Drupal OpenID External Entity Injection

This module abuses an XML External Entity Injection vulnerability on the OpenID module from Drupal. The vulnerability exists in the parsing of a malformed XRDS file coming from a malicious OpenID endpoint. This module has been tested successfully on Drupal 7.15 and 7.2 with the OpenID module...

Windows Gather Active Directory Service Principal Names

This module will enumerate servicePrincipalName in the default AD directory where the user is a member of the Domain Admins group. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather...

Adobe Flash Player Regular Expression Heap Overflow

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.5.502.149. By supplying a specially crafted swf file with special regex value, it is possible to trigger a memory corruption, which results in remote code execution under the context of the user, a...

IBM Lotus Sametime WebPlayer DoS

This module exploits a known flaw in the IBM Lotus Sametime WebPlayer version 8.5.2.1392 and prior to cause a denial of service condition against specific users. For this module to function the target user must be actively logged into the IBM Lotus Sametime server and have the Sametime Audio Visu...

HP Data Protector Backup Client Service Directory Traversal

This module exploits a directory traversal vulnerability in the Hewlett-Packard Data Protector product. The vulnerability exists in the Backup Client Service OmniInet.exe and is triggered when parsing packets with opcode 42. This module has been tested successfully on HP Data Protector 6.20 on...

Printer Environment Variables Scanner

This module scans for printer environment variables using the Printer Job Language PJL protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class MetasploitModule "Printer Environment...

Linux Command Shell, Reverse TCP Stager

Spawn a command shell staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 272 include Msf::Payload::Stager def initializeinfo = supermergeinfoinfo,...

Linux Meterpreter, Reverse TCP Stager

Inject the mettle server payload staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 272 include Msf::Payload::Stager def initializeinfo =...

Linux Command Shell, Reverse TCP Stager

Spawn a command shell staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 272 include Msf::Payload::Stager def initializeinfo = supermergeinfoinfo,...

Linux Meterpreter, Reverse TCP Stager

Inject the mettle server payload staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 272 include Msf::Payload::Stager def initializeinfo =...

Windows Gather Enum User MUICache

This module gathers information about the files and file paths that logged on users have executed on the system. It also will check if the file still exists on the system. This information is gathered by using information stored under the MUICache registry key. If the user is logged in when the...

SerComm Network Device Backdoor Detection

This module can identify SerComm manufactured network devices which contain a backdoor, allowing command injection or account disclosure. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SerComm...

SerComm Device Configuration Dump

This module will dump the configuration of several SerComm devices. These devices typically include routers from NetGear and Linksys. This module was tested successfully against the NetGear DG834 series ADSL modem router. This module requires Metasploit: https://metasploit.com/download Current...

Printer Volume Listing Scanner

This module lists the volumes on a set of printers using the Printer Job Language PJL protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class MetasploitModule "Printer Volume Listing...

Printer Version Information Scanner

This module scans for printer version information using the Printer Job Language PJL protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class MetasploitModule "Printer Version Informatio...

Printer File Download Scanner

This module downloads a file from a set of printers using the Printer Job Language PJL protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class MetasploitModule "Printer File Download...

Printer Directory Listing Scanner

This module lists a directory on a set of printers using the Printer Job Language PJL protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class MetasploitModule "Printer Directory Listing...

Printer Ready Message Scanner

This module scans for and optionally changes the printer ready message on a set of printers using the Printer Job Language PJL protocol. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require "rex/proto/pjl" class...

SerComm Device Remote Code Execution

This module will cause remote code execution on several SerComm devices. These devices typically include routers from NetGear and Linksys. This module was tested successfully against several NetGear, Honeywell and Cisco devices. This module requires Metasploit: https://metasploit.com/download...

Multi Gather Malware Verifier

This module will check a file for malware on VirusTotal based on the checksum. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/http' require 'uri' class MetasploitModule 'Multi Gather Malware Verifier',...

Linux Command Shell, Bind TCP Inline

Listen for a connection and spawn a command shell This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 232 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...

Firefox XSS

This module runs the provided SCRIPT as javascript in the origin of the provided URL. It works by navigating to a hidden ChromeWindow to the URL, then injecting the SCRIPT with Function. The callback "sendresult" is used to send data back to the listener. This module requires Metasploit:...

Firefox XPCOM Execute Command

This module runs a shell command on the target OS without touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript "launcher" to disk that hides the prompt. This module requires Metasploit:...

vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload

vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on...

Command Shell, Reverse TCP (via Firefox XPCOM script)

Creates an interactive shell via Javascript with access to Firefox's XPCOM API This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include...

