Gather Steam Server Information
This module uses the A2S_INFO request to obtain information from a Steam server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Microsoft SQL Server Escalate EXECUTE AS
This module can be used to escalate privileges if the IMPERSONATION privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges. This module requires Metasploit: https://metasploit.com/download Current...
Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function...
Tincd Post-Authentication Remote TCP Stack Buffer Overflow
This module exploits a stack buffer overflow in Tinc's tincd service. After authentication, a specially crafted TCP packet (default port 655) leads to a buffer overflow and allows arbitrary code execution. This module has been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows ...
MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed. The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute o...
ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use those privileges to dump the whole password database in CS...
Visual Mining NetCharts Server Remote Code Execution
This module exploits multiple vulnerabilities in Visual Mining NetCharts. First, a lack of input validation in the administration console permits arbitrary jsp code upload to locations accessible later through the web service. Authentication is typically required, however a 'hidden' user is...
ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure
ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First, th...
Outlook Web App (OWA) Brute Force Utility
This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Citrix NetScaler SOAP Handler Remote Code Execution
This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance. The vulnerability exists in the SOAP handler, accessible through the web interface. A malicious SOAP request can force the handler to connect to a malicious NetScaler config server. This malicious config...
Android Open Source Platform (AOSP) Browser UXSS
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on ...
Xerox Workcentre 5735 LDAP Service Credential Extractor
This module extracts the printer's LDAP username and password from a Xerox Workcentre 5735. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Konica Minolta Password Extractor
This module will extract FTP and SMB account usernames and passwords from Konica Minolta multifunction printer (MFP) devices. Tested models include C224, C280, 283, C353, C360, 363, 420, C452, C452, C452, C454e, and C554. This module requires Metasploit: https://metasploit.com/download Current...
Xerox Administrator Console Password Extractor
This module will extract the management console's admin password from the Xerox file system using firmware bootstrap injection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability
This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary commands under root privileges. This module requires Metasploit: https://metasploit.com/download Current source:...
GNU Wget FTP Symlink Arbitrary Filesystem Access
This module exploits a vulnerability in Wget when used in recursive (-r) mode with an FTP server as a destination. A symlink is used to allow arbitrary writes to the target's filesystem. To specify content for the file, use the "file:/path" syntax for the TARGETDATA option. Tested successfully with...
tnftp "savefile" Arbitrary Command Execution
This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component...
X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution
This module exploits a post-auth vulnerability found in X7 Chat versions 2.0.0 up to 2.0.5.1. The vulnerable code exists in lib/message.php, which uses the preg_replace function with the /e modifier. This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine. This...
Microsoft Windows Authenticated Administration Utility
This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the "psexec" utility provided by SysInternals. Daisy chaining commands with '&' does not work and users shouldn't try it. This module is useful because...
Windows TrackPopupMenu Win32k NULL Pointer Dereference
This module exploits a NULL pointer dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested...
Western Digital MyBook Live Login Utility
This module simply attempts to log in to a Western Digital MyBook Live instance using a specific user/pass. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Jenkins-CI Script-Console Java Execution
This module uses the Jenkins-CI Groovy script console to execute OS commands using Java. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Joomla Akeeba Kickstart Unserialize Remote Code Execution
This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier 3.x versions, and 3.3.0 through 3.3.4. The vulnerability affects the Akeeba component, which is responsible for Joomla! updates. Nevertheless, it is worth noting that this vulnerability is only...
CUPS Filter Bash Environment Variable Code Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password are required to exploit this vulnerability through CUPS. Thi...
SSH User Code Execution
This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. This module requires Metasploit: https://metasploit.com/download Current source:...
HTTP SSL/TLS Version Detection (POODLE scanner)
Check if an HTTP server supports a given version of SSL/TLS. If a web server can successfully establish an SSLv3 session, it is likely to be vulnerable to the POODLE attack described on October 14, 2014, as a patch against the attack is unlikely...
