6843 matches found

Metasploit
• added 2013/10/24 12:16 p.m. • 20 views

Open Flash Chart v2 Arbitrary File Upload

This module exploits a file upload vulnerability found in Open Flash Chart version 2. Attackers can abuse the 'ofcuploadimage.php' file in order to upload and execute malicious PHP files. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 7.3
Exploits: 0
Metasploit
• added 2013/10/23 9:1 p.m. • 44 views

HP Intelligent Management SOM Account Creation

This module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the AccountService RpcServiceServlet from the SOM component, in order to create a SOM account with Account Management permissions. This module has been tested successfully on HP...

CVSS 7.5 | AI score 7.1 | EPSS 0.23927
Exploits: 3
Metasploit
• added 2013/10/23 4:24 p.m. • 26 views

HP Intelligent Management SOM FileDownloadServlet Arbitrary Download

This module exploits a lack of authentication and access control in HP Intelligent Management, specifically in the FileDownloadServlet from the SOM component, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center...

CVSS 5 | AI score 0.4 | EPSS 0.31556
Exploits: 2
Metasploit
• added 2013/10/22 8:31 p.m. • 27 views

SMB File Delete Utility

This module deletes a file from a target share and path. The usual reason to use this module is to work around limitations in an existing SMB client that may not be able to take advantage of pass-the-hash style authentication.

AI score 7.1
Exploits: 0
Metasploit
• added 2013/10/22 8:31 p.m. • 13 views

SMB File Download Utility

This module downloads a file from a target share and path. The usual reason to use this module is to work around limitations in an existing SMB client that may not be able to take advantage of pass-the-hash style authentication.

AI score 7.1
Exploits: 0
Metasploit
• added 2013/10/22 7:12 p.m. • 58 views

Node.js HTTP Pipelining Denial of Service

This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions released before 0.10.21 and 0.8.26. The attack sends many pipelined HTTP requests on a single connection, which causes unbounded memory allocation when the client does not read the responses. This module...

CVSS 5 | AI score 0.5 | EPSS 0.3722
Exploits: 3
Metasploit
• added 2013/10/22 4:16 p.m. • 21 views

Jenkins-CI Enumeration

This module enumerates a remote Jenkins-CI installation in an unauthenticated manner, including host operating system and Jenkins installation details. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Some of this code...

AI score 7.2
Exploits: 0
Metasploit
• added 2013/10/21 8:13 p.m. • 198 views

Tomcat Application Manager Login Utility

This module simply attempts to log in to a Tomcat Application Manager instance using a specific user/pass.

CVSS 10 | AI score 7.2 | EPSS 0.78995
Exploits: 65
Metasploit
• added 2013/10/21 8:11 p.m. • 224 views

Sun/Oracle GlassFish Server Authenticated Code Execution

This module logs in to a GlassFish Server Open Source or Commercial using various methods such as authentication bypass, default credentials, or user-supplied login, and deploys a malicious war file in order to get remote code execution. It has been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java...

CVSS 10 | AI score 0.7 | EPSS 0.60878
Exploits: 6
Metasploit
• added 2013/10/19 5:27 a.m. • 27 views

HP Intelligent Management BIMS DownloadServlet Directory Traversal

This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the DownloadServlet from the BIMS component, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management...

CVSS 5 | AI score 7.2 | EPSS 0.37541
Exploits: 2
Metasploit
• added 2013/10/19 5:5 a.m. • 55 views

HP Intelligent Management Center BIMS UploadServlet Directory Traversal

This module exploits a directory traversal vulnerability in version 5.2 of the BIMS component from the HP Intelligent Management Center. The vulnerability exists in the UploadServlet, allowing the user to download and upload arbitrary files. This module has been tested successfully on HP...

CVSS 10 | AI score 0.5 | EPSS 0.62617
Exploits: 5
Metasploit
• added 2013/10/17 7:7 p.m. • 64 views

Interactive Graphical SCADA System Remote Command Injection

This module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.

