Novell ZENworks Configuration Management Arbitrary File Upload
This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM), which is part of the ZENworks Suite. The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters...
Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory
This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When using a correct memory layout this vulnerability leads to a ByteArray object corruption,...
Windows Gather Active Directory BitLocker Recovery
This module will enumerate BitLocker recovery passwords in the default AD directory. This module does require Domain Admin or other delegated privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Netgear Unauthenticated SOAP Password Extractor
This module exploits an authentication bypass vulnerability in different Netgear devices. It allows extraction of the password for the remote management interface. This module has been tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable: NetGear WNDR3700v4 -...
WordPress Contus Video Gallery Unauthenticated SQL Injection Scanner
This module attempts to exploit a UNION-based SQL injection in Contus Video Gallery for WordPress version 2.7 and likely prior in order to determine if the instance is vulnerable.
Wordpress Front-end Editor File Upload
The WordPress Front-end Editor plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder because the plugin uses its own file upload mechanism instead of the WordPress API, which incorrectly allows uploads of any file type. This module...
Windows Interactive Powershell Session, Bind TCP
Listen for a connection and spawn an interactive powershell session. Extends the Exec payload to run a powershell command.
Windows Interactive Powershell Session, Reverse TCP
Listen for a connection and spawn an interactive powershell session.
InfluxDB Enum Utility
This module enumerates databases on InfluxDB using the REST API using the default authentication of root:root.
Windows Interactive Powershell Session, Reverse TCP
Interacts with a powershell session on an established socket connection.
Windows Interactive Powershell Session, Bind TCP
Interacts with a powershell session on an established socket connection.
WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin from version 1.3.3.3 to 1.3.9.5. It allows uploading arbitrary PHP code and gaining remote code execution. This module has been tested successfully on WordPress WPshop eCommerce 1.3.9.5 with WordPress 4.1.3 on Ubun...
WordPress GI-Media Library Plugin Directory Traversal Vulnerability
This module exploits a directory traversal vulnerability in WordPress Plugin GI-Media Library version 2.2.2, allowing arbitrary files to be read from the system with the web server privileges. This module has been tested successfully on GI-Media Library version 2.2.2 with WordPress 4.1.3 on Ubuntu...
Wordpress InBoundio Marketing PHP Upload Vulnerability
This module exploits an arbitrary file upload in the WordPress InBoundio Marketing version 2.0. It allows uploading arbitrary PHP files and gaining remote code execution. This module has been tested successfully on WordPress InBoundio Marketing 2.0.3 with WordPress 4.1.3 on Ubuntu 14.04 Server. This...
Airties login-cgi Buffer Overflow
This module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parameters. The vulnerability doesn't require authentication. This module has been tested successfully on the...
ProFTPD 1.3.5 Mod_Copy Command Execution
This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default...
Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft
A vulnerability exists in versions of OSX, iOS, and Windows Safari released before April 8, 2015 that allows the non-HTTPOnly cookies of any domain to be stolen.
WordPress CP Multi-View Calendar Unauthenticated SQL Injection Scanner
This module will scan given instances for an unauthenticated SQL injection within the CP Multi-View Calendar plugin v1.1.4 for WordPress.
Wordpress Reflex Gallery Upload Vulnerability
This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.
WordPress DukaPress Plugin File Read Vulnerability
This module exploits a directory traversal vulnerability in WordPress Plugin "DukaPress" version... (references: EDB 35346, CVE...)
WordPress Mobile Edition File Read Vulnerability
This module exploits a directory traversal vulnerability in WordPress Plugin "WP Mobile Edition" version 2.2.7, allowing arbitrary files to be read with the web server privileges.
Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure
This module tests vulnerable IIS HTTP header file paths on Microsoft Exchange OWA 2003 and CAS 2007, 2010, and 2013 servers.
BSD x64 Shell Bind TCP
Bind an arbitrary command to an arbitrary port.
BSD x64 Shell Reverse TCP
Connect back to attacker and spawn a command shell.
