
6845 matches found

Metasploit
•added 2020/01/18 8:34 a.m.•227 views

Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation

This module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted...

CVSS 5.5, AI score 7.2, EPSS 0.07679
Exploits: 7
Metasploit
•added 2020/01/18 2:12 a.m.•94 views

WordPress InfiniteWP Client Authentication Bypass

This module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGIN_FILE. The module will attempt to retrieve the original PLUGIN_FILE contents and restore them after payload...

AI score 8.4
Exploits: 0
Metasploit
•added 2020/01/17 10:57 a.m.•50 views

Tautulli v2.1.9 - Shutdown Denial of Service

Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL. This module requires Metasploit (https://metasploit.com/download); current source: https://github.com/rapid7/metasploit-framework

CVSS 6.5, AI score 0.4, EPSS 0.14706
Exploits: 9
Metasploit
•added 2020/01/14 6:50 a.m.•559 views

Webmin password_change.cgi Backdoor

This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site. Unknown attackers inserted Perl qx statements into the build server's source code on two separate occasions: onc...

CVSS 9.8, EPSS 0.99766
Exploits: 37
Metasploit
•added 2020/01/14 2:25 a.m.•31 views

Citrix ADC (NetScaler) Directory Traversal RCE

This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload...

AI score 7.5
Exploits: 0
Metasploit
•added 2020/01/13 10:39 p.m.•237 views

Citrix ADC (NetScaler) Directory Traversal Scanner

This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a...

CVSS 9.8, AI score 0.2, EPSS 0.99999
Exploits: 48
Metasploit
•added 2020/01/13 4:18 p.m.•19 views

D-Link DIR-859 Unauthenticated Remote Command Execution

D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP interface. The vulnerability exists in /gena.cgi (function genacgi_main() in /htdocs/cgibin), which is accessible without credentials.

CVSS 9.8, AI score 7.5, EPSS 0.89624
Exploits: 8
Metasploit
•added 2020/01/13 1:56 a.m.•53 views

"Cablehaunt" Cable Modem WebSocket DoS

There exists a buffer overflow vulnerability in certain Cable Modem Spectrum Analyzer interfaces. This overflow is exploitable, but since an exploit would differ between every make, model, and firmware version which also differs from ISP to ISP, this module simply causes a Denial of Service to te...

CVSS 8.8, AI score 10, EPSS 0.22924
Exploits: 3
Metasploit
•added 2020/01/10 12:58 a.m.•31 views

Install OpenSSH for Windows

This module installs OpenSSH server and client for Windows using PowerShell. SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.

AI score 0.2
Exploits: 0
Metasploit
•added 2020/01/09 1:3 p.m.•42 views

Barco WePresent file_transfer.cgi Command Injection

This module exploits an unauthenticated remote command injection vulnerability found in Barco WePresent and related OEM'ed products. The vulnerability is triggered via an HTTP POST request to the file_transfer.cgi endpoint.

CVSS 9.8, AI score 0.3, EPSS 0.98952
Exploits: 10
Metasploit
•added 2020/01/03 8:13 p.m.•37 views

Plantronics Hub SpokesUpdateService Privilege Escalation

The Plantronics Hub client application for Windows makes use of an automatic update service (SpokesUpdateService.exe) which automatically executes a file specified in the MajorUpgrade.config configuration file as SYSTEM. The configuration file is writable by all users by default. This module has be...

CVSS 7.8, AI score 0.7, EPSS 0.04979
Exploits: 5
Metasploit
•added 2020/01/01 9:36 a.m.•208 views

TVT NVMS-1000 Directory Traversal

This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.

CVSS 7.5, AI score 7.2, EPSS 0.96071
Exploits: 6
Metasploit
•added 2019/12/26 10:12 a.m.•71 views

Apache Solr Remote Code Execution via Velocity Template

This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom Velocity template. Currently, this module only supports Sol...

CVSS 7.5, AI score 8.1, EPSS 0.98567
Exploits: 12
Metasploit
•added 2019/12/24 6:31 p.m.•28 views

DLINK DWL-2600 Authenticated Remote Command Injection

Some DLINK Access Points are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin.

CVSS 7.8, AI score 7.7, EPSS 0.96635
Exploits: 7
Metasploit
•added 2019/12/22 8:46 a.m.•262 views

OpenBSD Dynamic Loader chpass Privilege Escalation

This module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in...

CVSS 7.8, AI score 0.4, EPSS 0.03522
Exploits: 12
Metasploit
•added 2019/12/18 8:5 p.m.•102 views

Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation

This module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on: Fedora 13 i686 kernel version 2.6.33.3-85.fc13.i686.PAE; and Ubuntu 10.04...

CVSS 7.8, AI score 7.8, EPSS 0.11217
Exploits: 16
Metasploit
•added 2019/12/15 2:40 a.m.•46 views

Bash Profile Persistence

This module writes an execution trigger to the target's Bash profile. The execution trigger executes a call back payload whenever the target user opens a Bash terminal. A handler is not run automatically, so you must configure an appropriate exploit/multi/handler to receive the callback. This...