CVSS 10 | AI score 1.3 | EPSS 0.66982
Exploits: 10
Metasploit
• added 2013/10/17 2:51 p.m. • 18 views

EMC Replication Manager Command Execution

This module exploits a remote command-injection vulnerability in EMC Replication Manager client irccd.exe. By sending a specially crafted message invoking the RunProgram function, an attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected products are EMC Replication Manage...

CVSS 10 | AI score 7.6 | EPSS 0.63676
Exploits: 5
Metasploit
• added 2013/10/17 6:27 a.m. • 13 views

WebTester 5.x Command Execution

This module exploits a command execution vulnerability in WebTester version 5.x. The 'install2.php' file allows unauthenticated users to execute arbitrary commands in the 'cpusername', 'cppassword' and 'cpdomain' parameters.

AI score 8
Exploits: 0
Metasploit
• added 2013/10/17 6:8 a.m. • 15 views

D-Link DIR-605L Captcha Handling Buffer Overflow

This module exploits an anonymous remote code execution vulnerability on D-Link DIR-605L routers. The vulnerability exists while handling user-supplied captcha information, and is due to the insecure usage of sprintf in the getAuthCode function. This module has been tested successfully on D-Link...

AI score 7.9
Exploits: 0
Metasploit
• added 2013/10/16 8:10 p.m. • 10 views

Radware AppDirector Bruteforce Login Utility

This module scans for Radware AppDirector's web login portal, and performs login brute force to identify valid credentials.

AI score 7.3
Exploits: 0
Metasploit
• added 2013/10/15 7:52 p.m. • 40 views

Windows Gather Active Directory Computers

This module will enumerate computers in the default AD directory. Optional Attributes to use in ATTRIBS: objectClass, cn, description, distinguishedName, instanceType, whenCreated, whenChanged, uSNCreated, uSNChanged, name, objectGUID, userAccountControl, badPwdCount, codePage, countryCode,...

AI score 0.1
Exploits: 0
Metasploit
• added 2013/10/15 6:51 p.m. • 73 views

Telnet Login Check Scanner

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

CVSS 7.5 | AI score 7.2 | EPSS 0.51933
Exploits: 41
Metasploit
• added 2013/10/15 6:51 p.m. • 20 views

Microsoft Windows Authenticated Powershell Command Execution

This module uses a valid administrator username and password to execute a powershell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the commandline using the -encodedcommand flag. Using this method, the payloa...

AI score 7.3
Exploits: 0
Metasploit
• added 2013/10/15 4:11 p.m. • 69 views

Persistent Payload in Windows Volume Shadow Copy

This module will attempt to create a persistent payload in a new volume shadow copy. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has been tested successfully on Windows 7. In order to achieve persistence through the RUNKEY option, the user shoul...

AI score 7
Exploits: 0
Metasploit
• added 2013/10/13 7:42 p.m. • 32 views

D-Link User-Agent Backdoor Scanner

This module attempts to find D-Link devices running Alphanetworks web interfaces affected by the backdoor found on the User-Agent header. This module has been tested successfully on a DIR-100 device with firmware version v1.13.

AI score 7
Exploits: 0
Metasploit
• added 2013/10/12 9:8 p.m. • 16 views

Mac OS X Persistent Payload Installer

This module provides a persistent boot payload by creating a launch item, which can be a LaunchAgent or a LaunchDaemon. LaunchAgents run with user level permissions and are triggered upon login by a plist entry in /Library/LaunchAgents. LaunchDaemons run with elevated privileges, and are launche...

AI score 7.3
Exploits: 0
Metasploit
• added 2013/10/12 6:1 p.m. • 52 views

MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research...

CVSS 8.8 | AI score 7.3 | EPSS 0.8593
Exploits: 23
Metasploit
• added 2013/10/11 2:50 a.m. • 37 views

Zabbix 2.0.8 SQL Injection and Remote Code Execution

This module exploits an unauthenticated SQL injection vulnerability affecting Zabbix versions 2.0.8 and lower. The SQL injection issue can be abused in order to retrieve an active session ID. If an administrator level user is identified, remote code execution can be gained by uploading and...

