
6845 matches found

Metasploit
•added 2015/07/07 4:19 p.m.•69 views

Adobe Flash Player ByteArray Use After Free

This module exploits a use after free in Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as a Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows 7 SP1 32-bit,...

CVSS 9.8 • AI score 6.7 • EPSS 0.99344
Exploits: 6
Metasploit
•added 2015/07/05 11:19 p.m.•33 views

Apple OS X Entitlements Rootpipe Privilege Escalation

This module exploits the rootpipe vulnerability and bypasses Apple's initial fix for the issue by injecting code into a process with the 'admin.writeconfig' entitlement. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

CVSS 7.2 • AI score 1.1 • EPSS 0.05657
Exploits: 5
Metasploit
•added 2015/07/02 8:29 p.m.•85 views

HTTP Client Automatic Exploiter 2 (Browser Autopwn)

This module will automatically serve browser exploits. Here are the options you can configure: The INCLUDEPATTERN option allows you to specify the kind of exploits to be loaded. For example, if you wish to load just Adobe Flash exploits, then you can set Include to 'adobeflash'. The EXCLUDEPATTER...

AI score 6.7
Exploits: 0
Metasploit
•added 2015/07/01 6:13 p.m.•51 views

Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow

This module exploits a buffer overflow in Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild in June 2015. This module has been tested successfully on: Windows 7 SP1 32-bit, IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 32-bit, Firefox 38.0.5 a...

CVSS 9.8 • AI score 6.8 • EPSS 0.9994
Exploits: 7
Metasploit
•added 2015/07/01 10:26 a.m.•21 views

Windows Registry Only Persistence

This module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in "CurrentVersion\Run" depending on privilege and selected method. The payload will be installed completely in registry. This module requires...

AI score 7
Exploits: 0
Metasploit
•added 2015/06/29 7:3 p.m.•40 views

Endian Firewall Proxy Password Change Command Injection

This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had...

CVSS 10 • AI score 0.1 • EPSS 0.69909
Exploits: 5
Metasploit
•added 2015/06/28 1:38 a.m.•83 views

Pallete Projects Werkzeug Debugger Remote Code Execution

This module will exploit the Werkzeug debug console to put down a Python shell. Werkzeug is included with Flask, but not enabled by default. It is also included in other projects, for example the RunServerPlus extension for Django. It may also be used alone. The documentation states the following...

AI score 7
Exploits: 0
Metasploit
•added 2015/06/26 5:21 p.m.•27 views

Lansweeper Credential Collector

Lansweeper stores the credentials it uses to scan the computers in its Microsoft SQL database. The passwords are XTea-encrypted with a 68-character key, of which the first 8 characters are stored with the password in the database and the other 60 are static. Lansweeper, by default, creates an...

AI score 7.7
Exploits: 0
Metasploit
•added 2015/06/25 6:35 p.m.•40 views

Adobe Flash Player Drawing Fill Shader Memory Corruption

This module exploits a memory corruption that occurs when applying a Shader as a drawing fill, as exploited in the wild in June 2015. This module has been tested successfully on: Windows 7 SP1 32-bit, IE11 and Adobe Flash 17.0.0.188, Windows 7 SP1 32-bit, Firefox 38.0.5 and Adobe Flash 17.0.0.188,...

CVSS 10 • AI score 0.4 • EPSS 0.96079
Exploits: 4
Metasploit
•added 2015/06/23 10:2 p.m.•70 views

Windows Gather Credentials Local Administrator Password Solution

This module will recover the LAPS Local Administrator Password Solution passwords, configured in Active Directory, which is usually only accessible by privileged users. Note that the local administrator account name is not stored in Active Directory, so it is assumed to be 'Administrator' by...

AI score 6.6
Exploits: 0
Metasploit
•added 2015/06/23 9:15 p.m.•56 views

Mac OS X Safari file:// Redirection Sandbox Escape

Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a "state management issue" that allows a browser window to be navigated to a file:// URL. By dropping and loading a malicious .webarchive file, an attacker can read arbitrary files, inject cross-domain Javascript, and silently...

CVSS 4.3 • AI score 7.2 • EPSS 0.10946
Exploits: 2
Metasploit
•added 2015/06/23 6:8 a.m.•124 views

MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure

This module dumps memory contents using a crafted Range header and affects only Windows 8.1, Server 2012, and Server 2012R2. Note that if the target is running in VMware Workstation, this module has a high likelihood of resulting in BSOD; however, VMware ESX and non-virtualized hosts seem stable...

CVSS 9.8 • AI score 6.7 • EPSS 0.99999
Exploits: 16
Metasploit
•added 2015/06/18 5:36 p.m.•32 views

Adobe Flash Player ShaderJob Buffer Overflow

This module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after...

