WordPress W3 Total Cache PHP Code Execution
This module exploits a PHP Code Injection vulnerability against WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PH...
WordPress cache_lastpostdate Arbitrary Code Execution
This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled, which is common for hosting providers. All versions of WordPress prior to 1.5.1.3 are affected. This module requires Metasploit:...
Wordpress InfusionSoft Upload Vulnerability
This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file upload and remote code execution. This module requires Metasploit: https://metasploit.com/download Current source:...
Python Meterpreter, Python Reverse HTTPS Stager
Run a Meterpreter server in Python, compatible with 2.5-2.7 & 3.1+. Tunnel communication over HTTP using SSL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include...
Java RMI Registry Interfaces Enumeration
This module gathers information from an RMI endpoint running an RMI registry interface. It enumerates the names bound in a registry and looks up each remote reference. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Exim GHOST (glibc gethostbyname) Buffer Overflow
This module remotely exploits CVE-2015-0235, aka GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions on x86 and x86_64 GNU/Linux systems that run the Exim mail server. This module requires Metasploit: https://metasploit.com/download Current source:...
Java JMX Server Insecure Configuration Java Code Execution
This module takes advantage of an insecure Java JMX interface configuration, which allows loading classes from any remote HTTP URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while interfaces with authentication enabled will ...
TWiki Debugenableplugins Remote Code Execution
TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in a Perl eval statement, which allows remote code execution. This module requires Metasploit: https://metasploit.com/download Current source:...
OpenNMS Authenticated XXE
OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface. Although this attack requires authentication, there are several factors that increase the severity of this vulnerability. 1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty...
GitLab Login Utility
This module attempts to log in to a GitLab instance using a specific user/pass. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/credential_collection' require...
GitLab User Enumeration
The GitLab 'internal' API is exposed unauthenticated on GitLab. This allows the username for each SSH Key ID number to be retrieved. Users who do not have an SSH Key cannot be enumerated in this fashion. LDAP users, e.g. Active Directory users, will also be returned. This issue was fixed in GitLab...
Symantec Web Gateway Login Utility
This module will attempt to authenticate to a Symantec Web Gateway. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/login_scanner/symantec_web_gateway' require...
iPass Mobile Client Service Privilege Escalation
The named pipe, \IPEFSYSPCPIPE, can be accessed by normal users to interact with the iPass service. The service provides a LaunchAppSysMode command which allows arbitrary commands to be executed as SYSTEM. This module requires Metasploit: https://metasploit.com/download Current source:...
D-Link/TRENDnet NCC Service Command Injection
This module exploits a remote command injection vulnerability on several routers. The vulnerability exists in the ncc service, while handling ping commands. This module has been tested on a DIR-626L emulated environment. Several D-Link and TRENDnet devices are reported as affected, including:...
F5 Networks Devices Management Interface Scanner
This module attempts to identify the web management interfaces of the following F5 Networks devices: BigIP, BigIQ, Enterprise Manager, ARX, and FirePass. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Microsoft Windows Shell LNK Code Execution
This module exploits a vulnerability in the MS10-046 patch to again abuse the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the...
Microsoft Windows Shell LNK Code Execution
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload inside a DLL, and generates a LNK file which must be sent to the target. This module requires...
Microsoft Windows Shell LNK Code Execution
This module exploits a vulnerability in the MS10-046 patch to again abuse the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates the required files to exploit the vulnerability. They must be uploaded to a UNC path accessible by...
Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTPS (Windows winhttp). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework modu...
Adobe Flash Player PCRE Regex Vulnerability
This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error in the PCRE engine, specifically in the handling of the \c escape sequence when followed by a multi-byte UTF-8 character, allows arbitrary execution of PCRE bytecode. This module requires Metasploit:...
Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 533 include Msf::Payload::Stager include...
VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
Inject a VNC DLL via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 533 include Msf::Payload::Stager...
Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows winhttp). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework modul...
Belkin Play N750 login.cgi Buffer Overflow
This module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB Wireless Dual-Band N+ routers. The vulnerability exists in the handling of HTTP queries with long 'jump' parameters addressed to the /login.cgi URL, allowing remote unauthenticated attackers to execute...
ElasticSearch Search Groovy Sandbox Bypass
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows Groovy code execution and its sandbox can be bypass...
IPass Control Pipe Remote Command Execution
This module exploits a vulnerability in the iPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused to force the service to load a DLL from an SMB share. This module requires Metasploit: https://metasploit.com/download...
Brocade Enable Login Check Scanner
This module will test a range of Brocade network devices for privileged logins and report successes. The device authentication mode must be set as 'aaa authentication enable default local'. Telnet authentication, e.g. 'enable telnet authentication', should not be enabled in the device...