AI score 0.4
Exploits: 0
Metasploit
•added 2019/12/14 1:26 p.m.•19 views

OpenNetAdmin Ping Command Injection

This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.

AI score 7.5
Exploits: 0
Metasploit
•added 2019/12/11 6:48 a.m.•45 views

Reptile Rootkit reptile_cmd Privilege Escalation

This module uses Reptile rootkit's reptile_cmd backdoor executable to gain root privileges using the root command. This module has been tested successfully with Reptile from master branch 2019-03-04 on Ubuntu 18.04.3 x64 and Linux Mint 19 x64.

AI score 7.2
Exploits: 0
Metasploit
•added 2019/12/10 1:9 a.m.•288 views

Microsoft UPnP Local Privilege Elevation Vulnerability

This exploit uses two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT...

CVSS 7.8, AI score 8.2, EPSS 0.2995
Exploits: 25
Metasploit
•added 2019/11/13 2:26 p.m.•58 views

Google Chrome 72 and 73 Array.map exploit

This module exploits an issue in Chrome 73.0.3683.86 64 bit. The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RW...

CVSS 6.5, AI score 7.2, EPSS 0.55925
Exploits: 6
Metasploit
•added 2019/11/10 7:27 a.m.•24 views

Wordpress Plainview Activity Monitor RCE

The Plainview Activity Monitor WordPress plugin is vulnerable to OS command injection, which allows an attacker to remotely execute commands on the underlying system. The application passes unsafe user-supplied data in the ip parameter into activities_overview.php. Privileges are required in order to exploit this...

CVSS 8.8, AI score 0.9, EPSS 0.7699
Exploits: 11
Metasploit
•added 2019/11/09 8:55 p.m.•157 views

Password Cracker: Mobile

This module uses Hashcat to identify weak passwords that have been acquired from Android systems. These utilize MD5 or SHA1 hashing. Android Samsung SHA1 is format 5800 in Hashcat. Android non-Samsung SHA1 is format 110 in Hashcat. Android MD5 is format 10. JTR does not support Android hashes at...

AI score 7.4
Exploits: 0
Metasploit
•added 2019/11/09 3:9 p.m.•96 views

Android Gather Dump Password Hashes for Android Systems

Post Module to dump the password hashes for Android System. Root is required. To perform this operation, two things are needed. First, a password.key file is required as this contains the hash but no salt. Next, a sqlite3 database is needed with supporting files to pull the salt from. Combined,...

AI score 7.5
Exploits: 0
Metasploit
•added 2019/11/06 7:58 a.m.•53 views

Unix Command Shell, Bind TCP (via jjs)

Listen for a connection and spawn a command shell via jjs.

AI score 0.4
Exploits: 0
Metasploit
•added 2019/11/06 7:57 a.m.•57 views

Unix Command Shell, Reverse TCP (via jjs)

Connect back and create a command shell via jjs.

AI score 7.5
Exploits: 0
Metasploit
•added 2019/11/05 5:27 p.m.•34 views

OpenMRS Java Deserialization RCE

OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the webservices.rest module used in OpenMRS Platform. Unauthenticated remote code execution can be achieved by sending a malicious XML payload ...

CVSS 9.8, EPSS 0.98811
Exploits: 10
Metasploit
•added 2019/11/05 2:57 p.m.•63 views

Bludit Directory Traversal Image File Upload Vulnerability

This module exploits a vulnerability in Bludit. A remote user could abuse the uuid parameter in the image upload feature in order to save a malicious payload anywhere onto the server, and then use a custom .htaccess file to bypass the file extension check to finally get remote code execution. Thi...

CVSS 8.8, AI score 7.5, EPSS 0.77962
Exploits: 16
Metasploit
•added 2019/11/02 10:3 p.m.•33 views

FreeSWITCH Event Socket Command Execution

This module uses the FreeSWITCH event socket interface to execute system commands using the system API command. The event socket service is enabled by default and listens on TCP port 8021 on the local network interface. This module has been tested successfully on FreeSWITCH versions:...

AI score 10
Exploits: 0
Metasploit
•added 2019/11/01 11:38 p.m.•23 views

FusionPBX Command exec.php Command Execution

This module uses administrative functionality available in FusionPBX to gain a shell. The Command section of the application permits users with exec_view permissions, or superadmin permissions, to execute arbitrary system commands, or arbitrary PHP code, as the web server user. This module has bee...

AI score 1
Exploits: 0
Metasploit
•added 2019/11/01 8:11 p.m.•41 views

FusionPBX Operator Panel exec.php Command Execution

This module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior. The exec.php file within the Operator Panel permits users with operator_panel_view permissions, or administrator permissions, to execute arbitrary commands as the web server user by sending ...

CVSS 8.8, AI score 0.6, EPSS 0.8748
Exploits: 9
Metasploit
•added 2019/11/01 11:11 a.m.•66 views

CMS Made Simple Authenticated RCE via object injection

An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager in the files action.admin_bulk_css.php and action.admin_bulk_template.php, with an unprivileged user with Designer permission, it is possible to reach an unserialize call with a crafted value in the m1_allparms parameter, an...