Adobe Flash Player copyPixelsToByteArray Method Integer Overflow
This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This...
MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial-of-service.
Wordpress N-Media Website Contact Form Upload Vulnerability
This module exploits an arbitrary PHP code upload in the WordPress N-Media Website Contact Form plugin, version 1.3.4. The vulnerability allows for arbitrary file upload and remote code execution.
Wordpress Creative Contact Form Upload Vulnerability
This module exploits an arbitrary PHP code upload in the WordPress Creative Contact Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.
Wordpress SlideShow Gallery Authenticated File Upload
The WordPress SlideShow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it's possible to upload any file type.
Wordpress Work The Flow Upload Vulnerability
This module exploits an arbitrary PHP code upload in the WordPress Work The Flow plugin, version 2.5.2. The vulnerability allows for arbitrary file upload and remote code execution.
BSD x64 Execute Command
Execute an arbitrary command.
Group Policy Script Execution From Shared Resource
This is a general-purpose module for exploiting systems with Windows Group Policy configured to load VBS startup/logon scripts from remote locations. This module runs an SMB shared resource that will provide a payload through a VBS file. Startup scripts will be executed with SYSTEM privileges, whi...
Apple OS X Rootpipe Privilege Escalation
This module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed "Rootpipe." This module was tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run...
Nessus RPC Interface Login Utility
This module will attempt to authenticate to a Nessus server RPC interface.
Adobe Flash Player casi32 Integer Overflow
This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is set up as domainMemory for the current application domain. This module has been tested successfully on Windows 7 SP1 32-bit,...
Arris / Motorola Surfboard SBG6580 Web Interface Takeover
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary website to take control of the modem, even if the user is not currently logged in. The attacker must successfully know, or guess, the target's internal gateway IP...
ManageEngine Desktop Central Login Utility
This module will attempt to authenticate to a ManageEngine Desktop Central.
Embedthis GoAhead Embedded Web Server Directory Traversal
This module exploits a directory traversal vulnerability in the Embedthis GoAhead Web Server v3.4.1, allowing an attacker to read arbitrary files with the web server privileges.
Ceragon FibeAir IP-10 SSH Private Key Exposure
Ceragon ships a public/private key pair on FibeAir IP-10 devices that allows passwordless authentication to any other IP-10 device. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "mateidu" user.
Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability
This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager 6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set the 'username'...
MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure
This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\windows\\system32\\calc.exe This...
Gallery WD for Joomla! Unauthenticated SQL Injection Scanner
This module will scan for Joomla! instances vulnerable to an unauthenticated SQL injection within the Gallery WD for Joomla! extension version 1.2.5 and likely prior.
Windows Gather Local SQL Server Hash Dump
This module extracts the usernames and password hashes from an MSSQL server and stores them as loot. It uses the same technique as mssql_local_auth_bypass.
Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner
This module will scan for hosts vulnerable to an unauthenticated SQL injection within the advanced search feature of the Web-Dorado ECommerce WD 1.2.5 and likely prior.
Adobe Flash Player ByteArray With Workers Use After Free
This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, which can fill the memory and notify the main thread to corrupt the new contents. This module has...
SSL Labs API Client
This module is a simple client for the SSL Labs APIs, designed for SSL/TLS assessment during a penetration test.
RIPS Scanner Directory Traversal
This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54, allowing arbitrary files to be read with the web server privileges.
Firefox Proxy Prototype Privileged Javascript Injection
This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
WordPress OptimizePress Theme File Upload Vulnerability
This module exploits a vulnerability found in the WordPress theme OptimizePress. The vulnerability is due to an insecure file upload on the media-upload.php component, allowing an attacker to upload arbitrary PHP code. This module has been tested successfully on OptimizePress 1.45. This module...
WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software plugin known as Foxypress. The vulnerability allows for arbitrary file upload and remote code execution via the uploadify.php script. The Foxypress plugin versions 0.4.1.1 to 0.4.2.1 are vulnerable. This...