6843 matches found
Yokogawa CS3000 BKESimmgr.exe Buffer Overflow
This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability exists in the BKESimmgr.exe service when handling specially crafted packets, due to an insecure usage of memcpy, using attacker controlled data as the size count. This module has been tested successfully in...
F5 BIG-IP Backend Cookie Disclosure
This module identifies F5 BIG-IP load balancers and leaks backend information pool name, routed domain, and backend servers' IP addresses and ports through cookies inserted by the BIG-IP systems. This module requires Metasploit: https://metasploit.com/download Current source:...
Adobe Flash Player Integer Underflow Remote Code Execution
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an integer underflow in several avm2 instructions, which can be turned into remote code execution under the context of th...
Apache Struts ClassLoader Manipulation Remote Code Execution
This module exploits a remote command execution vulnerability in Apache Struts versions 1.x 'Apache Struts ClassLoader Manipulation Remote Code Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions 1.x = 1.3.10 and 2.x 2.3.16.2. In...
AlienVault OSSIM SQL Injection and Remote Code Execution
This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an active admin session ID. If an administrator level user is identified, remote code execution can be gained by...
Adobe Flash Player Type Confusion Remote Code Execution
This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Window...
Wireshark wiretap/mpeg.c Stack Buffer Overflow
This module triggers a stack buffer overflow in Wireshark 'Wireshark wiretap/mpeg.c Stack Buffer Overflow', 'Description' = %q This module triggers a stack buffer overflow in Wireshark MSFLICENSE, 'Author' = 'Wesley Neelen', Discovery vulnerability 'j0sm1', Exploit and msf module , 'References' =...
Mac OS X NFS Mount Privilege Escalation Exploit
This exploit leverages a stack buffer overflow vulnerability to escalate privileges. The vulnerable function nfsconvertoldnfsargs does not verify the size of a user-provided argument before copying it to the stack. As a result, by passing a large size as an argument, a local user can overwrite th...
Multiplatform WLAN Enumeration and Geolocation
Enumerate wireless networks visible to the target device. Optionally geolocate the target by gathering local wireless networks and performing a lookup against Google APIs. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framewo...
Cisco SSL VPN Bruteforce Login Utility
This module scans for Cisco SSL VPN web login portals and performs login brute force to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco SSL VPN Bruteforce Logi...
MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
This module exploits an use after free condition on Internet Explorer as used in the wild as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and DEP. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Manage Change Password
This module will attempt to change the password of the targeted account. The typical usage is to change a newly created account's password on a remote host to avoid the error, 'System error 1907 has occurred,' which is caused when the account policy enforces a password change before the next logi...
Firefox Gather History from Privileged Javascript Shell
This module allows collection of the entire browser history from a Firefox Privileged Javascript Shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'json' class MetasploitModule 'Firefox Gather History fro...
Firefox Gather Passwords from Privileged Javascript Shell
This module allows collection of passwords from a Firefox Privileged Javascript Shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'json' class MetasploitModule 'Firefox Gather Passwords from Privileged...
eScan Web Management Console Command Injection
This module exploits a command injection vulnerability found in the eScan Web Management Console. The vulnerability exists while processing CheckPass login requests. An attacker with a valid username can use a malformed password to execute arbitrary commands. With mwconf privileges, the runasroot...
OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is hardcoded for using the AES-128-CBC-SHA1 cipher. This module requires Metasploit: https://metasploit.com/download Current source:...
Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution
This module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the...
MS14-017 Microsoft Word RTF Object Confusion
This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in...
Oracle Demantra Database Credentials Leak
This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in combination with an authentication bypass. This way an unauthenticated user can retrieve the database name, username and password on any vulnerable machine. This module requires Metasploit:...
WinRAR Filename Spoofing
This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the Local File Header. This...
Fritz!Box Webcm Unauthenticated Command Injection
Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection. This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270, 7170 Annex A A/CH, 7170 Annex B English, 7170...
Vtiger Install Unauthenticated Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the Vtiger install script. This module is set to ManualRanking due to this module overwriting the target database configuration, which may result in a broken web app, and you may not be able to get a session again. This module...
AlienVault Authenticated SQL Injection Arbitrary File Read
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This module exploits this to read an arbitrary file from the file system. Any authenticated user is able to exploit it, as administrator privileges aren't required. This module requires...
EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
HTTP Header Detection
This module shows HTTP Headers returned by the scanned systems. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTTP Header Detection', 'Description' = %q This module shows HTTP Headers returne...
JIRA Issues Collector Directory Traversal
This module exploits a directory traversal flaw in JIRA 6.0.3. The vulnerability exists in the issues collector code, while handling attachments provided by the user. It can be exploited in Windows environments to get remote code execution. This module has been tested successfully on JIRA 6.0.3...