CVSS 8.8, AI score 7.3, EPSS 0.12503
Exploits: 3
Metasploit
•added 2019/10/31 1:38 a.m.•85 views

Windows Escalate UAC Protection Bypass (Via dot net profiler)

Microsoft Windows allows for the automatic loading of a profiling COM object during the launch of a CLR process based on certain environment variables ostensibly to monitor execution. In this case, we abuse the profiler by pointing to a payload DLL that will be launched as the profiling thread...

AI score 6.9
Exploits: 0
Metasploit
•added 2019/10/31 1:8 a.m.•40 views

Pulse Secure VPN Arbitrary Command Execution

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that...

CVSS 7.2, AI score 0.5, EPSS 0.98617
Exploits: 12
Metasploit
•added 2019/10/29 7:49 p.m.•33 views

Ajenti auth username Command Injection

This module exploits a command injection in Ajenti == 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.

AI score 0.5
Exploits: 0
Metasploit
•added 2019/10/29 3:53 p.m.•79 views

rConfig install Command Execution

This module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The install directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the ajaxServerSettingsChk.php file as the web server...

CVSS 9.8, AI score 0.7, EPSS 0.97702
Exploits: 11
Metasploit
•added 2019/10/27 4:25 p.m.•38 views

Adobe ColdFusion RDS Authentication Bypass

Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Due to default settings or misconfiguration, its password can be set to an empty value. This allows an attacker to create a session via the RDS login that can be carried over to th...

AI score 0.8
Exploits: 0
Metasploit
•added 2019/10/27 6:46 a.m.•108 views

BSD Dump Password Hashes

Post module to dump the password hashes for all users on a BSD system.

AI score 6.9
Exploits: 0
Metasploit
•added 2019/10/25 8:1 p.m.•92 views

Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)

This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when Windows Backup and Restore is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a regist...

AI score 7.1
Exploits: 0
Metasploit
•added 2019/10/23 4:32 p.m.•34 views

Test SSH Github Access

This module will attempt to test remote Git access using .ssh/id_* private keys. This works against GitHub and GitLab by default, but can easily be extended to support more server types.

AI score 7.3
Exploits: 0
Metasploit
•added 2019/10/21 4:11 p.m.•42 views

Nostromo Directory Traversal Remote Command Execution

This module exploits a remote command execution vulnerability in Nostromo... Authors: Quentin Kaiser (Metasploit module), sp0re (original public exploit)...

CVSS 9.8, AI score 10, EPSS 0.99057
Exploits: 24
Metasploit
•added 2019/10/21 6:14 a.m.•56 views

Solaris xscreensaver log Privilege Escalation

This module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version...

CVSS 8.8, AI score 7, EPSS 0.13506
Exploits: 8
Metasploit
•added 2019/10/18 11:51 a.m.•46 views

vBulletin widgetConfig RCE

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring POST request.

CVSS 9.8, AI score 9.9, EPSS 0.99728
Exploits: 27
Metasploit
•added 2019/10/17 10:48 a.m.•301 views

Android Binder Use-After-Free Exploit

This module exploits CVE-2019-2215, which is a use-after-free in Binder in the Android kernel. The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If chained with a browser renderer exploit, this bug could fully compromise a device throu...

CVSS 7.8, AI score 7.4, EPSS 0.72105
Exploits: 26
Metasploit
•added 2019/10/17 7:44 a.m.•40 views

ThinVNC Directory Traversal

This module exploits a directory traversal vulnerability in ThinVNC versions 1.0b1 and prior which allows unauthenticated users to retrieve arbitrary files, including the ThinVNC configuration file. This module has been tested successfully on ThinVNC versions 1.0b1 and "ThinVNCLatest" 2018-12-07...

CVSS 9.8, EPSS 0.96758
Exploits: 11
Metasploit
•added 2019/10/16 4:45 a.m.•29 views

Gather GRUB Password

This module gathers GRUB passwords from GRUB bootloader config files.

Exploits: 0
Metasploit
•added 2019/10/15 3:11 p.m.•38 views

Total.js CMS 12 Widget JavaScript Code Injection

This module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution.

CVSS 9.9, AI score 7.3, EPSS 0.79204
Exploits: 5
Metasploit
•added 2019/10/11 4:26 p.m.•77 views

URGENT/11 Scanner, Based on Detection Tool by Armis

This module detects VxWorks and the IPnet IP stack, along with devices vulnerable to CVE-2019-12258.

CVSS 7.5, AI score 8.7, EPSS 0.23354
Exploits: 2
Metasploit
•added 2019/10/09 2:54 p.m.•33 views

Metasploit HTTP(S) handler DoS

This module exploits the Metasploit HTTP(S) handler by sending a specially crafted HTTP request that gets added as a resource handler. Resources which come from the external connections are evaluated as RegEx in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS. Test...

CVSS 7.5, AI score 6.9, EPSS 0.41688
Exploits: 2
Metasploit
•added 2019/10/03 2:47 p.m.•48 views

Windows Manage Memory Shellcode Injection Module

This module will inject into the memory of a process a specified shellcode.

AI score 7
Exploits: 0

Total number of security vulnerabilities: 6845