6845 matches found

Metasploit • added 2015/02/18 1:25 a.m. • 73 views

JBoss Seam 2 File Upload and Execute

Versions of the JBoss Seam 2 framework 2.2.1CR2 fail to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the...

CVSS 8.8 | AI score 0.4 | EPSS 0.83397 | Exploits: 8

Metasploit • added 2015/02/17 6:53 p.m. • 41 views

Chromecast Web Server Scanner

This module scans for the Chromecast web server on port 8008/TCP, and can be used to discover devices which can be targeted by other Chromecast modules, such as chromecast_youtube.

AI score 7.1 | Exploits: 0

Metasploit • added 2015/02/17 11:44 a.m. • 28 views

Amazon Fire TV YouTube Remote Control

This module acts as a simple remote control for the Amazon Fire TV's YouTube app. Tested on the Amazon Fire TV Stick.

AI score 7.5 | Exploits: 0

Metasploit • added 2015/02/15 3:27 p.m. • 19 views

WordPress Ultimate CSV Importer User Table Extract

Due to lack of verification of a visitor's permissions, it is possible to execute the 'export.php' script included in the default installation of the Ultimate CSV Importer plugin and retrieve the full contents of the user table in the WordPress installation. This results in full disclosure of...

AI score 7.1 | Exploits: 0

Metasploit • added 2015/02/14 12:54 p.m. • 17 views

WordPress Holding Pattern Theme Arbitrary File Upload

This module exploits a file upload vulnerability in all versions of the Holding Pattern theme found in the uploadfile.php script which contains no session or file validation. It allows unauthenticated users to upload files of any type and subsequently execute PHP scripts in the context of the web...

CVSS 7.5 | AI score 7.5 | EPSS 0.59254 | Exploits: 6

Metasploit • added 2015/02/13 11:17 p.m. • 168 views

SMB Version Detection

Fingerprint and display version information about SMB servers. Protocol information and host operating system (if available) will be reported. Host operating system detection requires the remote server to support version 1 of the SMB protocol. Compression and encryption capability negotiation is on...

AI score 7.1 | Exploits: 0

Metasploit • added 2015/02/12 5:45 p.m. • 13 views

Maarch LetterBox Unrestricted File Upload

This module exploits a file upload vulnerability on Maarch LetterBox 2.8 due to a lack of session and file validation in the filetoindex.php script. It allows unauthenticated users to upload files of any type and subsequently execute PHP scripts in the context of the web server. This module...

CVSS 7.5 | AI score 7.5 | EPSS 0.44188 | Exploits: 4

Metasploit • added 2015/02/11 6:39 p.m. • 40 views

Windows Manage PXE Exploit Server

This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a Linux kernel and initrd into memory that reads the hard drive; placing a payload to install metsvc, disable the firewall, and add a new user metasploit on any Windows partition seen, and add a uid...

AI score 7.3 | Exploits: 0

Metasploit • added 2015/02/11 6:38 p.m. • 35 views

PXE Boot Exploit Server

This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a Linux kernel and initrd into memory that reads the hard drive; placing a payload to install metsvc, disable the firewall, and add a new user metasploit on any Windows partition seen, and add a uid...

AI score 7 | Exploits: 0

Metasploit • added 2015/02/11 1:3 a.m. • 25 views

WordPress Photo Gallery Unrestricted File Upload

Photo Gallery Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the photo-gallery\photo-gallery.php script allows access to filemanager\UploadHandler.php. The post method in UploadHandler.php does not properly verify or...

CVSS 8.8 | AI score 0.6 | EPSS 0.45354 | Exploits: 7

Metasploit • added 2015/02/10 5:3 p.m. • 51 views

Android Browser RCE Through Google Play Store XFO

This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, th...

