6845 matches found

Metasploit • added 2014/09/24 10:44 p.m. • 65 views

OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the VMWare Fusion application, allowing an unprivileged local user to get root access. This module requires Metasploit: https://metasploit.com/download Curre...

CVSS 9.8 | AI score 0.9 | EPSS 0.99999
Exploits: 130

Metasploit • added 2014/09/24 5:22 a.m. • 35 views

HP Network Node Manager I PMD Buffer Overflow

This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The vulnerability exists in the pmd service, due to the insecure usage of functions like strcpy and strcat while handling stackoption packets with user controlled data. In order to bypass ASLR this module uses a...

CVSS 10 | AI score 7.4 | EPSS 0.65435
Exploits: 5

Metasploit • added 2014/09/19 9:59 p.m. • 244 views

GetSimpleCMS PHP File Upload Vulnerability

This module exploits a file upload vulnerability in GetSimple CMS. By abusing the upload.php file, a malicious authenticated user can upload an arbitrary file, including PHP code, which results in arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Current...

Exploits: 0

Metasploit • added 2014/09/18 7:31 p.m. • 16 views

UDP Empty Prober

Detect UDP services that reply to empty probes. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'UDP Empty Prober', 'Description' = 'Detect UDP services that reply to empty probes', 'Author' = 'J...

AI score 7.3
Exploits: 0

Metasploit • added 2014/09/18 7:18 p.m. • 26 views

ManageEngine DeviceExpert User Credentials

This module extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior. This module has been tested successfully on DeviceExpert version 5.9.7 build 5970. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 5 | AI score 6.8 | EPSS 0.57475
Exploits: 8

Metasploit • added 2014/09/15 10:9 p.m. • 40 views

Phpwiki Ploticus Remote Code Execution

The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via command injection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Phpwiki Ploticus Remote Code...

CVSS 7.5 | AI score 8.1 | EPSS 0.64971
Exploits: 4

Metasploit • added 2014/09/12 8:5 p.m. • 72 views

Windows Gather Remote Desktop Connection Manager Saved Password Extraction

This module extracts and decrypts saved Microsoft Remote Desktop Connection Manager (RDCMan) passwords from the .RDG files of users. The module will attempt to find the files configured for all users on the target system. Passwords for managed hosts are encrypted by default. In order for decryption of...

AI score 0.4
Exploits: 0

Metasploit • added 2014/09/12 1:57 p.m. • 36 views

Advantech WebAccess dvs.ocx GetColor Buffer Overflow

This module exploits a buffer overflow vulnerability in Advantech WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user-controlled data through the GetColor function. This module has been tested successfully on Windows XP SP3...

CVSS 7.5 | AI score 7.4 | EPSS 0.61384
Exploits: 6

Metasploit • added 2014/09/08 3:4 p.m. • 50 views

Arris DG950A Cable Modem Wifi Enumeration

This module will extract WEP keys and WPA preshared keys from Arris DG950A cable modems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Arris DG950A Cable Modem Wifi Enumeration', 'Description...

CVSS 5 | AI score 9.5 | EPSS 0.17133
Exploits: 3

Metasploit • added 2014/09/08 4:25 a.m. • 47 views

Android Open Source Platform (AOSP) Browser UXSS

This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on 'Android Open Source Platform AOSP Browser UXSS', 'Description' = %q This module exploits a Universal Cross-Site Scriptin...

CVSS 5.8 | AI score 6.3 | EPSS 0.19862
Exploits: 7

Metasploit • added 2014/09/05 3:38 p.m. • 18 views

EMC AlphaStor Device Manager Opcode 0x75 Command Injection

This module exploits a flaw within the Device Manager rrobtd.exe. When parsing the 0x75 command, the process does not properly filter user supplied input allowing for arbitrary command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116 with Windows 2003 SP2 and...

CVSS 9.3 | AI score 0.5 | EPSS 0.34468
Exploits: 10

Metasploit • added 2014/09/04 8:39 p.m. • 36 views

ManageEngine Desktop Central StatusUpdate Arbitrary File Upload

This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral v7 to v9 build 90054 including the MSP versions. A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution as SYSTEM. Some early builds of version ...

