
6845 matches found

Metasploit • added 2014/07/18 4:49 a.m. • 45 views

Joomla Bruteforce Login Utility

This module attempts to authenticate to Joomla 2.5 or 3.0 through brute-force attacks. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

CVSS: 7.5 • AI score: 7 • EPSS: 0.51933 • Exploits: 41

Metasploit • added 2014/07/17 5:48 a.m. • 47 views

Multi Manage DbVisualizer Query

DbVisualizer offers command-line functionality to execute SQL on databases pre-configured with the GUI. The remote database can be accessed from the command line without the need to authenticate, and this module abuses this functionality to run queries and store the results. Please note: backslash quot...

AI score: 0.6 • Exploits: 0

Metasploit • added 2014/07/15 7:43 p.m. • 41 views

Multi Manage DbVisualizer Add Db Admin

DbVisualizer offers command-line functionality to execute SQL on databases pre-configured with the GUI. The remote database can be accessed from the command line without the need to authenticate, which can be abused to create an administrator in the database with the proper database permissions. Note:...

AI score: 0.2 • Exploits: 0

Metasploit • added 2014/07/14 8:27 p.m. • 44 views

Multi Gather DbVisualizer Connections Settings

DbVisualizer stores the user database configuration in dbvis.xml. This module retrieves the connection settings from this file and decrypts the encrypted passwords...

AI score: 0.2 • Exploits: 0

Metasploit • added 2014/07/14 7:35 p.m. • 16 views

WordPress WPTouch Authenticated File Upload

The WordPress WPTouch plugin contains an authenticated file upload vulnerability. A wp-nonce CSRF token is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to...

AI score: 7.3 • Exploits: 0

Metasploit • added 2014/07/11 4:39 p.m. • 18 views

D-Link info.cgi POST Request Buffer Overflow

This module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is a stack-based buffer overflow in the mycgi.cgi component, when handling specially crafted HTTP POST requests addressed to the /common/info.cgi handler. This module has been...

AI score: 0.7 • Exploits: 0

Metasploit • added 2014/07/11 3:30 p.m. • 38 views

D-Link HNAP Request Remote Buffer Overflow

This module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is due to a stack-based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This module has been successfully tested on D-Link DIR-505 in an...

CVSS: 10 • AI score: 0.4 • EPSS: 0.76555 • Exploits: 6

Metasploit • added 2014/07/11 2:17 p.m. • 41 views

D-Link Unauthenticated Remote Command Execution using UPnP via a special crafted M-SEARCH packet.

A command injection vulnerability exists in multiple D-Link network products, allowing an attacker to inject arbitrary commands into UPnP via a crafted M-SEARCH packet. Universal Plug and Play (UPnP) is enabled by default in most D-Link devices, on port 1900. An attacker can perform a remote...

CVSS: 9.8 • AI score: 7.9 • EPSS: 0.75105 • Exploits: 8

Metasploit • added 2014/07/10 2:09 p.m. • 55 views

Flash "Rosetta" JSONP GET/POST Response Disclosure

A website that serves a JSONP endpoint that accepts a custom alphanumeric callback of 1200 chars can be abused to serve an encoded SWF payload that steals the contents of a same-domain URL...

CVSS: 4.3 • AI score: 6.8 • EPSS: 0.23024 • Exploits: 4

Metasploit • added 2014/07/08 1:00 a.m. • 118 views

Cisco ASA SSL VPN Privilege Escalation Vulnerability

This module exploits a privilege escalation vulnerability in Cisco ASA SSL VPN (aka WebVPN). It allows level 0 users to escalate to level 15...

CVSS: 8.5 • AI score: 7.7 • EPSS: 0.11456 • Exploits: 3

Metasploit • added 2014/07/07 4:20 p.m. • 37 views

Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow

This module exploits a stack-based buffer overflow on Yokogawa CS3000. The vulnerability exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create logs using functions like vsprintf and memcpy in an insecure way. This module has been tested successfully on Yokogawa...

CVSS: 8.3 • AI score: 0.7 • EPSS: 0.62312 • Exploits: 6

Metasploit • added 2014/07/02 8:24 a.m. • 18 views

Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload

The WordPress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin uses the admin_init hook, which is also executed for unauthenticated...

AI score: 7.1 • Exploits: 0

Metasploit • added 2014/07/01 1:10 a.m. • 18 views

Gitlist Unauthenticated Remote Command Execution

This module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of a specially crafted file name when trying to blame it...

