Android Stock Browser Iframe DOS
This module exploits a vulnerability in the native browser that comes with Android 4.0.3. If successful, the browser will crash after viewing the webpage. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
HTTP Client Information Gather
This module gathers information about a browser that exploits might be interested in, such as OS name, browser version, plugins, etc. By default, the module will return a fake 404, but you can customize this output by changing the Custom404 datastore option, and redirect to an external web page...
ATutor 2.2.1 Directory Traversal / Remote Code Execution
This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP setup with display_errors set to On, which can be used to allow us to upload a malicious ZIP file. On the web application, a blacklist verification is performed before extraction; however, it is not sufficient to...
Apache Karaf Default Credentials Command Execution
This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x. The 'karaf' user has a known default password, which can be used to login to the SSH service, and execute operating system commands from remote. This module requires Metasploit: https://metasploit.com/download...
MS08-068 Microsoft Windows SMB Relay Code Execution
This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the...
Windows Post Manage WDigest Credential Caching
On Windows 8/2012 or higher, the Digest Security Provider WDIGEST is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key. Any subsequent logins will allow mimikatz to recover th...
Authenticated WMI Exec via Powershell
This module uses WMI execution to launch a payload instance on a remote machine. In order to avoid AV detection, all execution is performed in memory via a psh-net encoded payload. The Persistence option can be set to keep the payload looping while a handler is present to receive it. By default the...
PHP Utility Belt Remote Code Execution
This module exploits a remote code execution vulnerability in PHP Utility Belt, which is a set of tools for PHP developers and should not be installed in a production environment, since this application runs arbitrary PHP code as an intended functionality. This module requires Metasploit:...
ATutor 2.2.1 SQL Injection / Remote Code Execution
This module exploits a SQL Injection vulnerability and an authentication weakness vulnerability in ATutor. This essentially means an attacker can bypass authentication and reach the administrator's interface where they can upload malicious code. This module requires Metasploit:...
Fortinet SSH Backdoor Scanner
This module scans for the Fortinet SSH backdoor. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Fortinet SSH Backdoor Scanner', 'Description' = %q This module scans for the Fortinet SSH...
OWA Exchange Web Services (EWS) Login Scanner
This module attempts to log in to the Exchange Web Services, often exposed at https://example.com/ews/, using NTLM authentication. This method is faster and simpler than traditional form-based logins. In most cases, all you need to set is RHOSTS and some combination of user/pass files; the...
Apache Karaf Login Utility
This module attempts to log into Apache Karaf's SSH. If the TRYDEFAULTCRED option is set, then it will also try the default 'karaf' credential. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/ssh' require...
Search Engine Subdomains Collector
This module can be used to gather subdomains about a domain from Yahoo, Bing. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Search Engine Subdomains Collector', 'Description' = %q This module...
AppLocker Execution Prevention Bypass
This module will generate a .NET service executable on the target and utilize InstallUtil to run the payload bypassing the AppLocker protection. Currently only the InstallUtil method is provided, but future methods can be added easily. This module requires Metasploit:...
Linknat Vos Manager Traversal
This module attempts to test whether a file traversal vulnerability is present in Linknat VOS2009/VOS3000. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linknat Vos Manager...
IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service
This module exploits a denial of service condition present in IBM Tivoli Storage Manager FastBack Server when dealing with packets triggering the opcode 0x534 handler. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
DNS Record Scanner and Enumerator
This module can be used to gather information about a domain from a given DNS server by performing various DNS queries such as zone transfers, reverse lookups, SRV record brute forcing, and other techniques. This module requires Metasploit: https://metasploit.com/download Current source:...
NETGEAR ProSafe Network Management System 300 Authenticated File Download
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file in the system. This module has been tested with versions 1.5.0.2, 1.4.0.17 and...
NETGEAR ProSafe Network Management System 300 Arbitrary File Upload
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has multiple vulnerabilities that can allow an unauthenticated remote attacker to execute code as SYSTEM user. Vulnerabilities include authentication bypass, SQL injection, arbitrary file upload...
Multi Manage Set Wallpaper
This module will set the desktop wallpaper background on the specified session. The method of setting the wallpaper depends on the platform type. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
PCMAN FTP Server Buffer Overflow - PUT Command
This module exploits a buffer overflow vulnerability found in the PUT command of the PCMAN FTP v2.0.7 Server. This requires authentication, but anonymous credentials are enabled by default. This module requires Metasploit: https://metasploit.com/download Current source:...
D-Link DCS-930L Authenticated Remote Command Execution
The D-Link DCS-930L Network Video Camera is vulnerable to OS Command Injection via the web interface. The vulnerability exists at /setSystemCommand, which is accessible with credentials. This vulnerability was present in firmware version 2.01 and fixed by 2.12. This module requires Metasploit:...
WordPress XML-RPC system.multicall Credential Collector
This module attempts to find WordPress credentials by abusing the XML-RPC API. WordPress versions prior to 4.4.1 are suitable for this type of technique. For newer versions, the script will drop the CHUNKSIZE to 1 automatically. This module requires Metasploit: https://metasploit.com/download...
Easy File Sharing HTTP Server 7.2 SEH Overflow
This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Easy File Sharing HTTP Server 7.2 SEH Overflow',...
Telisca IPS Lock Cisco IP Phone Control
This module allows an unauthenticated attacker to exercise the "Lock" and "Unlock" functionality of Telisca IPS Lock for Cisco IP Phones. This module should be run in the VoIP VLAN, and requires knowledge of the target phone's name, for example SEP002497AB1D4B. Set ACTION to either LOCK or UNLOCK...
