NETGEAR WNR2000v5 Administrator Password Recovery
The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery. This vulnerability can be exploited by an unauthenticated attacker who is able to guess the value of a certain timestamp which is in the configuration of the router. Brute forcing the timestamp token might tak...
BAVision IP Camera Web Server Login
This module will attempt to authenticate to an IP camera created by BAVision via the web service. By default, the vendor ships a default credential admin:123456 to its cameras, and the web server does not enforce lockouts in case of a bruteforce attack. This module requires Metasploit:...
Chromecast Wifi Enumeration
This module enumerates wireless access points through Chromecast. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
at(1) Persistence
This module achieves persistence by executing payloads via at(1). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows 'Run As' Using Powershell
This module will start a process as another user using PowerShell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Android get_user/put_user Exploit
This module exploits a missing check in the get_user and put_user API functions in the Linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commit_creds and ptmx_fops...
Windows Local User Account Hash Carver
This module will change a local user's password directly in the registry. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Zyxel/Eir D1000 DSL Modem NewNTPServer Command Injection Over TR-064
Broadband DSL modems manufactured by Zyxel and distributed by some European ISPs are vulnerable to a command injection vulnerability when setting the 'NewNTPServer' value using the TR-064 SOAP-based configuration protocol. In the tested case, no authentication is required to set this value on...
Create an AWS IAM User
This module will attempt to create an AWS (Amazon Web Services) IAM (Identity and Access Management) user with Admin privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Varnish Cache CLI Login Utility
This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce list of passwords. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
OS X Gather Messages
This module will collect the Messages sqlite3 database files and chat logs from the victim's machine. There are four actions you may choose: DBFILE, READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and LATEST will retrieve the last X number of messages useful with 2FA...
Linux Kernel 4.6.3 Netfilter Privilege Escalation
This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. iptables.ko (ubuntu), iptable_raw (fedora) has to be loaded...
PDF Shaper Buffer Overflow
PDF Shaper is prone to a security vulnerability when processing PDF files. The vulnerability appears when we use Convert PDF to Image and use a specially crafted PDF file. This module has been tested successfully on Win XP, Win 7, Win 8, Win 10. This module requires Metasploit:...
WordPress Symposium Plugin SQL Injection
This module exploits a SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress, which allows remote attackers to extract credentials via the size parameter to get_album_item.php. This module requires Metasploit: https://metasploit.com/download Current source:...
Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass
This module exploits HTTP servers that appear to be vulnerable to the 'Misfortune Cookie' vulnerability which affects Allegro Software RomPager versions before 4.34 and can allow attackers to authenticate to the HTTP service as an administrator without providing valid credentials. This module...
WordPress Ninja Forms Unauthenticated File Upload
Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain an unauthenticated file upload vulnerability, allowing guests to upload arbitrary PHP code that can be executed in the context of the web server. This module requires Metasploit: https://metasploit.com/download Current source:...
Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow
Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This...
WinaXe 7.7 FTP Client Remote Buffer Overflow
This module exploits a buffer overflow in the WinaXe 7.7 FTP client. This issue is triggered when a client connects to the server and is expecting the Server Ready response. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registr...
Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPS. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTP. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
UNIX Gather AWS Keys
This module will attempt to read AWS configuration files (.aws/config, .aws/credentials and .s3cfg) for users discovered on the session'd system and extract AWS keys from within. This module requires Metasploit: https://metasploit.com/download Current source:...
Telpho10 Backup Credentials Dumper
This module exploits a vulnerability present in all versions of Telpho10 telephone system appliance. This module generates a configuration backup of Telpho10, downloads the file and dumps the credentials for admin login, phpmyadmin, phpldapadmin, etc. This module has been successfully tested on t...
Disk Pulse Enterprise Login Buffer Overflow
This module exploits a stack buffer overflow in Disk Pulse Enterprise 9.0.34. If a malicious user sends a malicious HTTP login request, it is possible to execute a payload that would run under the Windows NT AUTHORITY\SYSTEM account. Due to size constraints, this module uses the Egghunter...
Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution
This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side using an eval. Note that the code uses a '\x2f' character...
Kerberos Domain User Enumeration
This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes the different responses returned by the service for valid and invalid users. This module can also detect accounts that are vulnerable to ASREPRoast attacks. This module requires Metasploit:...
Joomla Account Creation and Privilege Escalation
This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default). This module requires Metasploit:...
Windows Meterpreter Shell, Reverse HTTP Inline (x64)
Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
UDP Amplification Scanner
Detect UDP endpoints with UDP amplification vulnerabilities. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Manage Persistent EXE Payload Installer
This module will upload an executable to a remote host and make it persistent. It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login, SYSTEM will start on system boot but requires privs. SERVICE will create a new service which will start the payload. Again requires privs...
Censys Search
The module uses the Censys REST API to access the same data accessible through the web interface. The search endpoint allows queries using the Censys Search Language against the Hosts dataset. Setting the CERTIFICATES option will also retrieve the certificate details for each relevant service by...
Shell to Meterpreter Upgrade
This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected. Currently meterpreter/reverse_tcp is used on Windows and Linux, with 'python/meterpreter/reverse_tcp' used on all others. This...
ZoomEye Search
The module uses the ZoomEye API to search ZoomEye. ZoomEye is a search engine for cyberspace that lets the user find specific network components (ip, services, etc.). Setting facets will output a simple report on the overall search. Its values are: Host search: app, device, service, os, port, countr...
PowerShellEmpire Arbitrary File Upload (Skywalker)
A vulnerability existed in the new Empire maintained by BC Security prior to commit e73e883. Authors: Spencer McIntyre, Erik Daguerre, ACE-Responder, Takahiro Yokoyama. Platform: Linux, Python. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Meterpreter Shell, Reverse TCP Inline x64
Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Meterpreter Shell, Bind TCP Inline (x64)
Connect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
Connect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Ruby on Rails Dynamic Render File Upload Remote Code Execution
This module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths, such...
Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution
Ektron 8.5, 8.7... Author: catatonicprime. License: MSF_LICENSE. References: CVE-2015-0923, US-CERT VU#377644, URL...
Linux Kernel recvmmsg Privilege Escalation
This module attempts to exploit CVE-2014-0038, by sending a recvmmsg system call with a crafted timeout pointer parameter to gain root. This exploit has offsets for 3 Ubuntu 13 kernels: 3.8.0-19-generic (13.04 default); 3.11.0-12-generic (13.10 default); 3.11.0-15-generic (13.10). This exploit may take...
Powershell .NET Compiler
This module will build a .NET source file using PowerShell. The compiler builds the executable or library in memory and produces a binary. After compilation the PowerShell session can also sign the executable if provided a path to a .pfx formatted certificate. Compiler options and a list of...
Powershell Payload Execution
This module generates a dynamic executable on the session host using .NET templates. Code is pulled from C# templates and impregnated with a payload before being sent to a modified PowerShell session with .NET 4 loaded. The compiler builds the executable (standard or Windows service) in memory and...
HTA Web Server
This module hosts an HTML Application (HTA) that when opened will run a payload via PowerShell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed. This module requires Metasploit: https://metasploit.com/download Current source:...
Overlayfs Privilege Escalation
This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific - 3.13.0-24 (14.04 default)...
Gather AWS EC2 Instance Metadata
This module will attempt to connect to the AWS EC2 instance metadata service and crawl and collect all metadata known about the session'd host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Cisco IKE Information Disclosure
A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is d...
Python Meterpreter, Python Reverse TCP SSL Stager
Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Reverse Python connect back stager using SSL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Linux BPF doubleput UAF Privilege Escalation
Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF) does not properly reference count file descriptors, resulting in a use-after-free, which can be abused to escalate privileges. The target system must be...
MYSQL Directory Write Test
Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature; for more information see the URL in the references. Note: For every writable directory found, a file with the specified FILENAME containing the text 'test' will be written to the directory. This module requires Metasploit...