Command Shell, Bind TCP (via Firefox XPCOM script)

Creates an interactive shell via Javascript with access to Firefox's XPCOM API This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include...

IcoFX Stack Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in version 2.1 of IcoFX. The vulnerability exists while parsing .ICO files, where a specially crafted ICONDIR header providing an arbitrary long number of images in the file can be used to trigger the overflow when reading the...

IBM Forms Viewer Unicode Buffer Overflow

This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability is due to a dangerous usage of a strcpy-like function, and occurs while parsing malformed XFDL files containing a long fontname value. This module has been tested successfully on IBM Forms Viewer 4.0 on...

IBM Lotus Notes Sametime Room Name Bruteforce

This module bruteforces Sametime meeting room names via the IBM Lotus Notes Sametime web interface. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'enumerable' class MetasploitModule 'IBM Lotus Notes Sametime...

IBM Lotus Notes Sametime User Enumeration

This module extracts usernames using the IBM Lotus Notes Sametime web interface using either a dictionary attack which is preferred, or a bruteforce attack trying all usernames of MAXDEPTH length or less. This module requires Metasploit: https://metasploit.com/download Current source:...

IBM Lotus Sametime Version Enumeration

This module scans an IBM Lotus Sametime web interface to enumerate the application's version and configuration information. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'uri' class MetasploitModule Release...

RealNetworks RealPlayer Version Attribute Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by improper bounds checking of the version and encoding attributes inside the XML declaration. By persuading the victim to open a specially-crafted .RMP file, a...

Synology DiskStation Manager SLICEUPLOAD Remote Command Execution

This module exploits a vulnerability found in Synology DiskStation Manager DSM versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called...

HP SiteScope issueSiebelCmd Remote Code Execution

This module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the APISiteScopeImpl web service, specifically in the issueSiebelCmd method, which allows the user to execute arbitrary commands without authentication. This module has been tested successfully on HP SiteScope...

OpenSIS 'modname' PHP Code Execution

This module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval' with user controlled data from the 'modname' parameter. This module...

Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution

On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an exposedProps property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With...

OSX Gather Safari LastSession.plist

This module downloads the LastSession.plist file from the target machine. LastSession.plist is used by Safari to track active websites in the current session, and sometimes contains sensitive information such as usernames and passwords. This module will first download the original...

Zimbra Collaboration Server LFI

This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an...

Adobe Reader ToolButton Use After Free

This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use aft...

Adobe Reader ToolButton Use After Free

This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use...

Poison Ivy Command and Control Scanner

Enumerate Poison Ivy Command and Control C on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Poison Ivy Command and Control...

Windows Escalate Service Permissions Local Privilege Escalation

This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure configuration, file or registry permissions that may be hijacked. It will then attempt to restart th...

Nvidia (nvsvc) Display Driver Service Local Privilege Escalation

The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to interact with the service. It contains a stacked based buffer overflow as a result of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe', the service name is 'nvsvc', and the name...

Windows Manage Driver Loader

This module loads a KMD Kernel Mode Driver using the Windows Service API. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SERVICEDEMANDSTART', 'boot' = 'SERVICEBOOTSTART', 'auto' =...

Multi Manage YouTube Broadcast

This module will broadcast a YouTube video on specified compromised systems. It will play the video in the target machine's native browser. The VID datastore option is the "v" parameter in a YouTube video's URL. Enabling the EMBED option will play the video in full screen mode through a clean...

MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and...

HP LoadRunner EmulationAdmin Web Service Directory Traversal

This module exploits a directory traversal vulnerability in version 11.52 of HP LoadRunner. The vulnerability exists in the EmulationAdmin web service, specifically in the copyFileToServer method, allowing the upload of arbitrary files. This module has been tested successfully on HP LoadRunner...

Adobe ColdFusion 9 Administrative Login Bypass

Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Due to default settings or misconfiguration, its password can be set to an empty value. This allows an attacker to create a session via the RDS login that can be carried over to th...

Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection

This module exploits a SQL injection vulnerability in the "explorer" action of "miqpolicy" controller of the Red Hat CloudForms Management Engine 5.1 ManageIQ Enterprise Virtualization Manager 5.0 and earlier by changing the password of the target account to the specified password. This module...

Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal

This module exploits a path traversal vulnerability in the "linuxpkgs" action of "agent" controller of the Red Hat CloudForms Management Engine 5.1 ManageIQ Enterprise Virtualization Manager 5.0 and earlier. It uploads a fake controller to the controllers directory of the Rails application with t...