6845 matches found
Spring Cloud Config Server Directory Traversal
This module exploits an unauthenticated directory traversal vulnerability which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring Cloud Config listens by default on port 8888. This module requires Metasploit:...
RARLAB WinRAR ACE Format Input Validation Remote Code Execution
In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format in UNACEV2.dll. When the filename field is manipulated with specific patterns, the destination extraction folder is ignored, thus treating the filename as an...
Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation
This module exploits a command injection in TimeMachine on macOS 'Mac OS X TimeMachine tmdiagnose Command Injection Privilege Escalation', 'Description' = %q This module exploits a command injection in TimeMachine on macOS = 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX ...
LibreOffice Macro Code Execution
LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. A macro can be tied to a program event by including the script that contains the macro and the function name to be executed. Additionally, a directory traversal vulnerability exis...
Atlassian Confluence Widget Connector Macro Velocity Template Injection
Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embed online videos, slideshows, photostreams and more directly into page. A template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is...
WordPress Google Maps Plugin SQL Injection
This module exploits a SQL injection vulnerability in a REST endpoint registered by the WordPress plugin wp-google-maps between 7.11.00 and 7.11.17 included. As the table prefix can be changed by administrators, set DBPREFIX accordingly. This module requires Metasploit:...
Microsoft Windows Contact File Format Arbitary Code Execution
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact...
Pimcore Unserialize RCE
This module exploits a PHP unserialize in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability. The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method makes it possible to exploit the...
Yum Package Manager Persistence
This module will run a payload when the package manager is used. No handler is ran automatically so you must configure an appropriate exploit/multi/handler to connect. Module modifies a yum plugin to launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/ will show what plugins are...
Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF
This module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP...
APT Package Manager Persistence
This module will run a payload when the package manager is used. No handler is ran automatically so you must configure an appropriate exploit/multi/handler to connect. This module creates a pre-invoke hook for APT in apt.conf.d. The hook name syntax is numeric followed by text. This module requir...
Onion Omega2 Login Brute-Force
OnionOS login scanner module for Onion Omega2 devices. !/usr/bin/env python3 -- coding: utf-8 -- 2019-03-27 05-55 Standard Modules from metasploit import module, loginscanner import json Extra Modules dependenciesmissing = False try: import requests except ImportError: dependenciesmissing = True...
Horde Form File Upload Vulnerability
Horde Groupware Webmail contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. The exploitation requires the Turba subcomponent to be installed. This module was tested on Horde versions 5.2.22 and 5.2.17 running Horde Form subcomponent 'Horde Form File Upload...
Apache Tika Header Command Injection
This module exploits a command injection vulnerability in Apache Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic bytes checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for...
Ruby On Rails File Content Disclosure ('doubletap')
This module uses a path traversal vulnerability in Ruby on Rails versions = "Ruby On Rails File Content Disclosure 'doubletap'", 'Description' = %q This module uses a path traversal vulnerability in Ruby on Rails versions = 'Carter Brainerd ', Metasploit module 'John Hawthorn ' PoC/discovery ,...
AIS logistics ESEL-Server Unauth SQL Injection RCE
This module will execute an arbitrary payload on an "ESEL" server used by the AIS logistic software. The server typically listens on port 5099 without TLS. There could also be server listening on 5100 with TLS but the port 5099 is usually always open. The login process is vulnerable to an SQL...
ES File Explorer Open Port
This module connects to ES File Explorer's HTTP server to run certain commands. The HTTP server is started on app launch, and is available as long as the app is open. Version 4.1.9.7.4 and below are reported vulnerable This module has been tested against 4.1.9.5.1. This module requires Metasploit...
WordPress Crop-image Shell Upload
This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and 'WordPress Crop-image Shell Upload', 'Description' = %q This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and = 4.9.8. The...
Cisco RV130W Routers Management Interface Remote Command Execution
A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based...
PostgreSQL COPY FROM PROGRAM Command Execution
Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with 'pgexecuteserverprogram' to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a ne...
CAN Flood
This module floods a CAN interface with supplied frames. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CAN Flood', 'Description' = 'This module floods a CAN interface with supplied frames.',...
CMS Made Simple (CMSMS) Showtime2 File Upload RCE
This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module "CMS Made Simple CMSMS Showtime2 File Upload RCE", 'Description' = %q This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module = 3.6.2 in CMS Made Simple CMSMS. An authenticated...
IBM BigFix Relay Server Sites and Package Enum
This module retrieves masthead, site, and available package information from IBM BigFix Relay Servers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IBM BigFix Relay Server Sites and Package...
Jenkins ACL Bypass and Metaprogramming RCE
This module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. When the "Java Dropper" target is selected, the original entry point based on classLoader.parseClass is used, which...
Webmin Upload Authenticated RCE
This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the 'Running Processes' proc privilege is set the user can accurately...