CVSS: 7.5 • AI score: 0.8 • EPSS: 0.8273 • Exploits: 16

Metasploit • added 2014/06/30 4:53 p.m. • 66 views

Cerberus FTP Server SFTP Username Enumeration

This module uses a dictionary to brute force valid usernames from Cerberus FTP server via SFTP. This issue affects all versions of the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy in the way the SSH service handles failed logins for valid and invalid users. This issue was...

AI score: 6.9 • Exploits: 0

Metasploit • added 2014/06/29 8:44 p.m. • 36 views

Oracle Event Processing FileUploadServlet Arbitrary File Upload

This module exploits an arbitrary file upload vulnerability in Oracle Event Processing 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be abused to upload a malicious file onto an arbitrary location due to a directory traversal flaw, and compromise the server. B...

CVSS: 4 • AI score: 7.1 • EPSS: 0.48075 • Exploits: 5

Metasploit • added 2014/06/28 9:06 p.m. • 121 views

OpenSSL Heartbeat (Heartbleed) Information Leak

This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable. The module supports several actions, allowing for scanning,...

CVSS: 7.5 • AI score: 7.3 • EPSS: 0.99999 • Exploits: 87

Metasploit • added 2014/06/23 7:16 p.m. • 70 views

Windows Gather Skype Saved Password Hash Extraction

This module finds saved login credentials for the Windows Skype client. The hash is in MD5 format that uses the username, a static string "\nskyper\n" and the password. The resulting MD5 is stored in the Config.xml file for the user after being XOR'd against a key generated by applying 2 SHA1...

AI score: 10 • Exploits: 0

Metasploit • added 2014/06/23 5:02 p.m. • 24 views

John the Ripper Postgres SQL Password Cracker

This module uses John the Ripper to attempt to crack Postgres password hashes gathered by the postgres_hashdump module. It is slower than some of the other JtR modules because it has to do some wordlist manipulation to properly handle Postgres' format...

AI score: 7.2 • Exploits: 0

Metasploit • added 2014/06/23 2:19 p.m. • 22 views

HP AutoPass License Server File Upload

This module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to get its objective. First, the AutoPass application doesn't enforce authentication in the CommunicationServlet component. Second, it's possible to abuse a directory traversal when uploadi...

CVSS: 10 • AI score: 7.9 • EPSS: 0.77935 • Exploits: 4

Metasploit • added 2014/06/20 4:27 p.m. • 26 views

D-Link authentication.cgi Buffer Overflow

This module exploits a remote buffer overflow vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to authentication.cgi with long password values. The vulnerability can be exploited without authentication. This module has been tested successfull...

AI score: 8.1 • Exploits: 0

Metasploit • added 2014/06/19 8:56 p.m. • 17 views

D-Link hedwig.cgi Buffer Overflow in Cookie Header

This module exploits an anonymous remote code execution vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with long value cookies. This module has been tested successfully on D-Link DIR300v2.14, DIR600 and the DIR645A1FW103B11...

AI score: 8.2 • Exploits: 0

Metasploit • added 2014/06/18 3:04 p.m. • 13 views

Chromecast Factory Reset DoS

This module performs a factory reset on a Chromecast, causing a denial of service (DoS). No user authentication is required...

AI score: 0.6 • Exploits: 0

Metasploit • added 2014/06/17 7:21 p.m. • 46 views

Ericom AccessNow Server Buffer Overflow

This module exploits a stack-based buffer overflow in Ericom AccessNow Server. The vulnerability is due to an insecure usage of vsprintf with user-controlled data, which can be triggered with a malformed HTTP request. This module has been tested successfully with Ericom AccessNow Server 2.4.0.2 o...

CVSS: 10 • AI score: 7.4 • EPSS: 0.6086 • Exploits: 5

Metasploit • added 2014/06/16 5:10 p.m. • 19 views

AlienVault OSSIM av-centerd Command Injection

This module exploits a code execution flaw in AlienVault 4.6.1 and prior. The vulnerability exists in the av-centerd SOAP web service, where the update_system_info_debian_package method uses Perl backticks in an insecure way, allowing command injection. This module has been tested successfully on...