CVSS 5.8 | AI score 8.9 | EPSS 0.19862 | Exploits: 7

Metasploit • added 2015/02/09 11:39 p.m. • 22 views

Achat Unicode SEH Buffer Overflow

This module exploits a Unicode SEH buffer overflow in Achat. By sending a crafted message to the default port 9256/UDP, it's possible to overwrite the SEH handler. Even when the exploit is reliable, it depends on timing since there are two threads overflowing the stack at the same time. This modu...

AI score 0.1 | Exploits: 0

Metasploit • added 2015/02/08 6:49 p.m. • 86 views

Windows File Gather File from Raw NTFS

This module gathers a file using the raw NTFS device, bypassing some Windows restrictions such as open file with write lock. Because it avoids the usual file locking issues, it can be used to retrieve files such as NTDS.dit.

AI score 7 | Exploits: 0

Metasploit • added 2015/02/07 5:50 p.m. • 67 views

MySQL Login Utility

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

CVSS 7.5 | AI score 7.3 | EPSS 0.51933 | Exploits: 41

Metasploit • added 2015/02/06 5:5 p.m. • 16 views

X360 VideoPlayer ActiveX Control Buffer Overflow

This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the X360 Software. By setting an overly long value to 'ConvertFile', an attacker can overrun a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.

AI score 8 | Exploits: 0

Metasploit • added 2015/02/05 6:26 p.m. • 35 views

MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection

This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet Explorer 10 and 11. By default, you will steal the cookie from TARGETURI, which cannot have X-Frame-Options or it will fail. You can also have your own custom JavaScript by setting the CUSTOMJS option. Lastl...

CVSS 4.3 | AI score 6.3 | EPSS 0.71698 | Exploits: 5

Metasploit • added 2015/02/03 10:13 p.m. • 35 views

WordPress Pixabay Images PHP Code Upload

This module exploits multiple vulnerabilities in the WordPress plugin Pixabay Images 2.3.6. The plugin does not check the host of a provided download URL which can be used to store and execute malicious PHP code on the system.

CVSS 4 | AI score 10 | EPSS 0.33974 | Exploits: 2

Metasploit • added 2015/02/03 8:8 p.m. • 42 views

Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution

This module exploits a vulnerability in the update functionality of Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes Anti-Exploit consumer 1.03.1.1220. Due to the lack of proper update package validation, a man-in-the-middle (MITM) attacker could execute arbitrary code by spoofing t...

CVSS 9.3 | AI score 7 | EPSS 0.16784 | Exploits: 6

Metasploit • added 2015/02/02 1:47 a.m. • 67 views

MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape

This module abuses a process creation policy in Internet Explorer's sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the Protected Mode and execute code with Medium Integrity. At the moment, this...

CVSS 7.8 | AI score 6.7 | EPSS 0.7594 | Exploits: 5

Metasploit • added 2015/01/31 9:2 p.m. • 33 views

WordPress Platform Theme File Upload Vulnerability

The WordPress Theme "platform" contains a remote code execution vulnerability through an unchecked admin_init call. The theme includes the uploaded file from its temp filename with PHP's include function.

AI score 0.1 | Exploits: 0

Metasploit • added 2015/01/30 6:50 p.m. • 71 views

Windows Gather User Credentials (phishing)

This module is able to perform a phishing attack on the target by popping up a loginprompt. When the user fills credentials in the loginprompt, the credentials will be sent to the attacker. The module is able to monitor for new processes and pop up a loginprompt when a specific process is starting...

AI score 6.9 | Exploits: 0

Metasploit • added 2015/01/30 2:29 p.m. • 168 views

WordPress XMLRPC GHOST Vulnerability Scanner

This module can be used to determine hosts vulnerable to the GHOST vulnerability via a call to the WordPress XMLRPC interface. If the target is vulnerable, the system will segfault and return a server error. On patched systems, a normal XMLRPC error is returned.

CVSS 10 | AI score 7 | EPSS 0.94859 | Exploits: 29

Metasploit • added 2015/01/30 11:20 a.m. • 83 views

Windows Escalate Golden Ticket

This module will create a Golden Kerberos Ticket using the Mimikatz Kiwi Extension. If no options are applied it will attempt to identify the current domain, the domain administrator account, the target domain SID, and retrieve the krbtgt NTLM hash from the database. By default the well-known...