CVSS 10 • AI score 6.8 • EPSS 0.87303
Exploits: 4
Metasploit
•added 2015/06/14 6:27 a.m.•30 views

D-Link Cookie Command Execution

This module exploits an anonymous remote upload and code execution vulnerability on different D-Link devices. The vulnerability is a command injection in the cookie handling process of the lighttpd web server when handling specially crafted cookie values. This module has been successfully tested ...

AI score 8.5
Exploits: 0
Metasploit
•added 2015/06/11 9:18 p.m.•66 views

Adobe Flash Player Shader Buffer Overflow

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on the following operating...

CVSS 10 • AI score 6.7 • EPSS 0.94487
Exploits: 9
Metasploit
•added 2015/06/09 2:41 a.m.•28 views

Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy

This module exploits an incomplete internal state distinction in Java Secure Socket Extension JSSE by impersonating the server and finishing the handshake before the peers have authenticated themselves and instantiated negotiated security parameters, resulting in a plaintext SSL/TLS session with...

CVSS 4 • EPSS 0.67234
Exploits: 5
Metasploit
•added 2015/06/08 9:58 a.m.•34 views

VMWare Update Manager 4 Directory Traversal

This module exploits a directory traversal vulnerability in VMWare Update Manager on port 9084. Versions affected by this vulnerability: vCenter Update Manager 4.1 prior to Update 2, vCenter Update Manager 4 Update 4. This module requires Metasploit: https://metasploit.com/download Current sourc...

CVSS 5 • AI score 0.2 • EPSS 0.63234
Exploits: 7
Metasploit
•added 2015/06/08 9:58 a.m.•66 views

VMware Server Directory Traversal Vulnerability

This module exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware server ports 80/8222 a...

CVSS 5 • AI score 0.1 • EPSS 0.83378
Exploits: 8
Metasploit
•added 2015/06/03 8:59 p.m.•65 views

SysAid Help Desk Arbitrary File Download

This module exploits two vulnerabilities in SysAid Help Desk that allow an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability CVE-2015-2997 is used to obtain the file system path, and then we abuse a directory traversal CVE-2015-2996 ...

CVSS 8.5 • AI score 6.2 • EPSS 0.86643
Exploits: 10
Metasploit
•added 2015/06/03 8:46 p.m.•99 views

SysAid Help Desk Database Credentials Disclosure

This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. This is used to download the server configuration file that contains the database username and password, which is encrypted with a fixed, known key. This modul...

CVSS 8.5 • AI score 10 • EPSS 0.86643
Exploits: 10
Metasploit
•added 2015/06/03 8:44 p.m.•23 views

SysAid Help Desk Administrator Portal Arbitrary File Upload

This module exploits a file upload vulnerability in SysAid Help Desk. The vulnerability exists in the ChangePhoto.jsp in the administrator portal, which does not correctly handle directory traversal sequences and does not enforce file extension restrictions. While an attacker needs an administrat...

CVSS 6.5 • AI score 6.9 • EPSS 0.49791
Exploits: 9
Metasploit
•added 2015/06/03 8:38 p.m.•37 views

SysAid Help Desk Administrator Account Creation

This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to create an administrator account. Note that this exploit will only work once. Any subsequent attempts will fail. On the other hand, the credentials must be verified manually. This module has been tested...

CVSS 7.5 • AI score 7.1 • EPSS 0.55362
Exploits: 7
Metasploit
•added 2015/06/03 11:48 a.m.•97 views

Windows ClientCopyImage Win32k Exploit

This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.8 • AI score 7.3 • EPSS 0.562
Exploits: 38
Metasploit
•added 2015/06/01 3:11 p.m.•23 views

Windows Interactive Powershell Session, Reverse TCP

Listen for a connection and spawn an interactive powershell session This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/powershell' module MetasploitModule CachedSize = :dynamic include...

AI score 7.4
Exploits: 0
Metasploit
•added 2015/06/01 3:11 p.m.•26 views

Windows Interactive Powershell Session, Bind TCP

Listen for a connection and spawn an interactive powershell session This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/powershell' Extends the Exec payload run a powershell command module MetasploitModule...

Exploits: 0
Metasploit
•added 2015/05/29 9:14 p.m.•24 views

AVTECH 744 DVR Account Information Retrieval

This module will extract the account information from the AVTECH 744 DVR devices, including usernames, cleartext passwords, and the device PIN, along with a few other miscellaneous details. In order to extract the information, hardcoded credentials admin/admin are used. These credentials can't be...

AI score 6.8
Exploits: 0
Metasploit
•added 2015/05/28 8:39 p.m.•21 views

ColdFusion Version Scanner

This module attempts to identify various flavors of ColdFusion up to version 10 as well as the underlying OS. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ColdFusion Version Scanner',...

