6845 matches found
Apache CouchDB Arbitrary Command Execution
CouchDB administrative users can configure the database server via HTTPS. Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitra...
Etcd Keys API Information Gathering
This module queries the etcd API to recursively retrieve all of the stored key value pairs. Etcd by default does not utilize authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Etcd...
lastore-daemon D-Bus Privilege Escalation
This module attempts to gain root privileges on Deepin Linux systems by using lastore-daemon to install a package. The lastore-daemon D-Bus configuration on Deepin Linux permits any user in the sudo group to install arbitrary system packages without providing a password, resulting in code executi...
Linux BPF Sign Extension Local Privilege Escalation
Linux kernel prior to 4.14.8 contains a vulnerability in the Berkeley Packet Filter BPF verifier. The checkaluop function performs incorrect sign extension which allows the verifier to be bypassed, leading to arbitrary kernel read/write. The target system must be compiled with BPF support and...
ifwatchd Privilege Escalation
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in...
Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)
This module will try to find Service Principal Names that are associated with normal user accounts. Since normal accounts' passwords tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for a...
TYPO3 News Module SQL Injection
This module exploits a SQL Injection vulnerability In TYPO3 NewsController.php in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection can be used to obtain password hashe...
ClipBucket beats_uploader Unauthenticated Arbitrary File Upload
This module exploits a vulnerability found in ClipBucket versions before 4.0.0 Release 4902. A malicious file can be uploaded using an unauthenticated arbitrary file upload vulnerability. It is possible for an attacker to upload a malicious script to issue operating system commands. This issue is...
Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service
This module sends a specially crafted packet to port 50000/UDP causing a denial of service of the affected Siemens SIPROTEC 4 and SIPROTEC Compact 'Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service', 'Description' = %q This module sends a specially crafted packet t...
ManageEngine Applications Manager Remote Code Execution
This module exploits command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates suppli...
Memcached UDP Version Scanner
This module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "version" request is executed to obtain the version of memcached. This module requires Metasploit: https://metasploit.com/download Current source:...
GitStack Unsanitized Argument RCE
This module exploits a remote code execution vulnerability that exists in GitStack through v2.3.10, caused by an unsanitized argument being passed to an exec function call. This module has been tested on GitStack v2.3.10. This module requires Metasploit: https://metasploit.com/download Current...
Joomla Component Fields SQLi Remote Code Execution
This module exploits a SQL injection vulnerability in the comfields component, which was introduced to the core of Joomla in version 3.7.0. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Jooml...
NETGEAR TelnetEnable
This module sends a magic packet to a NETGEAR device to enable telnetd. Upon successful connect, a root shell should be presented to the user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
Memcached Stats Amplification Scanner
This module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "stats" request is executed to check if an amplification attack is possible against a third party. This module requires Metasploit: https://metasploit.com/download Current source:...
Exodus Wallet (ElectronJS Framework) remote Code Execution
This module exploits a Remote Code Execution vulnerability in Exodus Wallet, a vulnerability in the ElectronJS Framework protocol handler can be used to get arbitrary command execution if the user clicks on a specially crafted URL. This module requires Metasploit: https://metasploit.com/download...
GitStack Unauthenticated REST API Requests
This modules exploits unauthenticated REST API requests in GitStack through v2.3.10. The module supports requests for listing users of the application and listing available repositories. Additionally, the module can create a user and add the user to the application's repositories. This module has...
Juniper Gather Device General Information
This module collects a Juniper ScreenOS and JunOS device information and configuration...
Windows Inject DLL, Windows x86 Bind Named Pipe Stager
Inject a custom DLL into the exploited process. Listen for a pipe connection Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 349 include Msf::Payload::Stager include...
VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
Inject a VNC Dll via a reflective loader staged. Listen for a pipe connection Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 349 include Msf::Payload::Stager include...
Windows Command Shell, Windows x86 Bind Named Pipe Stager
Spawn a piped command shell staged. Listen for a pipe connection Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 349 include Msf::Payload::Stager include...
Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Listen for a pipe connection Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module...
Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
Uploads an executable and runs it staged. Listen for a pipe connection Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 349 include Msf::Payload::Stager include...
Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
Inject the meterpreter server DLL staged. Listen for a pipe connection Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 349 include Msf::Payload::Stager include...
Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
Inject a DLL via a reflective loader. Listen for a pipe connection Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 349 include Msf::Payload::Stager include...
Atlassian Jira Authenticated Upload Code Execution
This module can be used to execute a payload on Atlassian Jira via the Universal Plugin ManagerUPM. The module requires valid login credentials to an account that has access to the plugin manager. The payload is uploaded as a JAR archive containing a servlet using a POST request against the UPM...
CloudMe Sync v1.10.9
This module exploits a stack-based buffer overflow vulnerability in CloudMe Sync v1.10.9 client application. This module has been tested successfully on Windows 7 SP1 x86. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...
Windows Manage RID Hijacking
This module will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier RID, which should be owned by one existing account on the destination machine. Taking advantage of some Windows Local Users...
Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Spawn a piped command shell Windows x64 staged. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 585 include Msf::Payload::Stager...
Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Inject a VNC Dll via a reflective loader Windows x64 staged. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 585 include...
Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
Inject the meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Disk Savvy Enterprise v10.4.18
This module exploits a stack-based buffer overflow vulnerability in Disk Savvy Enterprise v10.4.18, caused by improper bounds checking of the request sent to the built-in server. This module has been tested successfully on Windows 7 SP1 x86. This module requires Metasploit:...
Eclipse Equinox OSGi Console Command Execution
Exploit Eclipse Equinox OSGi Open Service Gateway initiative console 'fork' command to execute arbitrary commands on the remote system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' class...
Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
Spawn a piped command shell Windows x64 staged. Listen for a pipe connection Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 481 include Msf::Payload::Stager include...
Windows Meterpreter Shell, Bind Named Pipe Inline
Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 177734 include Msf::Payload::TransportConfig...
Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
Inject the meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Listen for a pipe connection Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module...
Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
Inject a VNC Dll via a reflective loader Windows x64 staged. Listen for a pipe connection Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 481 include Msf::Payload::Stag...
Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 203846 include Msf::Payload::TransportConfig...
glibc '$ORIGIN' Expansion Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library glibc dynamic linker. glibc ld.so versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LDAUDIT environment variable when loading setuid executables which...
HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation
This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer overflow in the Connection HTTP header handling by the web server. Exploiting this vulnerability gives full access to the REST API, allowing arbitrary accounts creation. This module requires Metasploit:...
Linux Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1519544 include...
Linux Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1519544 include...
Linux Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 1519544 include...
Claymore Dual GPU Miner Format String dos attack
Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing a denial of service. !/usr/bin/env python3 -- coding: utf-8 - import socket import json...
Ulterius Server File Download Vulnerability
This module exploits a directory traversal vulnerability in Ulterius Server 'Ulterius Server File Download Vulnerability', 'Description' = %q This module exploits a directory traversal vulnerability in Ulterius Server 'Rick Osgood', Vulnerability discovery and PoC 'Jacob Robles' Metasploit module...
MagniComp SysInfo mcsiwrapper Privilege Escalation
This module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This module abuses...
Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
Some TLS implementations handle errors processing RSA key exchanges and encryption PKCS 1 v1.5 messages in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when th...
ASUS infosvr Auth Bypass Command Execution
This module exploits an authentication bypass vulnerability in the infosvr service running on UDP port 9999 on various ASUS routers to execute arbitrary commands as root. This module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote...
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion...
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion betwee...