6845 matches found
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables...
Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow
This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16 by using the import command option to import a specially crafted XML file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Command Shell, Reverse UDP (via python)
Creates an interactive shell via Python; encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Command Shell, Reverse UDP Stager with UUID Support
Spawn a piped command shell (staged). Connect back to the attacker, with UUID support. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Meterpreter (skape/jt Injection), Reverse UDP Stager with UUID Support
Inject the meterpreter server DLL (staged). Connect back to the attacker, with UUID support. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Reflective DLL Injection, Reverse UDP Stager with UUID Support
Inject a DLL via a reflective loader. Connect back to the attacker, with UUID support. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Unix Command Shell, Bind UDP (via socat)
Creates an interactive shell via socat. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
VNC Server (Reflective Injection), Reverse UDP Stager with UUID Support
Inject a VNC DLL via a reflective loader (staged). Connect back to the attacker, with UUID support. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Unix Command Shell, Reverse UDP (via socat)
Creates an interactive shell via socat. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Inject DLL, Reverse UDP Stager with UUID Support
Inject a custom DLL into the exploited process. Connect back to the attacker, with UUID support. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Upload/Execute, Reverse UDP Stager with UUID Support
Uploads an executable and runs it (staged). Connect back to the attacker, with UUID support. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Meterpreter (Reflective Injection), Reverse UDP Stager with UUID Support
Inject the meterpreter server DLL via the Reflective DLL Injection payload (staged). Connect back to the attacker, with UUID support. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Web browsers HSTS entries eraser
This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox, Google Chrome, Opera, Safari and wget. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
AsusWRT LAN Unauthenticated Remote Code Execution
The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special...
Open WAN-to-LAN proxy on AT&T routers
The Arris NVG589 and NVG599 routers configured with AT&T U-verse firmware 9.2.2h0d83 expose an unauthenticated proxy that allows connecting from WAN to LAN by MAC address. ...
ABRT raceabrt Privilege Escalation
This module attempts to gain root privileges on Linux systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on...
Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow
This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16 by using the import command option to import a specially crafted XML file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Apport / ABRT chroot Privilege Escalation
This module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace "container". Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing t...
Juju-run Agent Privilege Escalation
This module attempts to gain root privileges on Juju agent systems running the juju-run agent utility. Juju agent systems running agent tools prior to version 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket to manage software "units" without setting appropriate...
BMC Server Automation RSCD Agent NSH Remote Command Execution
This module exploits a weak access control check in the BMC Server Automation RSCD agent that allows arbitrary operating system commands to be executed without authentication. Note: under Windows, non-PowerShell commands may need to be prefixed with 'cmd /c'. This module requires Metasploit:...
NIS bootparamd Domain Name Disclosure
This module discloses the NIS domain name from bootparamd. You must know a client address from the target's bootparams file. Hint: try hosts within the same network range as the target. This module requires Metasploit: https://metasploit.com/download Current source:...
NIS ypserv Map Dumper
This module dumps the specified map from NIS ypserv. The following examples are from ypcat -x: Use "ethers" for map "ethers.byname" Use "aliases" for map "mail.aliases" Use "services" for map "services.byname" Use "protocols" for map "protocols.bynumber" Use "hosts" for map "hosts.byname" Use...
Oracle WebLogic wls-wsat Component Deserialization RCE
The Oracle WebLogic WLS WSAT Component is vulnerable to an XML deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note th...
HPE iMC dbman RestoreDBase Unauthenticated RCE
This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database (OpCode 10007); however, the database connection username i...
HPE iMC dbman RestartDB Unauthenticated RCE
This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008); however, the instance ID is not...
LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow
This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote code execution. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
pfSense authenticated graph status RCE
pfSense, a free BSD based open source firewall distribution, version ... Discovered by Security-Assessment.com; Metasploit module by Milton Valencia...
Ayukov NFTP FTP Client Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP Client 2.0 and earlier. By responding with a long string of data for the SYST request, it is possible to cause a denial-of-service condition on the FTP client, or arbitrary remote code execution under the...
