6845 matches found

Metasploit
•added 2017/05/18 4:12 p.m.•22 views

VX Search Enterprise GET Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in the web interface of VX Search Enterprise v9.5.12, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1 x86. This...

7.4 AI score
Exploits: 0

Metasploit
•added 2017/05/17 9:53 a.m.•105 views

Sync Breeze Enterprise GET Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28, and v10.1.16, caused by improper bounds checking of the request in HTTP GET and POST requests sent to the built-in web server. This module has been tested successfull...

9.8 CVSS, 0.1 AI score, 0.22483 EPSS
Exploits: 7

Metasploit
•added 2017/05/16 2:21 p.m.•84 views

Moxa Device Credential Retrieval

The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. Many devices with firmware versions older than 2017 or late 2016 allow admin credentials and SNMP read and read/wri...

9.8 CVSS, 0.3 AI score, 0.20215 EPSS
Exploits: 4

Metasploit
•added 2017/05/15 11:57 p.m.•22 views

Octopus Deploy Authenticated Code Execution

This module can be used to execute a payload on an Octopus Deploy server given valid credentials or an API key. The payload is executed as a powershell script step on the Octopus Deploy server during a deployment. This module requires Metasploit: https://metasploit.com/download Current source:...

7.3 AI score
Exploits: 0

Metasploit
•added 2017/05/12 4:37 p.m.•16 views

BuilderEngine Arbitrary File Upload Vulnerability and execution

This module exploits a vulnerability found in BuilderEngine 3.5.0 via elFinder 2.0. The jquery-file-upload plugin can be abused to upload a malicious file, which would result in arbitrary remote code execution under the context of the web server. This module requires Metasploit:...

10 AI score
Exploits: 0

Metasploit
•added 2017/05/11 4:1 a.m.•59 views

Multi Manage Network Route via Meterpreter Session

This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to...

6.9 AI score
Exploits: 0

Metasploit
•added 2017/05/10 8:17 p.m.•165 views

WordPress PHPMailer Host Header Command Injection

This module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered...

9.8 CVSS, 9.7 AI score, 0.99714 EPSS
Exploits: 58

Metasploit
•added 2017/05/08 6:24 p.m.•87 views

Intel AMT Digest Authentication Bypass Scanner

This module scans for Intel Active Management Technology endpoints and attempts to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service can be found on ports 16992, 16993 (tls), 623, and 624 (tls). This module requires Metasploit: https://metasploit.com/download Current source:...

9.8 CVSS, 7.5 AI score, 0.92189 EPSS
Exploits: 7

Metasploit
•added 2017/05/05 7:54 a.m.•18 views

Serviio Media Server checkStreamUrl Command Execution

This module exploits an unauthenticated remote command execution vulnerability in the console component of Serviio Media Server versions 1.4 to 1.8 on Windows operating systems. The console service on port 23423 by default exposes a REST API which does not require authentication. The 'actio...

1.3 AI score
Exploits: 0

Metasploit
•added 2017/05/04 1:44 p.m.•78 views

Qmail SMTP Bash Environment Variable Injection (Shellshock)

This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH Shellshock. This flaw works on the latest Qmail...

9.8 CVSS, 7.3 AI score, 0.99999 EPSS
Exploits: 130

Metasploit
•added 2017/05/03 4:18 p.m.•17 views

Crypttech CryptoLog Remote Code Execution

This module exploits a SQL injection and command injection vulnerability in the PHP version of CryptoLog. An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities are no longer present in the ASP.NET version CryptoLog, available since 2009...

9 AI score
Exploits: 0

Metasploit
•added 2017/05/02 9:19 p.m.•37 views

Module to Probe Different Data Points in a CAN Packet

Scans between two CAN IDs and writes data at each byte position. It will either write a set byte value (default 0xFF) or iterate through all possible values of that byte position (takes much longer). Does not check for responses and is basically a simple blind fuzzer. This module requires Metasploit:...

0.1 AI score
Exploits: 0

Metasploit
•added 2017/04/30 10:57 p.m.•41 views

Unix Command Shell, Reverse TCP (via ncat)

Creates an interactive shell via ncat, utilizing ssl mode This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 42 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions...