CVSS: 10 • AI score: 0.3 • EPSS: 0.73001 • Exploits: 9

Metasploit • added 2014/06/12 4:23 p.m. • 36 views

Supermicro Onboard IPMI Port 49152 Sensitive File Exposure

This module abuses a file exposure vulnerability accessible through the web interface on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker to obtain detailed device information and download data files containing the clear-text usernames and passwords for the...

AI score: 6.7 • Exploits: 0

Metasploit • added 2014/06/11 8:46 p.m. • 50 views

NTP Protocol Fuzzer

A simplistic fuzzer for the Network Time Protocol that sends the following probes to understand NTP and look for anomalous NTP behavior: all possible combinations of NTP versions and modes, even if not allowed or specified in the RFCs; short versions of the above; short, invalid datagrams; full-size...

AI score: 7.2 • Exploits: 0

Metasploit • added 2014/06/11 8:10 p.m. • 51 views

Firefox Webcam Chat on Privileged Javascript Shell

This module allows streaming a webcam from a privileged Firefox Javascript shell...

AI score: 6.9 • Exploits: 0

Metasploit • added 2014/06/11 5:08 a.m. • 15 views

Chromecast YouTube Remote Control

This module acts as a simple remote control for Chromecast YouTube. Only the deprecated DIAL protocol is supported by this module. Casting via the newer CASTV2 protocol is unsupported at this time...

Exploits: 0

Metasploit • added 2014/06/09 10:38 p.m. • 122 views

OpenSSL Server-Side ChangeCipherSpec Injection Scanner

This module checks for the OpenSSL ChangeCipherSpec (CCS) Injection vulnerability. The problem exists in the handling of early CCS messages during session negotiation. Vulnerable installations of OpenSSL accept them, while later implementations do not. If successful, an attacker can leverage this...

CVSS: 7.4 • AI score: 8.1 • EPSS: 0.95326 • Exploits: 9

Metasploit • added 2014/06/08 4:07 p.m. • 30 views

Rocket Servergraph Admin Center fileRequestor Remote Code Execution

This module abuses several directory traversal flaws in Rocket Servergraph Admin Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet, allowing a remote attacker to write arbitrary files and execute commands with administrative privileges. This module has been tested...

CVSS: 10 • AI score: 0.2 • EPSS: 0.72606 • Exploits: 5

Metasploit • added 2014/06/08 11:21 a.m. • 31 views

Easy File Management Web Server Stack Buffer Overflow

Easy File Management Web Server v4.0 and v5.3 contain a stack buffer overflow condition that is triggered as user-supplied input is not properly validated when handling the UserID cookie. This may allow a remote attacker to execute arbitrary code...

AI score: 8 • Exploits: 0

Metasploit • added 2014/06/07 7:56 p.m. • 32 views

OpenSSL DTLS Fragment Buffer Overflow DoS

This module performs a Denial of Service Attack against Datagram TLS in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. This occurs when a DTLS ClientHello message has multiple fragments and the fragment lengths of later fragments are larger than that of the first, a buffer...

CVSS: 6.8 • AI score: 7.8 • EPSS: 0.99977 • Exploits: 4

Metasploit • added 2014/06/07 4:20 p.m. • 48 views

MongoDB NoSQL Collection Enumeration Via Injection

This module can exploit NoSQL injections on MongoDB versions less than 2.4 and enumerate the collections available in the data via boolean injections...

AI score: 0.1 • Exploits: 0

Metasploit • added 2014/06/04 6:24 p.m. • 54 views

Java Debug Wire Protocol Remote Code Execution

This module abuses exposed Java Debug Wire Protocol services in order to execute arbitrary Java code remotely. It just abuses the protocol features, since no authentication is required if the service is enabled...

AI score: 7.9 • Exploits: 0

Metasploit • added 2014/06/04 3:29 p.m. • 29 views

Cogent DataHub Command Injection

This module exploits an injection vulnerability in Cogent DataHub prior to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which makes insecure use of the datahub_command function with user-controlled data, allowing execution of arbitrary datahub commands and scripts. This module h...

CVSS: 7.5 • AI score: 7.8 • EPSS: 0.64191 • Exploits: 4

Metasploit • added 2014/06/04 1:27 a.m. • 55 views

Command Shell, Reverse TCP (via python)

Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+...