HP LaserJet Printer SNMP Enumeration
This module allows enumeration of files previously printed. It provides details as filename, client, timestamp and username information. The default community used is "public". This module requires Metasploit: https://metasploit.com/download Current source:...
JBoss Status Servlet Information Gathering
This module queries the JBoss status servlet to collect sensitive information, including URL paths, GET parameters and client IP addresses. This module has been tested against JBoss 4.0, 4.2.2 and 4.2.3. This module requires Metasploit: https://metasploit.com/download Current source:...
The EICAR Encoder
This encoder merely replaces the given payload with the EICAR test string. Note, this is sure to ruin your payload. Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus standards should alert and do what it would normally do when malware is transmitted across the wire. This modu...
Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
This module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file a vulnerable machine. This modul...
Firefox Gather Cookies from Privileged Javascript Shell
This module allows collection of cookies from a Firefox Privileged Javascript Shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'json' class MetasploitModule 'Firefox Gather Cookies from Privileged...
Linux Execute Command
A very small shellcode for executing commands. This module is sometimes helpful for testing purposes. -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 52 includ...
Linux Execute Command
A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space. -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source:...
Katello (Red Hat Satellite) users/update_roles Missing Authorization
This module exploits a missing authorization vulnerability in the "updateroles" action of "users" controller of Katello and Red Hat Satellite Katello 1.5.0-14 and earlier by changing the specified account to an administrator account. This module requires Metasploit: https://metasploit.com/downloa...
LifeSize UVC Authenticated RCE via Ping
When authenticated as an administrator on LifeSize UVC 1.2.6, an attacker can abuse the ping diagnostic functionality to achieve remote command execution as the www-data user or equivalent. This module requires Metasploit: https://metasploit.com/download Current source:...
FreePBX config.php Remote Code Execution
This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11. It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php" parameters "function" and "args". This module requires Metasploit: https://metasploit.com/download Current source:...
Linux Reboot
A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures. This module requires Metasploit: https://metasploit.com/download Current source:...
SePortal SQLi Remote Code Execution
This module exploits a vulnerability found in SePortal version 2.5. When logging in as any non-admin user, it's possible to retrieve the admin session from the database through SQL injection. The SQL injection vulnerability exists in the "staticpages.php" page. This hash can be used to take over...
MS14-012 Microsoft Internet Explorer TextRange Use-After-Free
This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw was most likely introduced in 2013, therefore only certain builds of MSHTML are affected. In our testing with IE9, these vulnerable builds appear to be between 9.0.8112.16496 and 9.0.8112.16533, which implies...
Horde Framework Unserialize PHP Code Execution
This module exploits a php unserialize vulnerability in Horde 'Horde Framework Unserialize PHP Code Execution', 'Description' = %q This module exploits a php unserialize vulnerability in Horde 'EgiX', Exploitation technique and Vulnerability discovery originally reported by the vendor 'juan...
Loadbalancer.org Enterprise VA SSH Private Key Exposure
Loadbalancer.org ships a public/private key pair on Enterprise virtual appliances version 7.5.2 that allows passwordless authentication to any other LB Enterprise box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. This module requires...
Quantum vmPRO Backdoor Command
This module abuses a backdoor command in Quantum vmPRO. Any user, even one without admin privileges, can get access to the restricted SSH shell. By using the hidden backdoor "shell-escape" command it's possible to drop to a real root bash shell. This module has been tested successfully on Quantum...
Quantum DXi V1000 SSH Private Key Exposure
Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that allows passwordless authentication to any other DXi box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. This module requires Metasploit:...
Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution
This module exploits a default hardcoded private SSH key or default hardcoded login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made by Array Networks. After logged in as the unprivileged user, it's possible to modify the world-writable file /ca/bin/monitor.sh with...
Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read
Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection which allows an attacker to access the database or read arbitrary files as the 'mysql' user. This module will only work if the mysql user Joomla is using to access the database has the LOADFILE permission. This...
Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL for the winlogon.exe process a SYSTEM process. This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. This exploit wa...
Command Shell, Android Reverse HTTPS Stager
Spawn a piped command shell sh. Tunnel communication over HTTPS This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Android...
Android Meterpreter, Android Reverse HTTP Stager
Run a meterpreter server in Android. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include...
Command Shell, Android Reverse HTTP Stager
Spawn a piped command shell sh. Tunnel communication over HTTP This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Android...
Android Meterpreter, Android Reverse HTTPS Stager
Run a meterpreter server in Android. Tunnel communication over HTTPS This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include...