7.4 AI score
Exploits: 0

Metasploit
•added 2017/04/30 1:3 p.m.•97 views

WordPress Traversal Directory DoS

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer...

7.1 CVSS, 5.9 AI score, 0.38445 EPSS
Exploits: 6

Metasploit
•added 2017/04/29 12:29 p.m.•32 views

MediaWiki SyntaxHighlight extension option injection vulnerability

This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private. This vulnerability affects any MediaWiki...

9.8 CVSS, 10 AI score, 0.11653 EPSS
Exploits: 5

Metasploit
•added 2017/04/28 2:56 p.m.•54 views

Ghostscript Type Confusion Arbitrary Command Execution

This module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects Ghostscript versions 9.21 and earlier and can be exploited through libraries such as ImageMagick and Pillow. This module requires Metasploit:...

7.8 CVSS, 8.1 AI score, 0.96968 EPSS
Exploits: 7

Metasploit
•added 2017/04/26 2:19 p.m.•30 views

Dup Scout Enterprise GET Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in the web interface of Dup Scout Enterprise versions 'Dup Scout Enterprise GET Buffer Overflow', 'Description' = %q This module exploits a stack-based buffer overflow vulnerability in the web interface of Dup Scout Enterprise...

9.8 CVSS, 8.2 AI score, 0.79671 EPSS
Exploits: 3

Metasploit
•added 2017/04/21 8:17 p.m.•34 views

Gnome-Keyring Dump

Use libgnome-keyring to extract network passwords for the current user. This module does not require root privileges to run. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'bindata' class MetasploitModule...

0.4 AI score
Exploits: 0

Metasploit
•added 2017/04/20 9:3 p.m.•126 views

MS17-010 SMB RCE Detection

Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-0...

8.8 CVSS, 8.4 AI score, 0.99693 EPSS
Exploits: 93

Metasploit
•added 2017/04/20 2:32 p.m.•9 views

WePresent WiPG-1000 Command Injection

This module exploits a command injection vulnerability in an undocumented CGI file in several versions of the WePresent WiPG-1000 devices. Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability. This module requires Metasploit: https://metasploit.com/download Current source:...

7.8 AI score
Exploits: 0

Metasploit
•added 2017/04/19 9:57 a.m.•17 views

Disk Sorter Enterprise GET Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in the web interface of Disk Sorter Enterprise v9.5.12, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1 x86. This...

9.8 CVSS, 7.4 AI score, 0.13805 EPSS
Exploits: 2

Metasploit
•added 2017/04/18 8:33 p.m.•54 views

Mercurial Custom hg-ssh Wrapper Remote Code Exec

This module takes advantage of custom hg-ssh wrapper implementations that don't adequately validate parameters passed to the hg binary, allowing users to trigger a Python Debugger session, which allows arbitrary Python code execution. This module requires Metasploit: https://metasploit.com/downlo...

8.8 CVSS, 0.2 AI score, 0.21512 EPSS
Exploits: 1

Metasploit
•added 2017/04/18 12:34 a.m.•30 views

Upload and Execute

Push a file and execute it. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Upload and Execute', 'Description' = %qPush a file and execute it., 'Author' = 'egypt', 'License' = MSFLICENSE,...

7.2 AI score
Exploits: 0

Metasploit
•added 2017/04/15 7:1 p.m.•41 views

Huawei HG532n Command Injection

This module exploits a command injection vulnerability in the Huawei HG532n routers provided by TE-Data Egypt, leading to a root shell. The router's web interface has two kinds of logins, a "limited" user:user login given to all customers and an admin mode. The limited mode is used here to expose...

7.9 AI score
Exploits: 0

Metasploit
•added 2017/04/15 2:32 a.m.•306 views

Microsoft Office Word Malicious Hta Execution

This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how an olelink object can make an https request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in...

7.8 CVSS, 10 AI score, 0.99933 EPSS
Exploits: 29

Metasploit
•added 2017/04/11 8:4 p.m.•59 views

JCL to Escalate Privileges

Elevate privileges for user. Adds SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using an unsecured/updateable APF authorized library APFLIB and updating the user's ACEE using this program/library. Note: This privesc only works with z/OS systems using RACF, no other ESM is...

