MiniWeb (Build 300) Arbitrary File Upload
This module exploits a vulnerability in MiniWeb HTTP server build 300. The software contains a file upload vulnerability that allows an unauthenticated remote attacker to write arbitrary files to the file system. Code execution can be achieved by first uploading the payload to the remote machine ...
OSX Password Prompt Spoof
Presents a password prompt dialog to a logged-in OSX user. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Joomla Media Manager File Upload Vulnerability
This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been...
Chasys Draw IES Buffer Overflow
This module exploits a buffer overflow vulnerability found in Chasys Draw IES version 4.10.01. The vulnerability exists in the module fltBMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data on the stack in an insecure way. It results in arbitrary code...
Open-FTPD 1.2 Arbitrary File Upload
This module exploits multiple vulnerabilities found in Open FTP server. The software contains an authentication bypass vulnerability and an arbitrary file upload vulnerability that allows a remote attacker to write arbitrary files to the file system as long as there is at least one user who has...
Ultra Mini HTTPD Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Ultra Mini HTTPD 1.21, allowing remote attackers to execute arbitrary code via a long resource name in an HTTP request. This exploit has to deal with the fact that the application's request handler thread is terminated after 60 seconds by a...
HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow
This module exploits a buffer overflow vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage of the sscanf function when parsing login requests. This module has been tested successfully on the HP VSA 9 Virtual Appliance. This...
OpenX Backdoor PHP Code Execution
OpenX Ad Server version 2.8.10 was shipped with an obfuscated backdoor since at least November 2012 through August 2013. Exploitation is simple, requiring only a single request with a rot13'd and reversed payload. This module requires Metasploit: https://metasploit.com/download Current source:...
Firefox onreadystatechange Event DocumentViewerImpl Use After Free
This module exploits a vulnerability found on Firefox 17.0.6, specifically a use after free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop API, as exploited in the wild on 2013 August to target Tor Browser users. This...
Squash YAML Code Execution
This module exploits a remote code execution vulnerability in the YAML request processor of the Squash application. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Python Meterpreter, Python Reverse TCP Stager
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Connect back to the attacker. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Python Meterpreter, Python Bind TCP Stager
Run a meterpreter server in Python compatible with 2.5-2.7 & 3.1+. Listen for a connection. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
D-Link Devices Unauthenticated Remote Command Execution
Various D-Link Routers are vulnerable to OS command injection via the web interface. The vulnerability exists in command.php, which is accessible without authentication. This module has been tested with the versions DIR-600 2.14b01, DIR-300 rev B 2.13. This module requires Metasploit:...
Windows Gather DNS Cache
This module displays the records stored in the DNS cache. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Raidsonic NAS Devices Unauthenticated Remote Command Execution
Different Raidsonic NAS devices are vulnerable to OS command injection via the web interface. The vulnerability exists in timeHandler.cgi, which is accessible without authentication. This module has been tested with the versions IB-NAS5220 and IB-NAS4220. Since this module is adding a new user an...
HP System Management Homepage JustGetSNMPQueue Command Injection
This module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue found in ginkgosnmp.inc, which will be used in an exec function. This module requires...
Intrasrv 1.0 Buffer Overflow
This module exploits a boundary condition error in Intrasrv Simple Web Server 1.0. The web interface does not validate the boundaries of an HTTP request string prior to copying the data to an insufficiently sized buffer. Successful exploitation leads to arbitrary remote code execution in the...
D-Link Devices Unauthenticated Remote Command Execution
Various D-Link Routers are vulnerable to OS command injection via the web interface. The vulnerability exists in toolsvct.xgi, which is accessible with credentials. According to the vulnerability discoverer, more D-Link devices may be affected. This module requires Metasploit:...
Gather eCryptfs Metadata
This module will collect the contents of all users' .ecryptfs directories on the targeted machine. Collected "wrapped-passphrase" files can be cracked with John the Ripper (JtR) to recover "mount passphrases". This module requires Metasploit: https://metasploit.com/download Current source:...
PineApp Mail-SeCure livelog.html Arbitrary Command Execution
This module exploits a command injection vulnerability on PineApp Mail-SeCure 3.70. The vulnerability exists on the livelog.html component, due to the insecure usage of the shell_exec php function. This module has been tested successfully on PineApp Mail-SeCure 3.70. This module requires Metasploi...
PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution
This module exploits a command injection vulnerability on PineApp Mail-SeCure 3.70. The vulnerability exists on the ldapsyncnow.php component, due to the insecure usage of the shell_exec php function. This module has been tested successfully on PineApp Mail-SeCure 3.70. This module requires...
PineApp Mail-SeCure test_li_connection.php Arbitrary Command Execution
This module exploits a command injection vulnerability on PineApp Mail-SeCure 3.70. The vulnerability exists on the test_li_connection.php component, due to the insecure usage of the system php function. This module has been tested successfully on PineApp Mail-SeCure 3.70. This module requires...
Ruby on Rails Known Secret Session Cookie Remote Code Execution
This module implements Remote Command Execution on Ruby on Rails applications. Prerequisite is knowledge of the "secret_token" (Rails 2/3) or "secret_key_base" (Rails 4). The values for those can usually be found in the file "RAILS_ROOT/config/initializers/secret_token.rb". The module achieves RCE by...
MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008...
Oracle MySQL for Microsoft Windows FILE Privilege Abuse
This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers. This module abuses the FILE privilege to write a payload to Microsoft's All Users Start Up directory which will execute every time a user logs in. The default All Users Start Up...
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within...
Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment
This module exploits a mass assignment vulnerability in the 'create' action of the 'users' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, your account must have the 'create_users' permission, e.g....
SAP Host Agent Information Disclosure
This module attempts to retrieve Computer and OS info from Host Agent through the SAP HostControl service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Apple Quicktime 7 Invalid Atom Length Buffer Overflow
This module exploits a vulnerability found in Apple QuickTime. The flaw is triggered when QuickTime fails to properly handle the data length for certain atoms such as 'rdrf' or 'dref' in the Alis record, which may result in a buffer overflow by loading a specially crafted .mov file, and allows...
VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload
This module exploits a code execution flaw in VMware vCenter Chargeback Manager, where the ImageUploadServlet servlet allows unauthenticated file upload. The files are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed. The module has been tested successfully on VMware...
HP Managed Printing Administration jobAcct Remote Command Execution
This module exploits an arbitrary file upload vulnerability on HP Managed Printing Administration 2.6.3 and prior versions. The vulnerability exists in the UploadFiles function from the MPAUploader.Uploader.1 control, loaded and used by the server. The function can be abused via directory travers...
Apple Quicktime 7 Invalid Atom Length Buffer Overflow
This module exploits a vulnerability found in Apple QuickTime. The flaw is triggered when QuickTime fails to properly handle the data length for certain atoms such as 'rdrf' or 'dref' in the Alis record, which may result in a buffer overflow by loading a specially crafted .mov file, and allows...
Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection
This module exploits a code injection vulnerability in the 'create' action of the 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier). This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Gather Enumerate Active Domain Users
This module will enumerate computers included in the primary Domain and attempt to list all locations the targeted user has sessions on. If the HOST option is specified the module will target only that host. If the HOST is specified and USER is set to nil, all users logged into that host will be...
SPIP connect Parameter PHP Injection
This module exploits a PHP code injection in SPIP. The vulnerability exists in the connect parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 2.0, 2.1 and 3 are concerned. Vulnerable versions are ...
D-Link Devices UPnP SOAP Command Execution
Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on DIR-865 and DIR-645 devices. This module requires Metasploit:...
Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Tunnel communication over HTTP using SSL with custom proxy support This module requires Metasploit: https://metasploit.com/download Current source:...
Corel PDF Fusion Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version 1.11 of Corel PDF Fusion. The vulnerability exists while handling an XPS file with long entry names. In order for the payload to be executed, an attacker must convince the target user to open a specially crafted XPS file...
Apache Rave User Information Disclosure
This module exploits an information disclosure in Apache Rave 0.20 and prior. The vulnerability exists in the RPC API, which allows any authenticated user to disclose information about all the users, including their password hashes. In order to authenticate, the user can provide his own...
ERS Viewer 2013 ERS File Handling Buffer Overflow
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013. The vulnerability exists in the module ermapper_u.dll, where the function rf_report_error handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a...
MediaCoder .M3U Buffer Overflow
This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability occurs when adding an .m3u file, allowing arbitrary code execution under the context of the user. DEP bypass via ROP is supported on Windows 7, since MediaCoder runs with DEP. This module has been tested successfully on...
Windows Manage Reflective DLL Injection Module
This module will inject a specified reflective DLL into the memory of a process, new or existing. If arguments are specified, they are passed to the DllMain entry point as the lpvReserved 3rd parameter. To read output from the injected process, set PID to zero and WAIT to non-zero. Make sure the...
InstantCMS 1.6 Remote PHP Code Execution
This module exploits an arbitrary PHP command execution vulnerability because of a dangerous use of eval in InstantCMS in versions 1.6 and prior. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
ABBS Audio Media Player .LST Buffer Overflow
This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges of the user running the application. This module has been tested successfully on ABBS Audio Media Player 3.1...
Carberp Web Panel C2 Backdoor Remote PHP Code Execution
This module exploits backdoors that can be found all over the leaked source code of the Carberp botnet C2 Web Panel. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
IPMI 2.0 Cipher Zero Authentication Bypass Scanner
This module identifies IPMI 2.0-compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ...
Windows Manage Trojanize Support Account
This module enables alternative access to servers and workstations by modifying the support account's properties. It will enable the account for remote access as the administrator user while taking advantage of some weird behavior in lusrmgr.msc. It will check if sufficient privileges are availab...
SMTP Open Relay Detection
This module tests if an SMTP server will accept via a code 250 an e-mail by using a variation of testing methods. Some of the extended methods will try to abuse configuration or mailserver flaws. This module requires Metasploit: https://metasploit.com/download Current source:...
Novell Client 2 SP3 nicm.sys Local Privilege Escalation
This module exploits a flaw in the nicm.sys driver to execute arbitrary code in kernel space. The vulnerability occurs while handling ioctl requests with code 0x143B6B, where a user provided pointer is used as function pointer. The module has been tested successfully on Windows 7 SP1 with Novell...
IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUTFILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory, as well as hashcat (cpu) 0.46 or newer using...