6843 matches found
OSX Gather Autologin Password as Root
This module will steal the plaintext password of any user on the machine with autologin enabled. Root access is required. When a user has autologin enabled (System Preferences -> Accounts), OSX stores their password with an XOR encoding in /private/etc/kcpassword. This module requires Metasploit:...
vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection
This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module uses the SQLi to extract the web application's usernames and hashes. With the retrieved information, it tries to log into the admin control panel in order to deploy the...
vBulletin Password Collector via nodeid SQL Injection
This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module can be used to extract the web application's usernames and hashes, which could be used to authenticate into the vBulletin admin control panel. This module requires...
Windows Escalate UAC Protection Bypass (In Memory Injection)
This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binari...
Windows Gather Skype, Firefox, and Chrome Artifacts
Gathers Skype chat logs, Firefox history, and Chrome history data from the target machine. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Ruby on Rails Action View MIME Memory Exhaustion
This module exploits a Denial of Service (DoS) condition in Action View that requires a controller action. By sending a specially crafted content-type header to a Rails application, it is possible for it to store the invalid MIME type, and may eventually consume all memory if enough invalid MIMEs a...
Windows Manage Proxy PAC File
This module configures Internet Explorer to use a PAC proxy file. By using the LOCALPAC option, a PAC file will be created on the victim host. It's also possible to provide a remote PAC file (REMOTEPAC option) by providing the full URL. This module requires Metasploit: https://metasploit.com/downlo...
Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability
This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. This module was created as an exercise in the Metasploi...
Cisco ASA ASDM Bruteforce Login Utility
This module scans for Cisco ASA ASDM web login portals and performs login brute force to identify valid credentials...
Cisco Prime Data Center Network Manager Arbitrary File Upload
This module exploits a code execution flaw in Cisco Data Center Network Manager. The vulnerability exists in processImageSave.jsp, which can be abused through a directory traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss application server feature is used to...
ZyXEL GS1510-16 Password Extractor
This module exploits a vulnerability in ZyXEL GS1510-16 routers to extract the admin password. Due to a lack of authentication on the webctrl.cgi script, unauthenticated attackers can recover the administrator password for these devices. The vulnerable device has reached end of life for support...
ABB MicroSCADA wserver.exe Remote Code Execution
This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe component, which allows arbitrary commands. The component is disabled by default, but required when a project uses the SCI...
Oracle ILO Manager Login Brute Force Utility
This module scans for the Oracle Integrated Lights Out Manager (ILO) login portal, and performs a login brute force attack to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Chargen Probe Utility
Chargen is a debugging and measurement tool and a character generator service. A character generator service simply sends data without regard to the input. Chargen is susceptible to spoofing the source of transmissions as well as use in a reflection attack vector. The misuse of the testing featur...
Kimai v0.9.2 'db_restore.php' SQL Injection
This module exploits a SQL injection vulnerability in Kimai version 0.9.2.x. The 'db_restore.php' file allows unauthenticated users to execute arbitrary SQL queries. This module writes a PHP payload to disk if the following conditions are met: The PHP configuration must have 'display_errors' enable...
Ruby on Rails JSON Processor Floating Point Heap Overflow DoS
When Ruby attempts to convert a string representation of a large floating point decimal number to its floating point equivalent, a heap-based buffer overflow can be triggered. This module has been tested successfully on a Ruby on Rails application using Ruby version 1.9.3-p448 with WebRick and Th...
MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access
This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists in the Initialize method of System.Windows.Browser.ScriptObject, which accesses memory in an unsafe manner. Since it is accessible to untrusted (user controlled) code, it's possible to dereference arbitrary memo...
OpenMind Message-OS Portal Login Brute Force Utility
This module scans for the OpenMind Message-OS provisioning web login portal, and performs a login brute force attack to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow
This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value...
Apache Roller OGNL Injection
This module exploits an OGNL injection vulnerability in Apache Roller. Credits: vulnerability discovery from coverity.com; Metasploit module by juan vazquez. License:...
ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to v8 build 80293. A malicious user can upload a JSP file into the web root without authentication, leading to arbitrary code execution as SYSTEM. This module requires Metasploit: https://metasploit.com/download...
Kaseya uploadImage Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability found in Kaseya versions below 6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous authentication, leading to arbitrary code execution with IUSR privileges. This module requires Metasploit:...
Gzip Memory Bomb Denial Of Service
This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB. Many applications will not implement a length limit check and will eat up all memory and eventually die. This can also be used to kill systems that download/parse content from a user-provided URL...
MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow
This module exploits a vulnerability in the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists in the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollection stores a collection of elements in a SafeArray and keeps a size field,...
Windows Enumerate LSA Secrets
This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is: HKEY_LOCAL_MACHINE\Security\Policy\Secrets\. Thanks goes to Maurizio Agazzini and Mubix for decrypt code from cachedump. This module requires Metasploit: https://metasploit.com/download...