CVSS 7.5 | AI score 7.9 | EPSS 0.77848
Exploits: 12

Metasploit • added 2014/09/04 5:32 p.m. • 64 views

PostgreSQL Login Utility

This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. Note that passwords may be either plaintext or MD5 formatted hashes. This module requires Metasploit:...

CVSS 7.5 | AI score 7.4 | EPSS 0.51933
Exploits: 41

Metasploit • added 2014/09/03 9:23 p.m. • 10 views

HP System Management Homepage Login Utility

This module attempts to login to HP System Management Homepage using host operating system authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/loginscanner/smh' require...

AI score 7.3
Exploits: 0

Metasploit • added 2014/09/01 6:56 a.m. • 30 views

ManageEngine Eventlog Analyzer Arbitrary File Upload

This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer. The vulnerability exists in the agentUpload servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. By combining both weaknesses a remote attacker can achieve remote co...

CVSS 7.5 | AI score 0.5 | EPSS 0.84182
Exploits: 9

Metasploit • added 2014/09/01 3:57 a.m. • 46 views

ARRIS / Motorola SBG6580 Cable Modem SNMP Enumeration Module

This module allows SNMP enumeration of the ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway. It supports the username and password for the device user interface as well as wireless network keys and information. The default community used is "public". This module requires...

AI score 7.5
Exploits: 0

Metasploit • added 2014/08/31 6:11 a.m. • 15 views

SolarWinds Storage Manager Authentication Bypass

This module exploits an authentication bypass vulnerability in SolarWinds Storage Manager. The vulnerability exists in the AuthenticationFilter, which allows authentication to be bypassed with specially crafted URLs. After bypassing authentication, it is possible to use a file upload function to achieve...

CVSS 10 | AI score 7.9 | EPSS 0.93162
Exploits: 1

Metasploit • added 2014/08/29 5:42 p.m. • 38 views

Wing FTP Server Authenticated Command Execution

This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above. When supplying a specially crafted HTTP POST request an attacker can use os.execute to execute arbitrary system commands on the target with SYSTEM privileges. This module requires Metasploit...

AI score 7.7
Exploits: 0

Metasploit • added 2014/08/29 8:8 a.m. • 38 views

Linux Gather NetworkManager 802-11-Wireless-Security Credentials

This module collects 802-11-Wireless-Security credentials such as Access-Point name and Pre-Shared-Key from Linux NetworkManager connection configuration files. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

AI score 7.1
Exploits: 0

Metasploit • added 2014/08/28 1:42 p.m. • 34 views

Railo Remote File Include

This module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable line in thumbnail.cfm allows an attacker to download an arbitrary PNG file. By appending a .cfm, and taking advantage of a directory traversal, an attacker can append...

CVSS 8.8 | AI score 7.2 | EPSS 0.52563
Exploits: 6

Metasploit • added 2014/08/27 9:33 p.m. • 25 views

Desktop Linux Password Stealer and Privilege Escalation

This module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness...

AI score 7.1
Exploits: 0

Metasploit • added 2014/08/27 4:5 a.m. • 52 views

Firefox WebIDL Privileged Javascript Injection

This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require...

CVSS 9.8 | AI score 8.3 | EPSS 0.83633
Exploits: 6

Metasploit • added 2014/08/26 5:53 a.m. • 100 views

SSDP ssdp:all M-SEARCH Amplification Scanner

Discover SSDP amplification possibilities. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SSDP ssdp:all M-SEARCH Amplification Scanner', 'Description' = 'Discover SSDP amplification...

CVSS 5 | AI score 7.1 | EPSS 0.97549
Exploits: 23

Metasploit • added 2014/08/25 8:24 p.m. • 74 views

Apple TV Image Remote Control

This module will show an image on an AppleTV device for a period of time. Some AppleTV devices are actually password-protected; in that case please set the PASSWORD datastore option. For password brute forcing, please see the module auxiliary/scanner/http/appletv_login. This module requires...