7.3 AI score
Exploits: 0

Metasploit
•added 2017/04/10 6:32 p.m.•41 views

Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution

This module exploits two vulnerabilities in the Trend Micro Threat Discovery Appliance. The first is an authentication bypass vulnerability via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). The second is a cmdi flaw using the timezone...

9.8 CVSS, 10 AI score, 0.93249 EPSS
Exploits: 19

Metasploit
•added 2017/04/08 1:15 p.m.•55 views

Varnish Cache CLI File Read

This module attempts to read the first line of a file by abusing the error message when compiling a file with vcl.load. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/tcp/client' require...

7.5 CVSS, 6.3 AI score, 0.63824 EPSS
Exploits: 7

Metasploit
•added 2017/04/06 8:52 p.m.•39 views

Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability

This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters to perform arbitrary command execution as 'root'. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework cla...

8.8 CVSS, 10 AI score, 0.15538 EPSS
Exploits: 2

Metasploit
•added 2017/04/05 4:59 p.m.•40 views

Quest Privilege Manager pmmasterd Buffer Overflow

This module exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only be triggered when the host has been configured as a policy server Privilege Manager for Un...

9.8 CVSS, 0.4 AI score, 0.42292 EPSS
Exploits: 6

Metasploit
•added 2017/04/05 4:56 a.m.•28 views

Multi Gather IRSSI IRC Password(s)

This module grabs IRSSI IRC credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather IRSSI IRC Passwords', 'Description' = %q This module grabs IRSSI IRC credentials. , 'Author...

0.3 AI score
Exploits: 0

Metasploit
•added 2017/03/31 10:7 p.m.•65 views

Haraka SMTP Command Injection

The Haraka SMTP server comes with a plugin for processing attachments. Versions before 2.8.9 can be vulnerable to command injection !/usr/bin/env python3 Vendor Homepage: https://haraka.github.io/ Software Link: https://github.com/haraka/Haraka Exploit github: http://github.com/outflankbv/Exploit...

7.4 AI score
Exploits: 0

Metasploit
•added 2017/03/28 2:53 p.m.•244 views

Microsoft IIS WebDav ScStoragePathFromUrl Overflow

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services IIS 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: Authors Zhiniang Peng Chen Wu Dominic Chell firefart...

9.8 CVSS, 9.7 AI score, 0.99823 EPSS
Exploits: 39

Metasploit
•added 2017/03/23 3:40 p.m.•19 views

Github Enterprise Default Session Secret And Deserialization Vulnerability

This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6. The first is that the session management uses a hard-coded secret value, which can be abused to sign a serialized malicious Ruby object. The second problem is due to the use of unsafe deserialization, which allo...

0.2 AI score
Exploits: 0

Metasploit
•added 2017/03/23 9:49 a.m.•48 views

SolarWinds LEM Default SSH Password Remote Code Execution

This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exists on the menuing script, an attacker can escape from restricte...

10 CVSS, 9.7 AI score, 0.1273 EPSS
Exploits: 2

Metasploit
•added 2017/03/22 2:49 p.m.•163 views

Moxa UDP Device Discovery

The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. A discovery packet compels a Moxa device to respond to the sender with some basic device information that is needed...

9.8 CVSS, 0.20215 EPSS
Exploits: 4

Metasploit
•added 2017/03/21 5:10 p.m.•31 views

Shodan Honeyscore Client

This module uses the shodan API to check if a server is a honeypot or not. The api returns a score from 0.0 to 1.0. 1.0 being a honeypot. A shodan API key is needed for this module to work properly. If you don't have an account, go here to register: https://account.shodan.io/register For more inf...

6.9 AI score
Exploits: 0

Metasploit
•added 2017/03/20 10:36 p.m.•37 views

RF Transceiver Transmitter

This module powers an HWBridge-connected radio transceiver, effectively transmitting on the frequency set by the FREQ option. NOTE: Users of this module should be aware of their local laws, regulations, and licensing requirements for transmitting on any given radio frequency. This module requires...