AI score: 7.1 • Exploits: 0

Metasploit • added 2014/06/03 3:25 a.m. • 138 views

Adobe Reader for Android addJavascriptInterface Exploit

Adobe Reader versions less than 11.2.0 expose insecure native interfaces to untrusted JavaScript in a PDF. This module embeds the browser exploit from android/webview_addjavascriptinterface into a PDF to get a command shell on vulnerable versions of Reader...

CVSS: 9.3 • AI score: 7 • EPSS: 0.71996 • Exploits: 6

Metasploit • added 2014/05/30 4:31 p.m. • 14 views

EtherPAD Duo Login Bruteforce Utility

This module scans for the EtherPAD Duo login portal and performs a login brute-force attack to identify valid credentials...

AI score: 7 • Exploits: 0

Metasploit • added 2014/05/29 10:38 p.m. • 62 views

ElasticSearch Indices Enumeration Utility

This module enumerates ElasticSearch Indices. It uses the REST API in order to make it...

AI score: 7 • Exploits: 0

Metasploit • added 2014/05/29 4:45 p.m. • 61 views

MS14-009 .NET Deployment Service IE Sandbox Escape

This module abuses a process creation policy in Internet Explorer's sandbox, specifically in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the Enhanced Protected Mode and execute code with Medium Integrity...

CVSS: 9.3 • AI score: 7.7 • EPSS: 0.69801 • Exploits: 6

Metasploit • added 2014/05/29 4:42 p.m. • 44 views

MS13-097 Registry Symlink IE Sandbox Escape

This module exploits a vulnerability in the Internet Explorer sandbox which allows escaping the Enhanced Protected Mode and executing code with Medium Integrity. The vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll component, which can be abused to force medium...

CVSS: 6.2 • AI score: 6.7 • EPSS: 0.17385 • Exploits: 6

Metasploit • added 2014/05/28 7:31 p.m. • 74 views

Apache Axis2 Brute Force Utility

This module attempts to log in to an Apache Axis2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It has been verified to work on at least versions 1.4.1 and 1.6.2...

CVSS: 10 • AI score: 7.5 • EPSS: 0.89871 • Exploits: 17

Metasploit • added 2014/05/27 11:01 p.m. • 67 views

ElasticSearch Dynamic Script Arbitrary Java Execution

This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the REST API, which does not require authentication, where the search function allows dynamic script execution. It can be used for remot...

CVSS: 8.1 • AI score: 7.9 • EPSS: 0.88559 • Exploits: 17

Metasploit • added 2014/05/27 3:15 p.m. • 26 views

MyBB Database Fingerprint

This module checks if MyBB is running behind a URL. It also uses a malformed query to force an error and fingerprint the backend database used by MyBB on version 1.6.12 and prior...

AI score: 0.3 • Exploits: 0

Metasploit • added 2014/05/25 3:37 a.m. • 50 views

Windows Gather Applied Patches

This module enumerates patches applied to a Windows system using the WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering...

AI score: 0.3 • Exploits: 0

Metasploit • added 2014/05/24 5:53 p.m. • 32 views

Wireshark CAPWAP Dissector DoS

This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a packet correctly when an incorrect length is given...

CVSS: 5 • AI score: 6.4 • EPSS: 0.60643 • Exploits: 7

Metasploit • added 2014/05/16 1:32 p.m. • 25 views

Brocade Password Hash Enumeration

This module extracts password hashes from certain Brocade load balancer devices...

AI score: 7.5 • Exploits: 0

Metasploit • added 2014/05/16 1:32 p.m. • 35 views

Netopia 3347 Cable Modem Wifi Enumeration

This module extracts WEP keys and WPA preshared keys from certain Netopia cable modems...

AI score: 7.3 • Exploits: 0

Metasploit • added 2014/05/16 1:32 p.m. • 39 views

Ubee DDW3611b Cable Modem Wifi Enumeration

This module will extract WEP keys and WPA preshared keys from certain Ubee cable modems...

AI score: 7.3 • Exploits: 0

Metasploit • added 2014/05/15 6:41 p.m. • 28 views

Symantec Workspace Streaming ManagementAgentServer.putFile XMLRPC Request Arbitrary File Upload

This module exploits a code execution flaw in Symantec Workspace Streaming. The vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the asagent.exe service, which allows for uploading arbitrary files under the server root. This module abuses the auto deploy feature in...

CVSS: 7.9 • AI score: 8.1 • EPSS: 0.42312 • Exploits: 4

Total number of security vulnerabilities: 6845