AI score 6.7 | Exploits: 0

Metasploit • added 2015/01/28 7:44 p.m. • 46 views

ManageEngine Multiple Products Arbitrary Directory Listing

This module exploits a directory listing information disclosure vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It makes a recursive listing, so it will list the whole drive if you ask it to list / in Linux or C:\ in Windows. This vulnerabilit...

CVSS 7.5 | AI score 6.9 | EPSS 0.83031 | Exploits: 11

Metasploit • added 2015/01/28 7:42 p.m. • 45 views

ManageEngine Multiple Products Arbitrary File Download

This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This module will attempt to login using th...

CVSS 7.5 | AI score 7.3 | EPSS 0.83031 | Exploits: 11

Metasploit • added 2015/01/28 6:24 p.m. • 44 views

MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference

A vulnerability within the Microsoft TCP/IP protocol driver (tcpip.sys) can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM.

CVSS 7.2 | AI score 0.5 | EPSS 0.22666 | Exploits: 12

Metasploit • added 2015/01/27 10:47 a.m. • 47 views

Windows Run Command As User

This module will log in with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default. Unless targeting a local user, either set the DOMAIN or specify a UPN user format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI...

AI score 7.4 | Exploits: 0

Metasploit • added 2015/01/27 1:53 a.m. • 30 views

Multi Gather RubyGems API Key

This module obtains a user's RubyGems API key from ~/.gem/credentials.

AI score 7 | Exploits: 0

Metasploit • added 2015/01/24 4:14 p.m. • 41 views

Huawei Datacard Information Disclosure Vulnerability

This module exploits an unauthenticated information disclosure vulnerability in Huawei SOHO routers. The module will gather information by accessing the /api pages where authentication is not required, allowing configuration changes as well as information disclosure, including any stored SMS. Thi...

CVSS 4.3 | AI score 6.8 | EPSS 0.06079 | Exploits: 5

Metasploit • added 2015/01/22 4:44 a.m. • 47 views

McAfee Virus Scan Enterprise Password Hashes Dump

This module extracts the password hash from McAfee Virus Scan Enterprise (VSE) used to lock down the user interface. Hashcat supports cracking this type of hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt (--hex-salt) of 01000f000d003300 (unicode "\x01\x0f\x0d\x33"). A dynamic format i...

AI score 7.1 | Exploits: 0

Metasploit • added 2015/01/16 12:39 p.m. • 71 views

Authentication Capture: SMB

This module provides a SMB service that can be used to capture the challenge-response password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems. Responses sent by this service by default use a random 8 byte challenge string. A specific value such as 1122334455667788 can be set...

AI score 7.2 | Exploits: 0

Metasploit • added 2015/01/14 9:4 p.m. • 31 views

GetGo Download Manager HTTP Response Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in GetGo Download Manager version 5.3.0.2712 and earlier, caused by an overly long HTTP response header. By persuading the victim to download a file from a malicious server, a remote attacker could execute arbitrary code on the system o...

CVSS 10 | AI score 1.1 | EPSS 0.6144 | Exploits: 12

Metasploit • added 2015/01/14 4:54 p.m. • 33 views

McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure

This module will exploit an authenticated XXE vulnerability to read the keystore.properties off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is set as the same password as the database 's...

CVSS 5 | AI score 0.4 | EPSS 0.17355 | Exploits: 4

Metasploit • added 2015/01/13 12:40 a.m. • 47 views

Memcached Extractor

This module extracts the slabs from a memcached instance. It then finds the keys and values stored in those slabs.

AI score 6.8 | Exploits: 0

Metasploit • added 2015/01/12 9:8 p.m. • 28 views

Apple Airport ACPP Authentication Scanner

This module attempts to authenticate to an Apple Airport using its proprietary and largely undocumented protocol known only as ACPP.