0.6 AI score
Exploits: 0

Metasploit
•added 2017/03/20 10:36 p.m.•150 views

Brute Force AM/OOK (ie: Garage Doors)

Post Module for HWBridge RFTranscievers. Brute forces AM OOK or raw binary signals. This is a port of the rfpwnon tool by Corey Harding. https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py This module requires Metasploit: https://metasploit.com/download Current source:...

7.4 AI score
Exploits: 0

Metasploit
•added 2017/03/20 2:40 p.m.•21 views

DnaLIMS Directory Traversal

This module exploits a directory traversal vulnerability found in dnaLIMS. Due to the way the viewAppletFsa.cgi script handles the 'secID' parameter, it is possible to read a file outside the www directory. This module requires Metasploit: https://metasploit.com/download Current source:...

7.5 CVSS, 7.4 AI score, 0.56647 EPSS
Exploits: 10

Metasploit
•added 2017/03/19 4:52 a.m.•34 views

Launches Hosts in AWS

This module will attempt to launch AWS instances (hosts) in EC2. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/aws/client' class MetasploitModule "Launches Hosts in AWS", 'Description'...

7.2 AI score
Exploits: 0

Metasploit
•added 2017/03/15 4:29 a.m.•22 views

SysGauge SMTP Validation Buffer Overflow

This module will setup an SMTP server expecting a connection from SysGauge 1.5.18 via its SMTP server validation. The module sends a malicious response along in the 220 service ready response and exploits the client, resulting in an unprivileged shell. This module requires Metasploit:...

9.8 CVSS, 1.1 AI score, 0.1077 EPSS
Exploits: 2

Metasploit
•added 2017/03/13 6:22 a.m.•28 views

IBM WebSphere RCE Java Deserialization Vulnerability

This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows remote arbitrary code execution. Authentication is not required in order to exploit this...

9.8 CVSS, 7.9 AI score, 0.97655 EPSS
Exploits: 10

Metasploit
•added 2017/03/09 8:19 p.m.•58 views

Apache Struts Jakarta Multipart Parser OGNL Injection

This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cm...

9.8 CVSS, 0.6 AI score, 0.99999 EPSS
Exploits: 44

Metasploit
•added 2017/03/09 2:46 p.m.•31 views

dnaLIMS Admin Module Command Execution

This module utilizes an administrative module which allows for command execution. This page is completely unprotected from any authentication when given a POST request. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

9.8 CVSS, 0.8 AI score, 0.574 EPSS
Exploits: 9

Metasploit
•added 2017/03/08 3:59 p.m.•22 views

Easy File Sharing FTP Server 3.6 Directory Traversal

This module exploits a directory traversal vulnerability found in Easy File Sharing FTP Server Version 3.6 and Earlier. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as '../' This modul...

7.5 CVSS, 7.4 AI score, 0.15348 EPSS
Exploits: 3

Metasploit
•added 2017/03/07 6:53 p.m.•7 views

MMS Client

This module sends an MMS message to multiple phones of the same carrier. You can use it to send a malicious attachment to phones. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MMS Client',...

7 AI score
Exploits: 0

Metasploit
•added 2017/03/07 12:10 a.m.•41 views

Sends Beacons to Scan for Active ZigBee Networks

Post Module to send beacon signals to the broadcast address while channel hopping This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Sends Beacons to Scan for Active ZigBee Networks', 'Description...

10 AI score
Exploits: 0

Metasploit
•added 2017/03/03 2:56 p.m.•11 views

DC/OS Marathon UI Docker Exploit

Utilizing the DCOS Cluster's Marathon UI, an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container. As the docker container executes command as uid 0 it is honored by the host operating system allowing...

10 AI score
Exploits: 0

Metasploit
•added 2017/03/02 10:51 p.m.•24 views

Netgear DGN2200 dnslookup.cgi Command Injection

This module exploits a command injection vulnerability in NETGEAR DGN2200v1/v2/v3/v4 routers by sending a specially crafted POST request with valid login details. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require...

8.8 CVSS, 1.2 AI score, 0.72199 EPSS
Exploits: 11

Total number of security vulnerabilities: 6845