Microsoft SQL Server SQLi Escalate Db_Owner
This module can be used to escalate SQL Server user privileges to sysadmin through a web SQL injection. In order to escalate, the database user must have the db_owner role in a trustworthy database owned by a sysadmin user. Once the database user has the sysadmin role, the mssql_payload_sqli modu...
MS14-060 Microsoft Windows OLE Package Manager Code Execution
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our...
Drupal HTTP Parameter Key/Value SQL Injection
This module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This module was tested against Drupal 7.0 and 7.31 (fixed in 7.32). Two methods are available to trigger the PHP payload on the target: - set...
Oracle TNS Listener Checker
This module checks the server for vulnerabilities like TNS Poison. The module sends the server a packet with a command to register a new TNS Listener and checks for a response indicating an error. If the registration returns an error, the target is not vulnerable. Otherwise, the target is vulnerable to malicious...
HP Data Protector EXEC_INTEGUTIL Remote Code Execution
This exploit abuses a vulnerability in HP Data Protector. The vulnerability exists in the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL request allows executing arbitrary commands from a restricted directory. Since it includes a perl executable, it's possible...
HP Operations Manager Perfd Environment Scanner
This module will enumerate the process list of a remote machine by abusing HP Operations Manager's unauthenticated 'perfd' daemon. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Buffalo NAS Login Utility
This module simply attempts to log in to a Buffalo NAS instance using a specific username and password. It has been confirmed to work on version 1.68. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
HTTP Login Utility
This module attempts to authenticate to an HTTP service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Rejetto HttpFileServer Remote Command Execution
Rejetto HttpFileServer (HFS) is vulnerable to a remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP...
BMC / Numara Track-It! Domain Administrator and SQL Server User Password Disclosure
This module exploits an unauthenticated configuration retrieval .NET remoting service in Numara / BMC Track-It! v9 to v11.X, which can be abused to retrieve the Domain Administrator and the SQL server user credentials. This module has been tested successfully on versions 11.3.0.355, 10.0.51.135,...
Numara / BMC Track-It! FileStorageService Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It! v8 to v11.X. The application exposes the FileStorageService .NET remoting service on port 9010 (9004 for version 8) which accepts unauthenticated uploads. This can be abused by a malicious user to upload an ASP or...
Centreon SQL and Command Injection
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands as long as there is a valid...
Jenkins-CI Login Utility
This module attempts to log in to a Jenkins-CI instance using a specific user/pass. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Linux PolicyKit Race Condition Privilege Escalation
A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. Those vulnerable include RHEL6 prior to...
Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the Pure-FTPd FTP server when it has been compiled with the --with-extauth flag and an external Bash script is used for authentication. If the server is not...
PXE Exploit Server
This module provides a PXE server, running a DHCP and TFTP server. The default configuration loads a Linux kernel and initrd into memory that reads the hard drive, placing the payload on the hard drive of any Windows partition seen. Note: the displayed IP address of a target is the address this...
ManageEngine OpManager and Social IT Arbitrary File Upload
This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT. The vulnerability exists in the FileCollector servlet which accepts unauthenticated file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on version 11.0 of SocialIT for Window...
F5 iControl Remote Root Command Execution
This module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API and likely other F5 devices. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
WordPress custom-contact-forms Plugin SQL Upload
The WordPress custom-contact-forms plugin ... Credits: Marc-Alexandre Montpas (vulnerability discovery), Christian Mehlmauer (Metasploit module). License: MSF_LICENSE. References: ...
Microsoft SQL Server Escalate Db_Owner
This module can be used to escalate privileges to sysadmin if the user has the db_owner role in a trustworthy database owned by a sysadmin user. Once the user has the sysadmin role, the mssql_payload module can be used to obtain a shell on the system. This module requires Metasploit:...
Dhclient Bash Environment Variable Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment...
DHCP Client Bash Environment Variable Code Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment...
Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. This module requires Metasploit:...
Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler...