Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1061912 include...
WebKitGTK+ WebKitFaviconDatabase DoS
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
BADPDF Malicious PDF Creator
This module can either create a blank PDF file which contains a UNC link which can be used to capture NetNTLM credentials, or, if the PDFINJECT option is used, it will inject the necessary code into an existing PDF document if possible. This module requires Metasploit:...
LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator
Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' require 'rex/zip' class MetasploitModul...
Windows SMB Multi Dropper
This module, depending on the given filename extension, creates either a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference to the specified remote host, causing SMB connections to be initiated from any user that views the file. This module requires Metasploit:...
HID discoveryd command_blink_on Unauthenticated RCE
This module exploits an unauthenticated remote command execution vulnerability in the discoveryd service exposed by HID VertX and Edge door controllers. This module was tested successfully on a HID Edge model EH400 with firmware version 2.3.1.603 Build 04/23/2012. This module requires Metasploit:...
marked npm module "heading" ReDoS
This module exploits a Regular Expression Denial of Service vulnerability in the npm module "marked". The vulnerable portion of code that this module targets is in the "heading" regular expression. Web applications that use "marked" for generating HTML from markdown are vulnerable. Versions up to...
Cambium ePMP 1000 (up to v2.5) Arbitrary Command Execution
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 Authors Karn Ganeshen...
John the Ripper Password Cracker (Fast Mode)
This module uses John the Ripper to identify weak passwords that have been acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be...
Cambium ePMP SNMP Enumeration
Cambium devices (ePMP, PMP, Force, & others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuratio...
Teradata ODBC SQL Query Module
SQL query module for ODBC connections to local Teradata databases. Port specification (TCP 1025 by default) is not necessary for ODBC connections. Requires ODBC driver and Python Teradata module. !/usr/bin/env python3 -- coding: utf-8 -- 2018-05-09 14-15 Standard Modules import logging Extra Module...
Teradata ODBC Login Scanner Module
Login scanner module for ODBC connections to Teradata databases. Port specification (TCP 1025 by default) is not necessary for ODBC connections. Blank passwords are not supported by ODBC connections. Requires ODBC driver and Python Teradata module. !/usr/bin/env python3 -- coding: utf-8 -- 2018-05-...
IBM QRadar SIEM Unauthenticated Remote Code Execution
IBM QRadar SIEM has three vulnerabilities in the Forensics web application that, when chained together, allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated session cookies...
DCOM Exec
Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system %SYSTEMROOT%\Temp dir and read the rest of the da...
WMI Exec
A similar approach to psexec but executing commands through WMI. !/usr/bin/env python3 Copyright (c) 2003-2018 CORE Security Technologies This software is provided under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information. import...
glibc 'realpath()' Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath and create a SUID root shell. The exploit has offsets for glibc...
Flexense HTTP Server Denial Of Service
This module triggers a Denial of Service vulnerability in the Flexense HTTP server. The vulnerability is caused by a user-mode write access memory violation and can be triggered by rapidly sending a variety of HTTP requests with long HTTP header values. Multiple Flexense applications that are using...
Nanopool Claymore Dual Miner APIs RCE
This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nanopool Claymore Dual Miner APIs RCE', 'Description' =...
DHCP Client Command Injection (DynoRoot)
This module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP...
Unix Command Shell, Reverse TCP (via Ksh)
Connect back and create a command shell via Ksh. Note: Although Ksh is often available, please be aware it isn't usually installed by default. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule...
Hadoop YARN ResourceManager Unauthenticated Command Execution
This module uses Hadoop's standard ResourceManager REST API to execute arbitrary commands on an unsecured Hadoop server. Hadoop administrators should enable Kerberos authentication for these endpoints by changing the 'hadoop.security.authentication' setting in 'core-site.xml' from 'simple' the...
Sudo Commands
This module examines the sudoers configuration for the session user and lists the commands executable via sudo. This module also inspects each command and reports potential avenues for privileged code execution due to poor file system permissions or permitting execution of executables known to be...
D-Link DSL-2750B OS Command Injection
This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices. The vulnerability can be exploited through the "cli" parameter, which is directly used to invoke the "ayecli" binary. Vulnerable firmware versions are 1.01 up to 1.03. This module requires Metasploit:...
PlaySMS import.php Authenticated CSV File Upload Code Execution
This module exploits an authenticated file upload remote code execution vulnerability in PlaySMS Version 1.4. This issue is caused by improper file contents handling in import.php, aka the Phonebook import feature. Authenticated users can upload a CSV file containing a malicious payload via vectors...
AF_PACKET chocobo_root Privilege Escalation
This module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large...