AI score 6.9 | Exploits: 0

Metasploit • added 2015/01/10 9:5 p.m. • 27 views

WordPress WP EasyCart Unrestricted File Upload

WordPress Shopping Cart WP EasyCart Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /inc/amfphp/administration/banneruploaderscript.php script does not properly verify or sanitize user-uploaded files. By uploading a .p...

CVSS 6.5 | AI score 7.9 | EPSS 0.51617 | Exploits: 7

Metasploit • added 2015/01/10 6:29 a.m. • 24 views

Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool

The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM), before version 10, doesn't implement access control properly, which allows remote attackers to modify user information. This module exploits the vulnerability to make unauthorized speed dial entity...

CVSS 7.5 | AI score 7 | EPSS 0.21879 | Exploits: 4

Metasploit • added 2015/01/10 6:28 a.m. • 20 views

Viproy CUCDM IP Phone XML Services - Call Forwarding Tool

The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) 10 does not properly implement access control, which allows remote attackers to modify user information. This module exploits the vulnerability to configure unauthorized call forwarding.

CVSS 7.5 | AI score 0.4 | EPSS 0.21879 | Exploits: 4

Metasploit • added 2015/01/07 10:2 p.m. • 21 views

WordPress WP Symposium 14.11 Shell Upload

WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /wp-symposium/server/fileuploadform.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will pla...

AI score 7.6 | Exploits: 0

Metasploit • added 2015/01/05 5:14 a.m. • 55 views

ManageEngine Desktop Central Administrator Account Creation

This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central including MSP from v7 onwards.

CVSS 9.8 | AI score 7.2 | EPSS 0.81048 | Exploits: 8

Metasploit • added 2015/01/04 6:50 p.m. • 50 views

WordPress Long Password DoS

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing.

CVSS 5 | AI score 6.4 | EPSS 0.83162 | Exploits: 7

Metasploit • added 2015/01/04 5:5 p.m. • 38 views

ManageEngine Multiple Products Authenticated File Upload

This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk, AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts the upload does not correctly handle '../' sequences, which can be abused to write to the file system. Authentication ...

CVSS 8.8 | AI score 7 | EPSS 0.78378 | Exploits: 7

Metasploit • added 2015/01/02 5:31 p.m. • 85 views

MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check

On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to...

CVSS 7.2 | AI score 6.9 | EPSS 0.13802 | Exploits: 4

Metasploit • added 2015/01/01 7:3 p.m. • 63 views

Malicious Git and Mercurial HTTP Server For CVE-2014-9390

This module exploits CVE-2014-9390, which affects Git versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1 and Mercurial versions less than 3.2.3 and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be...

CVSS 9.8 | AI score 9.7 | EPSS 0.63178 | Exploits: 5

Metasploit • added 2014/12/27 9:3 p.m. • 46 views

Reflective DLL Injection, Hidden Bind Ipknock TCP Stager

Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as...

AI score 6.9 | Exploits: 0

Metasploit • added 2014/12/27 9:3 p.m. • 43 views

VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager

Inject a VNC DLL via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket wil...

AI score 6.9 | Exploits: 0

Metasploit • added 2014/12/27 9:3 p.m. • 39 views

Windows Inject DLL, Hidden Bind Ipknock TCP Stager

Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will...

AI score 7 | Exploits: 0

Metasploit • added 2014/12/27 9:3 p.m. • 39 views

Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager

Inject the Meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appea...

AI score 7 | Exploits: 0

Metasploit • added 2014/12/27 9:3 p.m. • 43 views

Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager

Inject the Meterpreter server DLL via the Reflective DLL Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping)...

AI score 7.4 | Exploits: 0

Metasploit • added 2014/12/27 9:3 p.m. • 44 views

Windows Upload/Execute, Hidden Bind Ipknock TCP Stager

Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appea...

AI score 7 | Exploits: 0

Total number of security vulnerabilities: 6845