Brother Debut http Denial Of Service
The Debut embedded HTTP server ... Vulnerability disclosure by z00n; Metasploit module by h00die. References: CVE-2017-16249, URL...
Postfixadmin Protected Alias Deletion Vulnerability
Postfixadmin installations between 2.91 and 3.0.1 do not check if an admin is allowed to delete protected aliases. This vulnerability can be used to redirect protected aliases to another mail address, e.g. rewriting the postmaster@domain alias. This module requires Metasploit:...
Unix Command Shell, Reverse TCP (stub)
Creates an interactive shell through an inbound connection (stub only, no payload). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Unix Command Shell, Bind TCP (stub)
Listen for a connection and spawn a command shell (stub only, no payload). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Cambium ePMP 1000 Account Password Reset
This module exploits an access control vulnerability in the Cambium ePMP device management portal. It requires any one of the following non-admin login credentials - installer/installer, home/home - to reset the password of other existing users, including 'admin'. All versions ...
Cambium ePMP 1000 'get_chart' Command Injection (v3.1-3.5-RC7)
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 v3.1-3.5-RC7 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands. This module requires Metasploit:...
Cambium ePMP 1000 'ping' Command Injection (up to v2.5)
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000. Author: Karn Ganeshen. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Cambium ePMP1000 'get_chart' Shell via Command Injection (v3.1-3.5-RC7)
This module exploits an OS Command Injection vulnerability in Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell. The module has been tested on versions 3.1-3.5-RC7. Thi...
Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution
This module abuses SNMP write access to SNMP-EXTEND-MIB to configure MIB extensions, leading to remote code execution. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Commvault Communications Service (cvd) Command Injection
This module exploits a command injection vulnerability discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5 and v10). The vulnerability exists in the cvd.exe service and allows an attacker to execute arbitrary commands in the context of the service. By default, the...
Cambium ePMP1000 'ping' Shell via Command Injection (up to v2.5)
This module exploits an OS Command Injection vulnerability in Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell. This module requires Metasploit:...
Linksys WVBR0-25 User-Agent Command Execution
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie cable boxes to the Genie DVR, is vulnerable to OS command injection in version ...
MQTT Authentication Scanner
This module attempts to authenticate to MQTT. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
phpCollab 2.5.1 Unauthenticated File Upload
This module exploits a file upload vulnerability in phpCollab 2.5.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user. The exploit has been tested on Ubuntu 16.04.3 64-bit. This module requires Metasploit:...
Apple iOS aarch64 Command Shell, Reverse TCP Inline
Connect back to the attacker and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Cambium cnPilot r200/r201 Command Execution as 'root'
Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to 4.3.3-R4 contain an undocumented backdoor 'root' shell. This shell is accessible via a specific URL to any authenticated user. The module uses this shell to execute arbitrary system commands as 'root'. This module requires...
Cambium cnPilot r200/r201 SNMP Enumeration
Cambium cnPilot r200/r201 devices can be administered using SNMP. The device configuration contains IP addresses, keys, passwords, and lots of juicy information. This module exploits an access control flaw which allows remotely extracting sensitive information such as account passwords, WiFi PSK, ...
Cambium cnPilot r200/r201 Login Scanner and Config Dump
This module scans for Cambium cnPilot r200/r201 management login portals, attempts to identify valid credentials, and dumps the device configuration. The device has at least two users - admin and user. Due to an access control vulnerability, it is possible for the 'user' account to access full device...
Cambium ePMP 1000 SNMP Enumeration
Cambium devices (ePMP, PMP, Force, and others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuratio...
Cambium cnPilot r200/r201 File Path Traversal
This module exploits a file path traversal vulnerability in Cambium cnPilot r200/r201 to read arbitrary files off the file system. Affected versions: 4.3.3-R4 and prior. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewor...
GoAhead Web Server LD_PRELOAD Arbitrary Module Load
This module triggers an arbitrary shared library load vulnerability in GoAhead web server versions between 2.5 and ... that have the CGI module enabled. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
DirectAdmin Web Control Panel Login Utility
This module will attempt to authenticate to a DirectAdmin Web Control Panel. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...