Android 'su' Privilege Escalation
This module uses the su binary present on rooted devices to run a payload as root. A rooted Android device will contain a su binary often linked with an application that allows the user to run commands as root. This module will use the su binary to execute a command stager as root. The command...
Palo Alto Networks readSessionVarsFromFile() Session Corruption
This module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to exploit an XML injection issue, which is then abused to create an arbitrary directory,...
Socks5 Proxy Server
This module provides a socks5 proxy server that uses the builtin Metasploit routing to relay connections...
Reliable Datagram Sockets (RDS) Privilege Escalation
This module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on Fedora 13 i686 with kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04...
Nagios XI Chained Remote Code Execution
This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The...
Displays wireless SSIDs and PSKs
This module displays all wireless AP creds saved on the target device. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Displays wireless SSIDs and PSKs', 'Description' = %q This module displays...
AF_PACKET packet_set_ring Privilege Escalation
This module exploits a heap out-of-bounds write in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2017-7308). The bug was initially introduced in 2011 and patched in version 4.10.6, potentially affecting a large number of kernels; howev...
Metasploit msfd Remote Code Execution
Metasploit's msfd-service makes it possible to get a msfconsole-like interface over a TCP socket. If this socket is accessible on a remote interface, an attacker can execute commands on the victim's machine. If msfd is running with higher privileges than the current local user, this module can al...
Metasploit msfd Remote Code Execution via Browser
Metasploit's msfd-service makes it possible to get a msfconsole-like interface over a TCP socket. This module connects to the msfd-socket through the victim's browser. To execute msfconsole-commands in JavaScript from a web application, this module places the payload in the POST-data. These...
xdebug Unauthenticated OS Command Execution
This module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below. This allows the attacker to execute arbitrary PHP code in the context of the web user. This module requires Metasploit: https://metasploit.com/download Current source:...
PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
This module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in the sendfromfile.php file. Authenticated users can upload a file and rename the file with a malicious payload. This module was tested...
Libuser roothelper Privilege Escalation
This module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This module makes use of the roothelper.c exploit...
Ruby Base64 Encoder
This encoder returns a base64 string encapsulated in eval(%(base64 encoded string).unpack(%(m0)).first). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ruby Base64 Encoder', 'Description' = %q This...
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload UFO. This exploit targets only systems using Ubuntu Trusty / Xenial kernels 4.4.0-21 'Linux Kernel UDP Fragmentation Offset UFO Privilege Escalation', 'Description' = %q This module attempts to gain...
Drupal Drupalgeddon 2 Forms API Property Injection
This module exploits a Drupal property injection in the Forms API. Drupal 6.x, 'Drupal Drupalgeddon 2 Forms API Property Injection', 'Description' = %q This module exploits a Drupal property injection in the Forms API. Drupal 6.x, 'Jasper Mattsson', Vulnerability discovery 'a2u', Proof of concept...
Mantis manage_proj_page PHP Code Execution
Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote Code Execution vulnerability in the sort parameter of the manage_proj_page.php page. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Windows Send Probe Request Packets
This module sends probe requests through the wlan interface. The ESSID field will be used to set a custom message. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Send Probe Request...
HTTP Client LAN IP Address Gather
This module retrieves a browser's network interface IP addresses using WebRTC. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Client LAN IP Address Gather', 'Description' = %q This module...
osCommerce Installer Unauthenticated Code Execution
If the /install/ directory was not removed, it is possible for an unauthenticated attacker to run the "install4.php" script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it. This module requires...
DCOM Exec
A similar approach to psexec but executing commands through DCOM. You can select different objects to be used to execute the commands. !/usr/bin/env python3 Copyright (c) 2003-2018 CORE Security Technologies This software is provided under a slightly modified version of the Apache Software...
Etcd Version Scanner
This module connects to etcd API endpoints, typically on 2379/TCP, and attempts to obtain the version of etcd. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Etcd Version Scanner',...
Steamed Hams
but it's a Metasploit Module This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Steamed Hams', 'Description' = "but it's a Metasploit Module", 'License' = MSFLICENSE, 'Author' = 'bcook-r7' ,...
WebKit not_number defineProperties UAF
This module exploits a UAF vulnerability in WebKit's JavaScriptCore library. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WebKit not_number defineProperties UAF', 'Description' = %q This modu...
Mac OS X APFS Encrypted Volume Password Disclosure
This module exploits a flaw in OSX 10.13 through 10.13.3 that discloses the passwords of encrypted APFS volumes. In OSX a normal user can use the 'log' command to view the system logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS volume the password is visible in plaintext within...
Windows UAC Protection Bypass (Via Slui File Handler Hijack)
This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary .exe application is launched. But slui.exe is an auto-elevated binary that is vulnerable to file handler...