Multi Gather Ubiquiti UniFi Controller Backup
On an Ubiquiti UniFi controller, reads the system.properties configuration file and downloads the backup and autobackup files. The files are then decrypted using a known encryption key, then attempted to be repaired by zip. Meterpreter must be used due to the large file sizes, which can be flaky ...
Total.js prior to 3.2.4 Directory Traversal
This module check and exploits a directory traversal vulnerability in Total.js prior to 3.2.4. Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv,...
elFinder PHP Connector exiftran Command Injection
This module exploits a command injection vulnerability in elFinder versions prior to 2.1.48. The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not...
Drupal RESTful Web Services unserialize() RCE
This module exploits a PHP unserialize vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable albeit cached...
Cisco RV320 and RV325 Unauthenticated Remote Code Execution
This exploit module combines an information disclosure CVE-2019-1653 and a command injection vulnerability CVE-2019-1652 together to gain unauthenticated remote code execution on Cisco RV320 and RV325 small business routers. Can be exploited via the WAN interface of the router. Either via HTTPS o...
Microsoft Exchange Privilege Escalation Exploit
This module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724 Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature. This allows us to relay the NTLM authentication to a Domain...
Belkin Wemo UPnP Remote Code Execution
This module exploits a command injection in the Belkin Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo devices are known to be affected, albeit on a different RPORT 49153. This module requires...
Fortinet SSL VPN Bruteforce Login Utility
This module scans for Fortinet SSL VPN web login portals and performs login brute force to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Fortinet SSL VPN Bruteforc...
Unitronics PCOM remote START/STOP/RESET command
Unitronics Vision PLCs allow remote administrative functions to control the PLC using authenticated PCOM commands. This module supports START, STOP and RESET operations. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
BMC Patrol Agent Privilege Escalation Cmd Execution
This module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verfies that the password of the provided user is correct. This also means if the software is...
Cisco RV320/RV326 Configuration Disclosure
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit th...
Xorg X11 Server Local Privilege Escalation
WARNING: Successful execution of this module results in /etc/passwd being overwritten. This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the...
JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure
SIEMENS IP-Camera CVMS2025-IR + CCMS2025, JVC IP-Camera VN-T216VPRU, and Vanderbilt IP-Camera CCPW3025-IR + CVMW3025-IR allow an unauthenticated user to disclose the username & password by requesting the javascript page 'readfile.cgi?query=ADMINID'. Siemens firmwares affected: x.2.2.1798,...
Apply Pot File To Hashes
This module uses a John the Ripper or Hashcat .pot file to crack any password hashes in the creds database instantly. JtR's --show functionality is used to help combine all the passwords into an easy to use format. This module requires Metasploit: https://metasploit.com/download Current source:...
Evince CBT File Command Injection
This module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book .cbt files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited...
Solaris pfexec Upgrade Shell
This module attempts to upgrade a shell session to UID 0 using pfexec. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solaris pfexec Upgrade Shell', 'Description' = %q This module attempts to...
Ubiquiti Discovery Scanner
Detects Ubiquiti devices using a UDP discovery service This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ubiquiti Discovery Scanner', 'Description' = 'Detects Ubiquiti devices using a UDP discove...
C2S DVR Management Password Disclosure
C2S DVR allows an unauthenticated user to disclose the username & password by requesting the javascript page 'read.cgi?page=2'. This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S. This module requires Metasploit: https://metasploit.com/download Current source:...
John the Ripper Windows Password Cracker (Fast Mode)
This module uses John the Ripper to identify weak passwords that have been acquired as hashed files loot or raw LANMAN/NTLM hashes hashdump. The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be...
Nuuo Central Management Server Authenticated Arbitrary File Download
The Nuuo Central Management Server allows an authenticated user to download files from the installation folder. This functionality can be abused to obtain administrative credentials, the SQL Server database password and arbitrary files off the system with directory traversal. The module will...
Nuuo Central Management Authenticated SQL Server SQLi
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xpcmdshell can be enabled and abused to achieve code execution. This module will...
Nuuo Central Management Server User Session Token Bruteforce
Nuuo Central Management Server below version 2.4 has a flaw where it sends the heap address of the user object instead of a real session number when a user logs in. This can be used to reduce the keyspace for the session number from 10 million to 1.2 million, and with a bit of analysis it can be...
Nuuo Central Management Server Authenticated Arbitrary File Upload
The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. The vulnerability is in the "FileName" parameter, which accepts directory traversal ..\..\ characters. Therefore, this function can be abused to overwrite any files in the installation drive of...
SAP Management Console List Config Files
This module attempts to list the config files through the SAP Management Console SOAP Interface. Returns a list of config files found in the SAP configuration with its absolute paths inside the server filesystem. This module requires Metasploit: https://metasploit.com/download Current source:...
Unitronics PCOM Client
Unitronics Vision PLCs allow unauthenticated PCOM commands to query PLC registers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Unitronics PCOM Client', 'Description' = %q Unitronics Vision...