MS16-032 Secondary Logon Handle Privilege Escalation
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect Windows 7-10 and 2k8-2k12, 32 and 64 bit. This module will only work against those versions of Windows with PowerShell 2.0 or later and systems wi...
Cron Persistence
This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. syslog will get a copy of the cron entry. This module requires Metasploit: https://metasploit.com/download Current source:...
SSH Key Persistence
This module will add an SSH key to a specified user, or to all users, to allow remote login via SSH at any time. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
NetBIOS Response Brute Force Spoof (Direct)
This module continuously spams NetBIOS responses to a target for a given hostname, causing the target to cache a malicious address for this name. On high-speed local networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100%...
NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel)
This module listens for a NetBIOS name request and then continuously spams NetBIOS responses to a target for a given hostname, causing the target to cache a malicious address for this name. On high-speed networks, the PPSRATE value should be increased to speed up this attack. As an example, a value...
Tiki-Wiki CMS Calendar Command Execution
Tiki-Wiki CMS's calendar module contains a remote code execution vulnerability within the viewmode GET parameter. The calendar module is NOT enabled by default. If enabled, the default permissions are set to NOT allow anonymous users to access it. Vulnerable versions: ...
ClamAV Remote Command Transmitter
In certain configurations, ClamAV will bind to all addresses and listen for commands. This module sends properly-formatted commands to the ClamAV daemon if it is in such a configuration. This module requires Metasploit: https://metasploit.com/download Current source:...
Regsvr32.exe (.sct) Command Delivery Server
This module uses the Regsvr32.exe Application Whitelisting Bypass technique as a way to run a command on a target system. The major advantage of this technique is that you can execute a static command on the target system and dynamically and remotely change the command that will actually run by...
Windows Gather Microsoft Office Trusted Locations
This module will enumerate the Microsoft Office trusted locations on the target host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Centreon Web Useralias Command Execution
Centreon Web Interface ... Discovery: Nicolas CHATELAIN; Metasploit module: h00die. References: EDB 39501. License: MSF_LICENSE. Platform: python; Privileged: false; Arch: ARCH_PYTHON. Targets: ...
Apache Continuum Arbitrary Command Execution
This module exploits a command injection in Apache Continuum ... Proof of concept: David Shanahan; Metasploit module: wvu. References: EDB 39886. Disclosure date: ...
Linux ARM Big Endian Command Shell, Bind TCP Inline
Listen for a connection and spawn a command shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
SMB Share Enumeration
This module determines what shares are provided by the SMB service and which ones are readable/writable. It also collects additional information such as share types, directories, files, time stamps, etc. By default, a RubySMB netshareenumall request is done in order to retrieve share information,...
Jenkins Server Broadcast Enumeration
This module sends out a UDP broadcast packet querying for any Jenkins servers on the local network. Be advised that while this module does not identify the port on which Jenkins is running, the default port for Jenkins is 8080. This module requires Metasploit: https://metasploit.com/download...
Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
This module exploits a remote command execution vulnerability in Apache Struts versions between 2.3.20 and 2.3.28, except 2.3.20.2 and 2.3.24.2. Remote code execution can be performed when using the REST plugin with the ! operator when Dynamic Method Invocation is enabled. This module requires Metasploit:...
DarkComet Server Remote File Download Exploit
This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up. The exploit does not need to know the password chosen for the bot/server communication. This module requires Metasploit: https://metasploit.com/download Current source:...
Poison Ivy 2.1.x C2 Buffer Overflow
This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server. The exploit does not need to know the password chosen for the bot/server communication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Canon IR-Adv Password Extractor
This module will extract the passwords from address books on various Canon iR-ADV MFP devices. Tested models: iR-ADV C2030, iR-ADV 4045, iR-ADV C5030, iR-ADV C5235, iR-ADV C5240, iR-ADV 6055, iR-ADV C7065. This module requires Metasploit: https://metasploit.com/download Current source:...
Magento 2.0.6 Unserialize Remote Code Execution
This module exploits a PHP object injection vulnerability in Magento 2.0.6 or prior. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
op5 v7.1.9 Configuration Command Execution
op5 is open source network monitoring software. The configuration page in version 7.1.9 and below allows testing a system command, which can be abused to run arbitrary code as an unprivileged user. This module requires Metasploit: https://metasploit.com/download Current source:...
HP Data Protector Encrypted Communication Remote Command Execution
This module exploits a well-known remote code execution vulnerability after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executin...
IPFire proxy.cgi RCE
IPFire, a free Linux-based open source firewall distribution, version ... Discovery: Yann CAM; Metasploit module: h00die. References: EDB 39765, URL ...
IPFire Bash Environment Variable Injection (Shellshock)
IPFire, a free Linux-based open source firewall distribution, version ... Discovery: Claudio Viviani; Metasploit module: h00die. References: EDB 34839, ...