AI score 7.5
Exploits: 0

Metasploit • added 2014/08/25 8:24 p.m. • 33 views

AppleTV AirPlay Login Utility

This module attempts to authenticate to an AppleTV service with the username, 'AirPlay'. The device has two different access control modes: OnScreen and Password. The difference between the two is the password in OnScreen mode is numeric-only and four digits long, which means when this option is...

AI score 7.4
Exploits: 0

Metasploit • added 2014/08/25 8:24 p.m. • 21 views

Apple TV Video Remote Control

This module plays a video on an AppleTV device. Note that AppleTV can be somewhat picky about the server that hosts the video. Tested servers include default IIS, default Apache, and Ruby's WEBrick. For WEBrick, the default MIME list may need to be updated, depending on what media file is to be...

AI score 7.3
Exploits: 0

Metasploit • added 2014/08/24 6:10 a.m. • 40 views

GDB Server Remote Payload Execution

This module attempts to execute an arbitrary payload on a loose gdbserver service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'GDB Server Remote Payload Execution', 'Description' = %q This...

AI score 0.6
Exploits: 0

Metasploit • added 2014/08/22 4:44 p.m. • 52 views

ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection

This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet, which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and Password Manager Pro v6 build 6500 to v7 build 7002 including the MSP versions. The SQL injection can be used to achieve remot...

CVSS 7.5 | AI score 8.8 | EPSS 0.35547
Exploits: 12

Metasploit • added 2014/08/21 1:18 a.m. • 13 views

IP Board Login Auxiliary Module

This module attempts to validate user provided credentials against an IP Board web application. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'metasploit/framework/loginscanner/ipboard' require...

AI score 7.3
Exploits: 0

Metasploit • added 2014/08/19 12:3 a.m. • 93 views

GlassFish Brute Force Utility

This module attempts to login to GlassFish instance using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. It will also try to do an authentication bypass against older versions of GlassFish. Note: by default, GlassFish 4.0 requires HTTPS, which...

CVSS 10 | AI score 7.6 | EPSS 0.60878
Exploits: 6

Metasploit • added 2014/08/16 11:31 p.m. • 26 views

HybridAuth install.php PHP Code Execution

This module exploits a PHP code execution vulnerability in HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php' is not removed after installation allowing unauthenticated users to write PHP code to the application configuration file 'config.php'. Note: This exploit will overwrite th...

AI score 0.6
Exploits: 0

Metasploit • added 2014/08/15 8:17 p.m. • 60 views

Firefox toString console.time Privileged Javascript Injection

This exploit gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 10 | AI score 8.9 | EPSS 0.40381
Exploits: 13

Metasploit • added 2014/08/12 10:17 p.m. • 55 views

VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation

A vulnerability within the VBoxGuest driver allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile on Windows XP SP3 system...

CVSS 3.6 | AI score 7.8 | EPSS 0.07139
Exploits: 7

Metasploit • added 2014/08/11 2:57 p.m. • 50 views

VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution

VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated OS Command injection in the web interface. Use reverse payloads for the most reliable results. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic...

CVSS 7.5 | AI score 7.7 | EPSS 0.7345
Exploits: 6

Metasploit • added 2014/08/09 6:30 p.m. • 19 views

Yokogawa BKBCopyD.exe Client

This module allows an unauthenticated user to interact with the Yokogawa CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR operations. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

CVSS 7.5 | AI score 7.2 | EPSS 0.2312
Exploits: 3

Metasploit • added 2014/08/09 6:56 a.m. • 34 views

VirtualBox 3D Acceleration Virtual Machine Escape

This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a sequence of specially crafted rendering messages, a virtual machine can exploit an out of bounds array access to corrupt...

CVSS 6.9 | AI score 6.9 | EPSS 0.08129
Exploits: 11

Metasploit • added 2014/08/09 4:0 a.m. • 87 views

NTP Mode 6 REQ_NONCE DRDoS Scanner

This module identifies NTP servers which permit mode 6 REQ_NONCE requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to REQ_NONCE requests with a response larger than the request, allowing remote attackers to cause a distributed, reflected denial of...

CVSS 5 | AI score 0.7 | EPSS 0.97549
Exploits: 23

Metasploit • added 2014/08/09 4:0 a.m. • 50 views

NTP Mode 7 PEER_LIST_SUM DoS Scanner

This module identifies NTP servers which permit "PEER_LIST_SUM" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests. Thi...