AI score 7.3
Exploits: 0
Metasploit
•added 2015/05/27 10:5 p.m.•42 views

Adobe Flash Player NetConnection Type Confusion

This module exploits a type confusion vulnerability in the NetConnection class on Adobe Flash Player. With a correct memory layout, this vulnerability allows corruption of arbitrary memory. It can be used to overwrite dangerous objects, like vectors, and ultimately accomplish remote code...

CVSS 9.3 • AI score 9.5 • EPSS 0.71536
Exploits: 4
Metasploit
•added 2015/05/26 5:51 a.m.•61 views

Android Settings Remove Device Locks (4.0-4.3)

This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class. Any unprivileged app can exploit this vulnerability to remove the lockscreen. A logic flaw / design error exists in the settings application that allows an Intent from any application to clear the...

CVSS 8.8 • AI score 10 • EPSS 0.08896
Exploits: 2
Metasploit
•added 2015/05/25 12:41 p.m.•42 views

Android Screen Capture

This module takes a screenshot of the target phone. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Screen Capture', 'Description' = %q This module takes a screenshot of the target phon...

Exploits: 0
Metasploit
•added 2015/05/25 12:37 p.m.•71 views

Android Root Remove Device Locks (root)

This module uses root privileges to remove the device lock. In some cases the original lock method will still be present but any key/gesture will unlock the device. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework clas...

AI score 1.1
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•16 views

Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support

Inject a VNC Dll via a reflective loader Windows x64 staged. Listen for an IPv6 connection with UUID Support Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 526 include...

AI score 0.2
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•12 views

Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 331 include...

Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•11 views

Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support

Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection with UUID Support Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 526 include...

AI score 7.5
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•12 views

Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager

Inject the meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Listen for an IPv6 connection Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module...

AI score 0.8
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•9 views

Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 331 include Msf::Payload::Stager...

AI score 0.2
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•10 views

Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)

Inject the meterpreter server DLL staged. Listen for an IPv6 connection with UUID Support Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 331 include Msf::Payload::Stag...

AI score 7.4
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•10 views

Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager

Inject a VNC Dll via a reflective loader Windows x64 staged. Listen for an IPv6 connection Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 485 include...

AI score 7
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•8 views

Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Uploads an executable and runs it staged. Listen for an IPv6 connection with UUID Support Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 331 include Msf::Payload::Stag...

AI score 7.1
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•9 views

VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)

Inject a VNC Dll via a reflective loader staged. Listen for an IPv6 connection with UUID Support Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 331 include...

Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•12 views

Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)

Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Listen for an IPv6 connection with UUID Support Windows x86 This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 0.5
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•45 views

Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support

Inject the meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Listen for an IPv6 connection with UUID Support Windows x64 This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 0.4
Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•10 views

Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)

Spawn a piped command shell staged. Listen for an IPv6 connection with UUID Support Windows x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 331 include Msf::Payload::Stager...

Exploits: 0
Metasploit
•added 2015/05/25 1:21 a.m.•12 views

Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager

Spawn a piped command shell Windows x64 staged. Listen for an IPv6 connection Windows x64 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 485 include Msf::Payload::Stager include...

AI score 0.1
Exploits: 0
Metasploit
•added 2015/05/21 3:23 p.m.•411 views

WordPress Simple Backup File Read Vulnerability

This module exploits a directory traversal vulnerability in WordPress Plugin "Simple Backup" version 2.7.10, allowing arbitrary files to be read with the web server privileges. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 6.9
Exploits: 0
Metasploit
•added 2015/05/20 11:57 p.m.•26 views

Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free

This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress a malformed byte stream. This module has been tested successfully on: Windows 7 SP1 32 bits, IE 8 to IE 11 and Flash...

CVSS 9.8 • AI score 6.4 • EPSS 0.8582
Exploits: 5
Metasploit
•added 2015/05/20 10:18 p.m.•25 views

Windows Powershell Execution Post Module

This module will execute a powershell script in a meterpreter session. The user may also enter text substitutions to be made in memory before execution. Setting VERBOSE to true will output both the script prior to execution and the results. This module requires Metasploit:...

AI score 7.3
Exploits: 0
Metasploit
•added 2015/05/19 1:6 p.m.•44 views

Load Scripts Into PowerShell Session

This module will download and execute one or more PowerShell scripts over a present powershell session. Setting VERBOSE to true will show the stager results. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

Exploits: 0
Metasploit
•added 2015/05/19 8:49 a.m.•73 views

Forward SSH Agent Requests To Remote Pageant

This module forwards SSH agent requests from a local socket to a remote Pageant instance. If a target Windows machine is compromised and is running Pageant, this will allow the attacker to run normal OpenSSH commands e.g. ssh-add -l against the Pageant host which are tunneled through the...

AI score 0.2
Exploits: 0
Metasploit
•added 2015/05/18 11:19 a.m.•25 views

Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)

Inject the mettle server payload staged. Listen for an IPv6 connection with UUID Support Linux x86 This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 166 include Msf::Payload::Stager...

AI score 7.4
Exploits: 0
Total number of security vulnerabilities: 6845