CVSS 9.8 | AI score 0.1 | EPSS 0.79988
Exploits: 9
Metasploit
• added 2013/10/10 6:37 p.m. • 14 views

VMware Hyperic HQ Groovy Script-Console Java Execution

This module uses the VMware Hyperic HQ Groovy script console to execute OS commands using Java. Valid credentials for an application administrator user account are required. This module has been tested successfully with Hyperic HQ 4.6.6 on Windows 2003 SP2 and Ubuntu 10.04 systems. This module...

AI score 7.8
Exploits: 0
Metasploit
• added 2013/10/10 3:6 p.m. • 51 views

HP Data Protector Cell Request Service Buffer Overflow

This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector product. The vulnerability, due to the insecure usage of swprintf, exists at the Cell Request Service crs.exe when parsing packets with opcode 211. This module has been tested successfully on HP Data Protecto...

CVSS 10 | AI score 7.4 | EPSS 0.90162
Exploits: 8
Metasploit
• added 2013/10/09 9:3 p.m. • 72 views

Linux Kernel Sendpage Local Privilege Escalation

The Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits...

CVSS 7.8 | AI score 7.6 | EPSS 0.14749
Exploits: 17
Metasploit
• added 2013/10/09 8:52 p.m. • 26 views

Multi Gather Resolve Hosts

Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.

AI score 0.3
Exploits: 0
Metasploit
• added 2013/10/09 6:12 p.m. • 40 views

vBulletin Administrator Account Creation

This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild in October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0.

CVSS 7.5 | AI score 0.6 | EPSS 0.51887
Exploits: 7
Metasploit
• added 2013/10/07 7:6 p.m. • 54 views

Linksys Devices pingstr Remote Command Injection

The Linksys WRT100 and WRT110 consumer routers are vulnerable to a command injection exploit in the ping field of the web interface.

CVSS 8.8 | AI score 7.5 | EPSS 0.25129
Exploits: 8
Metasploit
• added 2013/10/07 11:9 a.m. • 31 views

Unix Command Shell, Reverse TCP (via nodejs)

Continually listen for a connection and spawn a command shell via nodejs.

AI score 0.3
Exploits: 0
Metasploit
• added 2013/10/07 11:9 a.m. • 27 views

Command Shell, Bind TCP (via nodejs)

Creates an interactive shell via nodejs. It would be better to have a commonjs payload, but because the implementations differ so greatly when it comes to require paths f...

AI score 7.1
Exploits: 0
Metasploit
• added 2013/10/07 11:9 a.m. • 32 views

Unix Command Shell, Bind TCP (via nodejs)

Continually listen for a connection and spawn a command shell via nodejs.

AI score 0.5
Exploits: 0
Metasploit
• added 2013/10/05 1:0 p.m. • 11 views

FlashChat Arbitrary File Upload

This module exploits a file upload vulnerability found in FlashChat versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload feature in order to upload malicious PHP files without authentication which results in arbitrary remote code execution as the web server user.

AI score 8.3
Exploits: 0
Metasploit
• added 2013/10/05 12:2 p.m. • 57 views

Linux Command Shell, Bind TCP Random Port Inline

Listen for a connection on a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.

AI score 7.5
Exploits: 0
Metasploit
• added 2013/10/04 1:39 p.m. • 29 views

GestioIP Remote Command Execution

This module exploits a command injection flaw to create a shell script on the filesystem and execute it. If GestioIP is configured to use no authentication, no password is required to exploit the vulnerability. Otherwise, an authenticated user is required to exploit.

AI score 0.8
Exploits: 0
Metasploit
• added 2013/10/04 4:43 a.m. • 18 views

ClipBucket Remote Code Execution

This module exploits a vulnerability found in ClipBucket version 2.6 and lower. The script "/adminarea/charts/ofc-library/ofcuploadimage.php" can be used to upload arbitrary code without any authentication. This module has been tested on version 2.6 on CentOS 5.9 32-bit.

AI score 0.4
Exploits: 0
Metasploit
• added 2013/10/03 9:52 p.m. • 32 views

HP LoadRunner magentproc.exe Overflow

This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending a specially crafted packet, an attacker may be able to execute arbitrary code.