OSX Screen Capture
This module takes screenshots of the target desktop and automatically downloads them. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
OSX Network Share Mounter
This module lists saved network shares and tries to connect to them using stored credentials. This does not require root privileges. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
OSX VPN Manager
This module lists VPN connections and tries to connect to them using stored credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows SYSTEM Escalation via KiTrap0D
This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows. This module requires Metasploit:...
Wordpress Scanner
Detects Wordpress Versions, Themes, Plugins, and Users. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Symantec Altiris DS SQL Injection
This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8 to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell, several SQL injections are...
Typo3 Login Bruteforcer
This module attempts to bruteforce Typo3 logins. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Supermicro Onboard IPMI close_window.cgi Buffer Overflow
This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web interface. The vulnerability exists in the close_window.cgi CGI application, and is due to the insecure usage of strcpy. In order to get a session, the module will execute system from libc with an arbitrary CMD...
Windows Gather Active Directory User Comments
This module will enumerate user accounts in the default Active Domain (AD) directory which contain 'pass' in their description or comment (case-insensitive) by default. In some cases, such users have their passwords specified in these fields. This module requires Metasploit:...
VICIdial Manager Send OS Command Injection
The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru function. A valid username, password and session are needed to access the injection point. Fortunately, VICIdial has two built-in accounts with...
Supermicro Onboard IPMI CGI Vulnerability Scanner
This module checks for known vulnerabilities in the CGI applications of Supermicro Onboard IPMI controllers. These issues currently include several unauthenticated buffer overflows in the login.cgi and close_window.cgi components. This module requires Metasploit: https://metasploit.com/download...
Supermicro Onboard IPMI Static SSL Certificate Scanner
This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI controllers. An attacker with access to the publicly-available firmware can perform man-in-the-middle attacks and offline decryption of communication to the controller. This module has been tested on a Supermicro Onboar...
Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal
This module abuses a directory traversal vulnerability in the url_redirect.cgi application accessible through the web interface of Supermicro Onboard IPMI controllers. The vulnerability is present due to a lack of sanitization of the url_name parameter. This allows an attacker with a valid, but not...
Byte XORi Encoder
MIPS web server exploit friendly XOR encoder. This encoder has been found useful in situations where '&' (0x26) is a badchar. Since 0x26 is the xor opcode on MIPS architectures, this one is based on the xori instruction. This module requires Metasploit: https://metasploit.com/download Current...
Byte XORi Encoder
MIPS web server exploit friendly XOR encoder. This encoder has been found useful in situations where '&' (0x26) is a badchar. Since 0x26 is the xor opcode on MIPS architectures, this one is based on the xori instruction. This module requires Metasploit: https://metasploit.com/download Current...
Openbravo ERP XXE Arbitrary File Read
The Openbravo ERP XML API expands external entities which can be defined as local files. This allows the user to read any files from the FS as the user Openbravo is running as (generally not root). This module was tested against Openbravo ERP version 3.0MP25 and 2.50MP6. This module requires...
Zabbix Authenticated Remote Command Execution
ZABBIX allows an administrator to create scripts that will be run on hosts. An authenticated attacker can create a script containing a payload and a host with an IP of 127.0.0.1, then run the arbitrary script on the ZABBIX host. This module was tested against Zabbix v2.0.9, v2.0.5, v3.0.1, v4.0.1...
vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP script and execute arbitrary PHP code remotely. This module was tested against vTiger CRM v5.4.0 and v5.3.0. This module...
Moodle Remote Command Execution
Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the...
OpenMediaVault Cron Remote Command Execution
OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system including root. This module requires Metasploit: https://metasploit.com/download Current source:...
NAS4Free Arbitrary Remote Code Execution
NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have the code executed remotely. This module was successfully tested against NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well. This module requires Metasploit:...
ISPConfig Authenticated Arbitrary PHP Code Execution
ISPConfig allows an authenticated administrator to export language settings into a PHP script which is intended to be reuploaded later to restore language settings. This feature can be abused to run arbitrary PHP code remotely on the ISPConfig server. This module was tested against version...
ProcessMaker Open Source Authenticated PHP Code Execution
This module exploits a PHP code execution vulnerability in the 'neoclassic' skin for ProcessMaker Open Source which allows any authenticated user to execute PHP code. The vulnerable skin is installed by default in version 2.x and cannot be removed via the web interface. This module requires...
Beetel Connection Manager NetConfig.ini Buffer Overflow
This module exploits a stack-based buffer overflow in Beetel Connection Manager. The vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini file. The module has been tested successfully against version PCWBTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1. This module...
NETGEAR ReadyNAS Perl Code Evaluation
This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The vulnerability exists on the web front end, specifically in the np_handler.pl component, due to an insecure usage of the Perl eval function. This module has been tested successfully on a NETGEAR ReadyNAS 4.2.23...