Microsoft Excel .SLK Payload Delivery
This module generates a download-and-execute PowerShell command to be placed in an .SLK Excel spreadsheet. When executed, it will retrieve a payload via HTTP from a web server. When the file is opened, the user will be prompted to "Enable Content." Once this is pressed, the payload will execute...
AddressSanitizer (ASan) SUID Executable Privilege Escalation
This module attempts to gain root privileges on Linux systems using setuid executables compiled with AddressSanitizer (ASan). ASan configuration-related environment variables are permitted when executing setuid executables built with libasan. The log_path option can be set using the ASAN_OPTIONS...
Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)
This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string. Windows 10 after version 1803, April 2018 update, build 17134 and all versions of Windows Server 2019 are not vulnerable. This module requires...
Imperva SecureSphere PWS Command Injection
This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs do not properly sanitize user-supplied command parameters and directly pass them to the corresponding CLI utility, leading to command injection. Agent...
Adobe ColdFusion CKEditor unrestricted file upload
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11 Update 14 and earlier, ColdFusion 2016 Update 6 and earlier, and ColdFusion 2018 July 12 release allows unauthenticated remote attackers to upload and execute JSP files through the filemanager plugin. Tested on Adobe ColdFusion...
blueman set_dhcp_handler D-Bus Privilege Escalation
This module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The org.blueman.Mechanism.EnableNetwork D-Bus interface exposes the set_dhcp_handler function, which uses user input in a call to eval without sanitization, resulting...
Windows Gather PSReadline History
Gathers PowerShell history data from the target machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion
This module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182. This module...
Mailcleaner Remote Code Execution
This module exploits a command injection vulnerability in the MailCleaner Community Edition product. An authenticated user can execute an operating system command in the context of the web server user, which is root. The /admin/managetracing/search/search endpoint takes several user inputs and then...
DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)
A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition. MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA,...
Oracle Weblogic Server Deserialization RCE - RMI UnicastRef
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object sun.rmi.server.UnicastRef to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...
Oracle Weblogic Server Deserialization RCE - MarshalledObject
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object weblogic.corba.utils.MarshalledObject to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...
Oracle Weblogic Server Deserialization RCE - Raw Object
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object weblogic.jms.common.StreamMessageImpl to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...
Snap Creek Duplicator WordPress plugin code injection
When the WordPress plugin Snap Creek Duplicator restores a backup, it leaves dangerous files in the filesystem such as installer.php and installer-backup.php. These files allow anyone to call a function that overwrites the wp-config.php file, AND this function does not sanitize POST parameters befo...
Erlang Port Mapper Daemon Cookie RCE
The Erlang port mapper daemon is used to coordinate distributed Erlang instances. Should an attacker obtain the authentication cookie, RCE is trivial. Usually, this cookie is named ".erlang.cookie" and its location varies. This module requires Metasploit: https://metasploit.com/download Current source...
FreeBSD Intel SYSRET Privilege Escalation
This module exploits a vulnerability in the FreeBSD kernel when running on 64-bit Intel processors. By design, 64-bit processors following the x86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register...
Chrome Gather Cookies
Read all cookies from the Default Chrome profile of the target user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
NUUO NVRmini upgrade_handle.php Remote Command Execution
This module exploits a vulnerability in the web application of the NUUO NVRmini IP camera, which can be triggered via the writeuploaddir command in the upgrade_handle.php file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Exchange email enumeration
Error-based user enumeration for Office 365 integrated email addresses...
On premise user enumeration
On-premise enumeration of valid Exchange users...
Emacs movemail Privilege Escalation
This module exploits a SUID installation of the Emacs movemail utility to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local. The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg. This module requires Metasploit: https://metasploit.com/download Current source:...
Linux x64 Command Shell, Bind TCP Inline (IPv6)
Listen for an IPv6 connection and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Disable Windows Defender Signatures
Given appropriate rights, this module uses the Windows Defender command-line utility mpcmdrun.exe (a scanning and automation tool) to disable all signatures installed on the compromised machine. The tool is prominently used for scheduling scans and updating the signature or...
Vulnerable domain identification
Identifying potentially vulnerable Exchange endpoints...
CyberLink LabelPrint 2.5 Stack Buffer Overflow
This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. The vulnerability is triggered when opening a .lpp project file containing an overly long string via the open file menu. This results in overwriting a structured exception handler record and taking over the...
Linux x64 Command Shell, Reverse TCP Inline (IPv6)
Connect back to attacker and spawn a command shell over IPv6. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
WordPress WP GDPR Compliance Plugin Privilege Escalation
The WordPress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set WordPress administration options by overwriting values within the database. The vulnerability is...
Unitrends Enterprise Backup bpserverd Privilege Escalation
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This is very similar to...
Xorg X11 Server SUID modulepath Privilege Escalation
This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for...
Linux Nested User Namespace idmap Limit Local Privilege Escalation
This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the...
php imap_open Remote Code Execution
The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary. SSH's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom...
Mac OS X libxpc MITM Privilege Escalation
This module exploits a vulnerability in libxpc on macOS <= 10.13.3. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with...
Safari Proxy Object Type Confusion
This module exploits a type confusion bug in the JavaScript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e....
Xorg X11 Server SUID logfile Privilege Escalation
This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server to elevate privileges and run arbitrary code...
HP Intelligent Management Java Deserialization RCE
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebDMDebugServlet, which listens on TCP...
Polycom Command Shell Authorization Bypass
The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prom...
iOS Text Gatherer
This module collects text messages from iPhones. Tested on iOS 10.3.3 on an iPhone 5. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
iOS Image Gatherer
This module collects images from iPhones. Module was tested on iOS 10.3.3 on an iPhone 5. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
IBM WebSphere MQ Login Check
This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try. This module requires Metasploit: https://metasploit.com/download Current source:...
Identify Queue Manager Name and MQ Version
Run this auxiliary against the listening port of an IBM MQ Queue Manager to identify its name and version. Any channel type can be used to get this information as long as the name of the channel is valid. This module requires Metasploit: https://metasploit.com/download Current source:...
IBM WebSphere MQ Channel Name Bruteforce
This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
WebExec Authenticated User Code Execution
This module uses a valid username and password of any level, or a password hash, to execute an arbitrary payload. This module is similar to the "psexec" module, except that it allows any non-guest account by default. This module requires Metasploit: https://metasploit.com/download Current source:...
WebEx Remote Command Execution Utility
This module enables the execution of a single command as System by exploiting a remote code execution vulnerability in Cisco's WebEx client software. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
WebEx Local Service Permissions Exploit
This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations. This module requires Metasploit: https://metasploit.com/download Current source:...
blueimp's jQuery (Arbitrary) File Upload
This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions...
Morris Worm fingerd Stack Buffer Overflow
This module exploits a stack buffer overflow in fingerd on 4.3BSD. This vulnerability was exploited by the Morris worm on 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently, only bsd/vax/shell_reverse_tcp is supported. This module requires Metasploit:...
BSD Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Windows Persistent Service Installer
This module generates and uploads an executable to a remote host, then installs it as a persistent service. It creates a new service which starts the payload whenever the service is running. Admin or SYSTEM privilege is required. This module requires Metasploit:...
QNX qconn Command Execution
This module uses the qconn daemon on QNX systems to gain a shell. The QNX qconn daemon does not require authentication and allows remote users to execute arbitrary operating system commands. This module has been tested successfully on QNX Neutrino 6.5.0 x86 and 6.5.0 SP1 x86. This module requires...
Morris Worm sendmail Debug Mode Shell Escape
This module exploits sendmail's well-known historical debug mode to escape to a shell and execute commands in the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm on 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently, only...