CVSS 5 | AI score 0.1 | EPSS 0.97549
Exploits: 23

Metasploit • added 2014/08/09 4:0 a.m. • 60 views

NTP Mode 7 GET_RESTRICT DRDoS Scanner

This module identifies NTP servers which permit "reslist" queries and obtains the list of restrictions placed on various network interfaces, networks or hosts. The reslist feature allows remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via...

CVSS 5 | AI score 6.9 | EPSS 0.97549
Exploits: 23

Metasploit • added 2014/08/09 4:0 a.m. • 68 views

NTP Mode 7 PEER_LIST DoS Scanner

This module identifies NTP servers which permit "PEER_LIST" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests. This...

CVSS 5 | AI score 6.8 | EPSS 0.97549
Exploits: 23

Metasploit • added 2014/08/09 4:0 a.m. • 125 views

NTP Mode 6 UNSETTRAP DRDoS Scanner

This module identifies NTP servers which permit mode 6 UNSETTRAP requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to UNSETTRAP requests with multiple packets, allowing remote attackers to cause a distributed, reflected denial of service aka,...

CVSS 5 | AI score 7 | EPSS 0.97549
Exploits: 23

Metasploit • added 2014/08/07 9:38 a.m. • 138 views

Wordpress XMLRPC DoS

Wordpress XMLRPC parsing is vulnerable to an XML-based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched). This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

CVSS 5 | AI score 6.4 | EPSS 0.24385
Exploits: 3

Metasploit • added 2014/08/06 3:21 a.m. • 26 views

Gitlab-shell Code Execution

This module takes advantage of the addition of authorized ssh keys in the gitlab-shell functionality of Gitlab. Versions of gitlab-shell prior to 1.7.4 used the ssh key provided directly in a system call resulting in a command injection vulnerability. As this relies on adding an ssh key to an...

CVSS 6.5 | AI score 7.5 | EPSS 0.42139
Exploits: 5

Metasploit • added 2014/07/25 1:24 p.m. • 252 views

Wordpress XML-RPC Username/Password Login Scanner

This module attempts to authenticate against a Wordpress-site via XMLRPC using username and password combinations indicated by the USERFILE, PASSFILE, and USERPASSFILE options. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.5 | AI score 7.4 | EPSS 0.51933
Exploits: 41

Metasploit • added 2014/07/23 6:20 p.m. • 26 views

Linux Gather Gnome-Commander Creds

This module collects the clear text passwords stored by Gnome-commander, a GUI file explorer for GNOME. Typically, these passwords are stored in the user's home directory, at ~/.gnome-commander/connections. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 6.9
Exploits: 0

Metasploit • added 2014/07/22 10:17 p.m. • 53 views

MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation

A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently callin...

CVSS 7.2 | AI score 7.7 | EPSS 0.23046
Exploits: 21

Metasploit • added 2014/07/22 3:27 p.m. • 19 views

Perl Command Encoder

This encoder uses perl to avoid commonly restricted characters. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Perl Command Encoder', 'Description' = %q This encoder uses perl to avoid commonl...

AI score 7.3
Exploits: 0

Metasploit • added 2014/07/22 3:27 p.m. • 16 views

Echo Command Encoder

This encoder uses echo and backslash escapes to avoid commonly restricted characters. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Echo Command Encoder', 'Description' = %q This encoder uses...

AI score 7.3
Exploits: 0

Metasploit • added 2014/07/22 2:4 p.m. • 53 views

MQAC.sys Arbitrary Write Privilege Escalation

A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 7.2 | AI score 6.9 | EPSS 0.23046
Exploits: 21

Metasploit • added 2014/07/18 9:51 a.m. • 66 views

JBoss JMX Console Beanshell Deployer WAR Upload and Deployment

This module can be used to install a WAR file payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:BSHDeployer's createScriptDeployment method. This module requires Metasploit: https://metasploit.com/download Current...

CVSS 5.3 | AI score 5.6 | EPSS 0.79415
Exploits: 28

Total number of security vulnerabilities: 6845