WinRM Login Utility
This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows NegotiateNTLM authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the 'AllowUnencrypted' winrm option must be set. Otherwise adjust the...
Ubiquiti airOS Arbitrary File Upload
This module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "m...
PhoenixContact PLC Remote START/STOP Command
PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS. They communicate using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. This allows a remote user to read out the PLC type, firmware and build number on port TCP/1962, and also to read out the CPU...
Netcore Router Udp 53413 Backdoor
Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cyber criminals to easily run arbitrary co...
FTP JCL Execution
Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires valid credentials on the target system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Generate TCP/UDP Outbound Traffic On Multiple Ports
This module generates TCP or UDP traffic across a sequence of ports, and is useful for finding firewall holes and egress filtering. It only generates traffic on the port range you specify. It is up to you to run a responder or packet capture tool on a remote endpoint to determine which ports are...
Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection
This module exploits a vulnerability found in Dell SonicWALL Scrutinizer. The methodDetail parameter in exporters.php allows an attacker to write arbitrary files to the file system with an SQL Injection attack, and gain remote code execution under the context of SYSTEM for Windows, or as Apache f...
TP-Link SC2020n Authenticated Telnet Injection
The TP-Link SC2020n Network Video Camera is vulnerable to OS Command Injection via the web interface. By firing up the telnet daemon, it is possible to gain root on the device. The vulnerability exists at /cgi-bin/admin/servetest, which is accessible with credentials. This module requires...
ImageMagick Delegate Arbitrary Command Execution
This module exploits a shell command injection in the way "delegates" commands for converting files are processed in ImageMagick versions ...
WordPress Ninja Forms Unauthenticated File Upload
Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain an unauthenticated file upload vulnerability, allowing guests to upload arbitrary PHP code that can be executed in the context of the web server...
Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution
This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range. This module requires Metasploit:...
Apache Struts Dynamic Method Invocation Remote Code Execution
This module exploits a remote command execution vulnerability in Apache Struts versions between 2.3.20 and 2.3.28, except 2.3.20.2 and 2.3.24.2. Remote code execution can be performed via the method: prefix when Dynamic Method Invocation is enabled. This module requires Metasploit:...
Oracle ATS Arbitrary File Upload
This module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Gather EMET Protected Paths
This module will enumerate the EMET protected paths on the target host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability
This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed Symantec PBE key. Note that authentication is required in order to successfully grab the LDAP credentials, and you need at least a read account. Versions 10.6.0-7 and earlier are...
Regsvr32.exe (.sct) Application Whitelisting Bypass Server
This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This...
Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw...
Exim "perl_startup" Privilege Escalation
This module exploits a Perl injection vulnerability in Exim ... Vulnerability discovery: Dawid Golunski; Metasploit module: wvu. References: CVE-2016-1531, EDB 39549, ...
Linux DoS Xen 4.2.0 2012-5525
This module causes a hypervisor crash in Xen 4.2.0 when invoked from a paravirtualized VM, including from dom0. Successfully tested on Debian 7 3.2.0-4-amd64 with Xen 4.2.0. This module requires Metasploit: https://metasploit.com/download Current source:...
Dell KACE K1000 File Upload
This module exploits a file upload vulnerability in Kace K1000 versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547 which allows unauthenticated users to execute arbitrary commands under the context of the 'www' user. This module also abuses the 'KSudoClient::RunCommandWait'...
Novell ServiceDesk Authenticated File Upload
This module exploits an authenticated arbitrary file upload via directory traversal to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in Windows and Linux installations of Novell ServiceDesk, as well as the Virtual Appliance provided by Novell. This module requires...
ExaGrid Known SSH Key and Default Password
ExaGrid ships a public/private key pair on their backup appliances to allow passwordless authentication to other ExaGrid appliances. Since the private key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. Additionally, this module will attempt to use the...
Z/OS (MVS) Command Shell, Reverse TCP
Provide JCL which creates a reverse shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically. This module requires Metasploit: https://metasploit.com/download Current source:...
Juniper SSH Backdoor Scanner
This module scans for the Juniper SSH backdoor (also valid on Telnet). Any username is required, and the password is ... Discovery: hdm. ...
Generic JCL Test for Mainframe Exploits
Provide JCL which can be used to submit a job to JES2 on z/OS which will exit and return 0. This can be used as a template for other JCL-based payloads. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework This is a prototy...
Windows Gather HeidiSQL Saved Password Extraction
This module extracts saved passwords from the HeidiSQL client. These passwords are stored in the registry. They are encrypted with a custom algorithm. This module extracts and decrypts these passwords. This module requires Metasploit: https://metasploit.com/download Current source:...
Apache Jetspeed Arbitrary File Upload
This module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, version 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file...