HP Data Protector 6.10/6.11/6.20 Install Service
This module exploits HP Data Protector OmniInet process on Windows only. This exploit invokes the install service function which allows an attacker to create a custom payload in the format of an executable. To ensure this works, the SMB server created in MSF must have a share called Omniback whic...
BMP Polyglot
Encodes a payload in such a way that the resulting binary blob is both valid x86 shellcode and a valid bitmap image file (.bmp). The selected bitmap file to inject into must use the BM Windows 3.1x/95/NT header and the 40-byte Windows 3.1x/NT BITMAPINFOHEADER. Additionally the file must use either ...
Redis Command Execute Scanner
This module locates Redis endpoints by attempting to run a specified Redis command. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Redis Command Execute Scanner', 'Description' = %q This modul...
D-Link DCS-931L File Upload
This module exploits a file upload vulnerability in D-Link DCS-931L network cameras. The setFileUpload functionality allows authenticated users to upload files to anywhere on the file system, allowing system files to be overwritten, resulting in execution of arbitrary commands. This module has be...
Android ADB Debug Server Remote Payload Execution
Writes and spawns a native payload on an Android device that is listening for adb debug messages. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android ADB Debug Server Remote Payload...
Chinese Caidao Backdoor Bruteforce
This module attempts to bruteforce the Chinese Caidao ASP/PHP/ASPX backdoor. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credentialcollection' require...
Redis Login Utility
This module attempts to authenticate to a Redis service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/loginscanner/redis' require 'metasploit/framework/credentialcollection' Metasploi...
Snare Lite for Windows Registry Access
This module uses the Registry Dump feature of the Snare Lite for Windows service on 6161/TCP to retrieve the Windows registry. The Dump Registry functionality is unavailable in Snare Enterprise. Note: The Dump Registry functionality accepts only one connected client at a time. Requesting a large...
Windows Manage Privilege Based Process Migration
This module will migrate a Meterpreter session based on session privileges. It will do everything it can to migrate, including spawning a new User level process. For sessions with Admin rights: It will try to migrate into a System level process in the following order: ANAME if specified,...
EasyCafe Server Remote File Access
This module exploits a file retrieval vulnerability in EasyCafe Server. The vulnerability can be triggered by sending a specially crafted packet (opcode 0x43) to the 831/TCP port. This module has been successfully tested on EasyCafe Server version 2.2.14 Trial mode and Demo mode on Windows XP SP3 a...
PostgreSQL CREATE LANGUAGE Execution
Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages. Most commonly this is Perl and Python. When enabled, command execution is possible on the host. To execute system commands, loading the "untrusted" version of the language is necessary. This...
AD Computer, Group and Recursive User Membership to Local SQLite DB
This module will gather a list of AD groups, identify the users taking into account recursion and write this to a SQLite database for offline analysis and query using normal SQL syntax. This module requires Metasploit: https://metasploit.com/download Current source:...
Generate CSV Organizational Chart Data Using Manager Information
This module will generate a CSV file containing all users and their managers, which can be imported into Visio to render it as an organizational chart. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Generate CSV...
Windows Gather Active Directory Managed Groups
This module will enumerate AD groups on the specified domain which are specifically managed. It cannot at the moment identify whether the 'Manager can update membership list' option is set; if so, it would allow that member to update the contents of that group. This could either be used as a...
MS15-134 Microsoft Windows Media Center MCL Information Disclosure
This module exploits a vulnerability found in Windows Media Center. It allows an MCL file to render itself as an HTML document in the local machine zone by Internet Explorer, which can be used to leak files on the target machine. Please be aware that if this exploit is used against a patched...
Post Windows Gather NTDS.DIT Location
This module will find the location of the NTDS.DIT file from the Registry, check that it exists, and display its location on the screen, which is useful if you wish to manually acquire the file using ntdsutil or vss. This module requires Metasploit: https://metasploit.com/download Current source:...
Joomla HTTP Header Unauthenticated Remote Code Execution
Joomla suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5. By storing user-supplied headers in the database's session table it's possible to truncate the input by sending a UTF-8 character. The custom created payload is then executed once the sessi...
Redis File Upload
This module can be used to leverage functionality exposed by Redis to achieve somewhat arbitrary file upload to a file and directory to which the user account running the redis instance has access. It is not totally arbitrary because the exact contents of the file cannot be completely controlled...
ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability
This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value ...
Jenkins CLI RMI Java Deserialization Vulnerability
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability. This module requires Metasploit: https://metasploit.com/download Current source:...
Legend Perl IRC Bot Remote Code Execution
This module exploits a remote command execution on the Legend Perl IRC Bot. This bot has been used as a payload in the Shellshock spam of October 2014. This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and UDP flooding, the ability to remove system logs, and the ability to...
Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
This module allows remote command execution on an IRC Bot developed by xdh. This Perl bot was caught by Conor Patrick with his Shellshock honeypot server and is categorized by Markus Zanke as an fBot (Fire & Forget DDoS Bot). Matt Thayer also found this script, which has a description of LinuxNet...
Atlassian HipChat for Jira Plugin Velocity Template Injection
Atlassian HipChat is a web service for internal instant messaging. A plugin is available for Jira that allows team collaboration in real time. A message can be used to inject Java code into a Velocity template, and gain code execution as Jira. Authentication is required to exploit this...
Dahua DVR Auth Bypass Scanner
Scans for Dahua-based DVRs and then grabs settings. Optionally resets a user's password and clears the device logs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule %q Dahua DVR Auth Bypass Scanner...
phpFileManager 0.9.8 Remote Code Execution
This module exploits a remote code execution vulnerability in phpFileManager 0.9.8, a single-file filesystem management tool. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...