Minion Unauthenticated RCE
This module exploits unauthenticated access to the runner and sendpub methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager...
SaltStack Salt Master Server Root Key Disclosure
This module exploits unauthenticated access to the prepauthinfo method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations...
Cloud Lookup (and Bypass)
This module can be useful if you need to test the security of your server and your website behind a cloud-based solution, by discovering the origin IP address of the targeted host. More precisely, this module uses multiple data sources (ViewDNS.info, DNS enumeration and Censys) to collect...
Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.6.3 and prior do not properly validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM. This module has been tested...
TrixBox CE endpoint_devicemap.php Authenticated Command Execution
This module exploits an authenticated OS command injection vulnerability found in Trixbox CE version 1.2.0 to 2.8.0.4 inclusive in the "network" POST parameter of the "/maint/modules/endpointcfg/endpointdevicemap.php" page. Successful exploitation allows for arbitrary command execution on the...
WebLogic Server Deserialization RCE - BadAttributeValueExpException
There exists a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers. This module requires Metasploit:...
Kentico CMS Staging SyncServer Unserialize Remote Command Execution
This module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier. Remote Command Execution is possible via unauthenticated XML requests to the Staging Service SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. XML input is passe...
Veeam ONE Agent .NET Deserialization
This module exploits a .NET deserialization vulnerability in the Veeam ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the 9 and 10 release lines. Specifically, the module targets the HandshakeResult method used by the Agent. By inducing a failure in the handshake, the Agent wil...
Microsoft Windows NtUserMNDragOver Local Privilege Elevation
This module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex, which is reachable via a NtUserMNDragOver system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint function does not effectively check the validity of the tagPOPUPMENU objects it...
Apache Shiro v1.2.4 Cookie RememberME Deserial RCE
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Shiro v1.2.4. Note that other versions of Apache Shiro may also be exploitable if the encryption key used by Shiro to encrypt rememberMe cookies is known. This module requires Metasploit:...
VMware vCenter Server vmdir Information Disclosure
This module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server version 6.7 prior to the 6.7U3f update, only if upgraded from a previous release line, such as 6.0 or 6.5. If the bind username and password are provided (BINDDN and BINDPW options), thes...
VMware vCenter Server vmdir Authentication Bypass
This module bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user. Version 6.7 prior to the 6.7U3f update is vulnerable, only if upgraded from a previous release line, such as 6.0 or 6.5. Note that it is also possible to provide a bind userna...
Linux Gather HexChat/XChat Enumeration
This module will collect HexChat and XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will...
IBM Data Risk Manager a3user Default Password
This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH. This can be escalated to full root access, as 'a3user' has sudo access with the default password. At the time of...
Multi Manage the screen of the target meterpreter session
This module allows you to view and control the screen of the target computer via a local browser window. The module continually screenshots the target screen and also relays all mouse and keyboard events to session. This module requires Metasploit: https://metasploit.com/download Current source:...
Arista restricted shell escape (with privesc)
This exploit module takes advantage of a poorly configured TACACS+ config, Arista's bash shell and a TACACS+ read-only account to escalate privileges. A CVSS v3 base score of 9.8 has been assigned. This module requires Metasploit: https://metasploit.com/download Current source:...
IBM Data Risk Manager Arbitrary File Download
IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system. The first is an unauthenticated bypass, followed by a path traversal. This module exploits both vulnerabilities, giving an attacker the ability to...
IBM Data Risk Manager Unauthenticated Remote Code Execution
IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. Thi...
Service Tracing Privilege Elevation Vulnerability
This module leverages a trusted file overwrite with a DLL hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
HP Performance Monitoring xglance Priv Esc
This exploit takes advantage of xglance-bin, part of HP's Glance or Performance Monitoring version 11 (and subsequent), which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will...
Metasploit Libnotify Plugin Arbitrary Command Execution
This module exploits a shell command injection vulnerability in the libnotify plugin. This vulnerability affects Metasploit versions 5.0.79 and earlier. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...