6843 matches found
FreeBSD 9 Address Space Manipulation Privilege Escalation
This module exploits a vulnerability that can be used to modify portions of a process's address space, which may lead to privilege escalation. Systems such as FreeBSD 9.0 and 9.1 are known to be vulnerable. This module requires Metasploit: https://metasploit.com/download Current source:...
Java Applet ProviderSkeleton Insecure Invoke Method
This module abuses the insecure invoke method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier. This module requires Metasploit: https://metasploit.com/download Current source:...
SAPRouter Port Scanner
This module allows for mapping ACLs and identify open/closed ports accessible on hosts through a saprouter. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAPRouter Port Scanner', 'Description...
ZPanel zsudo Local Privilege Escalation Exploit
This module abuses the zsudo binary, installed with zpanel, to escalate privileges. In order to work, a session with access to zsudo on the sudoers configuration is needed. This module is useful for post exploitation of ZPanel vulnerabilities, where typically web server privileges are acquired, a...
IPMI Information Discovery
Discover host information through IPMI Channel Auth probes This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IPMI Information Discovery', 'Description' = 'Discover host information through IPMI...
ZPanel 10.0.0.2 htpasswd Module Username Command Execution
This module exploits a vulnerability found in ZPanel's htpasswd module. When creating .htaccess using the htpasswd module, the username field can be used to inject system commands, which is passed on to a system function for executing the system's htpasswd command. Please note: In order to use th...
Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation
This module exploits a flaw in the nwfs.sys driver to overwrite data in kernel space. The corruption occurs while handling ioctl requests with code 0x1438BB, where a 0x00000009 dword is written to an arbitrary address. An entry within the HalDispatchTable is overwritten in order to execute...
Unix Command Shell, Bind TCP (via Zsh)
Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module...
Unix Command Shell, Reverse TCP (via Zsh)
Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule...
LibrettoCMS File Manager Arbitary File Upload Vulnerability
This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and possibly prior. Attackers can bypass the file extension check and abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution. This module...
Havalite CMS Arbitary File Upload Vulnerability
This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution. This module requires Metasploit:...
MoinMoin twikidraw Action Traversal File Upload
This module exploits a vulnerability in MoinMoin 1.9.5. The vulnerability exists on the manage of the twikidraw actions, where a traversal path can be used in order to upload arbitrary files. Exploitation is achieved on Apached/modwsgi configurations by overwriting moin.wsgi, which allows to...
Canon Wireless Printer Denial Of Service
The HTTP management interface on several models of Canon Wireless printers allows for a Denial of Service DoS condition via a crafted HTTP request. Note: if this module is successful, the device can only be recovered with a physical power cycle. This module requires Metasploit:...
InfoVista VistaPortal Application Bruteforce Login Utility
This module attempts to scan for InfoVista VistaPortal Web Application, finds its version and performs login brute force to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Monkey HTTPD Header Parsing Denial of Service (DoS)
This module causes improper header parsing that leads to a segmentation fault due to a specially crafted HTTP request. Affects version 'Monkey HTTPD Header Parsing Denial of Service DoS', 'Description' = %q This module causes improper header parsing that leads to a segmentation fault due to a...
Sun Java Web Start Double Quote Injection
This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the...
MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8. It uses eith...
Exim and Dovecot Insecure Configuration Command Injection
This module exploits a command injection vulnerability against Dovecot with Exim using the "useshell" option. It uses the sender's address to inject arbitrary commands, since this is one of the user-controlled variables. It has been successfully tested on Debian Squeeze using the default Exim4 wi...
Java Applet Driver Manager Privileged toString() Remote Code Execution
This module abuses the java.sql.DriverManager class where the toString method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file...
RFCode Reader Web Interface Login / Bruteforce Utility
This module simply attempts to login to a RFCode Reader web interface. Please note that by default there is no authentication. In such a case, password brute force will not be performed. If there is authentication configured, the module will attempt to find valid login credentials and capture...