CVSS 9.3 | AI score 0.9 | EPSS 0.39303
Exploits: 4
Metasploit
• added 2013/10/01 4:42 p.m. • 21 views

Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution

This module exploits the SEListCtrlX ActiveX installed with the Siemens Solid Edge product. The vulnerability exists on several APIs provided by the control, where user supplied input is handled as a memory pointer without proper validation, allowing an attacker to read and corrupt memory from th...

AI score 7.6
Exploits: 0
Metasploit
• added 2013/09/29 11:24 p.m. • 52 views

MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free

This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The...

CVSS 9.3 | EPSS 0.8593
Exploits: 18
Metasploit
• added 2013/09/26 10:37 a.m. • 63 views

freeFTPd PASS Command Buffer Overflow

freeFTPd 1.0.10 and below contains an overflow condition that is triggered as user-supplied input is not properly validated when handling a specially crafted PASS command. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or allow the execution of...

AI score 0.6
Exploits: 0
Metasploit
• added 2013/09/22 8:13 a.m. • 53 views

ZeroShell Remote Code Execution

This module exploits a vulnerability found in ZeroShell 2.0 RC2 and lower. It will leverage an unauthenticated local file inclusion vulnerability in the "/cgi-bin/kerbynet" url. The file retrieved is "/var/register/system/ldap/rootpw". This file contains the admin password in cleartext. The...

CVSS 10 | AI score 0.4 | EPSS 0.90732
Exploits: 2
Metasploit
• added 2013/09/20 5:36 p.m. • 94 views

Windows Management Instrumentation (WMI) Remote Command Execution

This module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that...

CVSS 7.5 | AI score 7.4 | EPSS 0.63703
Exploits: 13
Metasploit
• added 2013/09/20 5:18 p.m. • 25 views

PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow

This module exploits a buffer overflow vulnerability found in the STOR command of the PCMAN FTP v2.07 Server when the "/../" parameters are also sent to the server. Please note authentication is required in order to trigger the vulnerability. The overflowing string will also be seen on the FTP...

CVSS 10 | AI score 0.7 | EPSS 0.67228
Exploits: 7
Metasploit
• added 2013/09/20 3:20 p.m. • 24 views

MS13-069 Microsoft Internet Explorer CCaret Use-After-Free

This module exploits a use-after-free vulnerability found in Internet Explorer, specifically in how the browser handles the caret text cursor object. In IE's standards mode, the caret handling's vulnerable state can be triggered by first setting up an editable page with an input field, and then w...

CVSS 9.3 | AI score 7.2 | EPSS 0.66277
Exploits: 8
Metasploit
• added 2013/09/20 8:45 a.m. • 48 views

GLPI install.php Remote Command Execution

This module exploits an arbitrary command execution vulnerability in the GLPI 'install.php' script. This module is set to ManualRanking due to this module overwriting the target database configuration, which may introduce target instability.

CVSS 6.8 | AI score 0.9 | EPSS 0.07855
Exploits: 11
Metasploit
• added 2013/09/19 2:35 p.m. • 23 views

CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow

This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.

AI score 1.3
Exploits: 0
Metasploit
• added 2013/09/18 6:40 p.m. • 47 views

MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution

This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows 2003. The vulnerability exists in the handling of the Screen Saver path, in the boot section. An arbitrary path can be used as screen saver, including a remote SMB resource, which allows for remote code...

CVSS 8.1 | AI score 7.8 | EPSS 0.59885
Exploits: 10
Metasploit
• added 2013/09/17 5:32 a.m. • 13 views

Astium Remote Code Execution

This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain admin access. From an admin session arbitrary PHP code upload is possible. It is used to add the final PHP payload to...

AI score 0.8
Exploits: 0
Metasploit
• added 2013/09/16 6:38 p.m. • 38 views

Command Shell, Reverse TCP SSL (via nodejs)

Creates an interactive shell via nodejs, uses SSL.

AI score 0.4
Exploits: 0
Total number of security vulnerabilities: 6843