F5 BigIP Access Policy Manager Session Exhaustion Denial of Service
This module exploits a resource exhaustion denial of service in F5 BigIP devices. An unauthenticated attacker can establish multiple connections with BigIP Access Policy Manager (APM) and exhaust all available sessions defined in the customer license. In the first step of the BigIP APM negotiation the...
Nvidia Mental Ray Satellite Service Arbitrary DLL Injection
The Nvidia Mental Ray Satellite Service listens for control commands on port 7414. When it receives the command to load a DLL via a UNC path it will try to connect back to the host on port 7514. If a TCP connection is successful it will then attempt to load the DLL. This module has been tested...
Samba _netr_ServerPasswordSet Uninitialized Credential State
This module checks if a Samba target is vulnerable to an uninitialized variable (creds) vulnerability. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samba _netr_ServerPasswordSet Uninitialized...
Generic DLL Injection From Shared Resource
This is a general-purpose module for exploiting conditions where a DLL can be loaded from a specified SMB share. This module serves payloads as DLLs over an SMB service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Generic Web Application DLL Injection
This is a general-purpose module for exploiting conditions where an HTTP request triggers a DLL load from a specified SMB share. This module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. This module requires...
HP Data Protector 8.10 Remote Command Execution
This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be executed by sending crafted requests with opcode 28 to the OmniInet service listening on TCP port 5555. Since there is a strict length limitation on the command, rundll32.exe is executed, and...
PHPMoAdmin 1.1.2 Remote Code Execution
This module exploits an arbitrary PHP command execution vulnerability due to a dangerous use of eval in PHPMoAdmin. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'PHPMoAdmin 1.1.2 Remote Code...
Seagate Business NAS Unauthenticated Remote Command Execution
Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open ...
Symantec Web Gateway 5 restore.php Post Authentication Command Injection
This module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function, and gain control in the context of the HTTP service. For Symantec Web Gateway 5.1.1, you can explo...
Android Browser File Theft
This module steals the cookie, password, and autofill databases from the Browser application on AOSP 4.3 and below. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Browser File Theft',...
Printer File Deletion Scanner
This module deletes a file on a set of printers using the Printer Job Language (PJL) protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class MetasploitModule "Printer File Deletion...
Printer File Upload Scanner
This module uploads a file to a set of printers using the Printer Job Language (PJL) protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class MetasploitModule "Printer File Upload Scanner"...
mDNS Query
This module sends mDNS queries, which are really just normal UDP DNS queries, usually sent over multicast on a different port (5353). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'mDNS Query',...
LLMNR Query
This module sends LLMNR queries, which are really just normal UDP DNS queries, usually sent over multicast on a different port (5355). Targets other than the default RHOSTS (224.0.0.252) should not respond but may anyway. This module requires Metasploit: https://metasploit.com/download Current sourc...
WordPress WP EasyCart Plugin Privilege Escalation
The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated users of any user level to set any system option via a lack of validation in the ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php. The module first changes the...
Solarwinds Orion AccountManagement.asmx GetAccounts Admin Creation
This module exploits a stacked SQL injection in order to add an administrator user to the SolarWinds Orion database. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Solarwinds Orion...
WordPress WPLMS Theme Privilege Escalation
The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an authenticated user of any user level to set any system option due to a lack of validation in the import_data function of /includes/func.php. The module first changes the admin e-mail address to prevent any notifications being sent t...
WordPress Admin Shell Upload
This module will generate a plugin, pack the payload into it and upload it to a server running WordPress, provided valid admin credentials are supplied. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/zip' cla...
HP Client Automation Command Injection
This module exploits a command injection vulnerability on HP Client Automation, now distributed as Persistent Systems Client Automation. The vulnerability exists in the Notify Daemon (radexecd.exe), which doesn't authenticate execution requests by default. This module has been tested...
Publish-It PUI Buffer Overflow (SEH)
This module exploits a stack-based buffer overflow in Publish-It when processing a specially crafted .PUI file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Publish-It to open a malicious .PUI file. This module...
Javascript Injection for Eval-based Unpackers
This module generates a JavaScript file that executes arbitrary code when an eval-based unpacker is run on it. Works against js-beautify's PACKER unpacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Chef Web UI Brute Force Utility
This module attempts to log in to a Chef Web UI server instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. It will also test for the default login admin:p@ssw0rd1. This module requires Metasploit: https://metasploit.com/download Current...
Zabbix Server Brute Force Utility
This module attempts to log in to a Zabbix server instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. It will also test for the Zabbix default login Admin:zabbix and guest access. This module requires Metasploit:...