SevOne Network Performance Management Application Brute Force Login Utility
This module scans for SevOne Network Performance Management System Application, finds its version, and performs login brute force to identify valid credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDFIN1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting...
Novell Zenworks Mobile Device Management Admin Credentials
This module attempts to pull the administrator credentials from a vulnerable Novell Zenworks MDM server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Novell Zenworks Mobile Device Management...
Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability
This module exercises a vulnerability in Novel Zenworks Mobile Management's Mobile Device Management component which can allow unauthenticated remote code execution. Due to a flaw in the MDM.php script's input validation, remote attackers can both upload and execute code via a directory traversal...
MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution
This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MiniUPnPd 1.0 Stac...
MiniUPnPd 1.4 Denial of Service (DoS) Exploit
This module allows remote attackers to cause a denial of service DoS in MiniUPnP 1.0 server via a specifically crafted UDP request. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MiniUPnPd 1.4...
Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
This module exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav, where user controlled input is used to call ShellExecuteExW. This module abuses the control to execute an arbitrary HTA from a remote location. This...
Apache Struts includeParams Remote Code Execution
This module exploits a remote command execution vulnerability in Apache Struts versions 'Apache Struts includeParams Remote Code Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions 2.3.14.2. A specifically crafted request paramete...
Unix Command Shell, Bind TCP (via AWK)
Listen for a connection and spawn a command shell via GNU AWK This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 140 include Msf::Payload::Single include...
Unix Command Shell, Reverse TCP (via AWK)
Creates an interactive shell via GNU AWK This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 154 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...
Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow
This module exploits a stack buffer overflow in the dbnetserver process, which is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Canon Printer Wireless Configuration Disclosure
This module enumerates wireless credentials from Canon printers with a web interface. It has been tested on Canon models: MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920. This module requires Metasploit: https://metasploit.com/download Current source:...
IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
This module exploits a heap based buffer overflow in the C1Tab ActiveX control, while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has been tested successfully on IE 6, 7 and 8 on Windows XP...
Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow
This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngxhttpparsechunked by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a sta...
AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass
This module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity...
Linux dup2 Command Shell, Reverse TCP Stager
dup2 socket in r12, then execve. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ReverseTcp ---------- Linux reverse TCP stager. module MetasploitModule CachedSize = 260 include...
Linux Meterpreter, Reverse TCP Stager
Inject the mettle server payload staged. Connect back to the attacker This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework ReverseTcp ---------- Linux reverse TCP stager. module MetasploitModule CachedSize = 260 include...
Linux dup2 Command Shell, Bind TCP Stager
dup2 socket in r12, then execve. Listen for a connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework BindTcp ------- Linux bind TCP stager. module MetasploitModule CachedSize = 232 include...
Linux Meterpreter, Bind TCP Stager
Inject the mettle server payload staged. Listen for a connection This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework BindTcp ------- Linux bind TCP stager. module MetasploitModule CachedSize = 232 include...
SAP CTC Service Verb Tampering User Management
This module exploits an authentication bypass vulnerability in SAP NetWeaver CTC service. The service is vulnerable to verb tampering allowing for unauthorised OS user management. Information about resolution should be available at SAP notes 1589525 and 1624450 authentication required. This modul...
Firefox 17.0.1 Flash Privileged Code Injection
This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the This module requires Metasploit: https://metasploit.com/download Curre...
Mutiny 5 Arbitrary File Read and Delete
This module exploits the EditDocument servlet from the frontend on the Mutiny 5 appliance. The EditDocument servlet provides file operations, such as copy and delete, which are affected by a directory traversal vulnerability. Because of this, any authenticated frontend user can read and delete...
Mutiny 5 Arbitrary File Upload
This module exploits a code execution flaw in the Mutiny 5 appliance. The EditDocument servlet provides a file upload function to authenticated users. A directory traversal vulnerability in the same functionality allows for arbitrary file upload, which results in arbitrary code execution with roo...
SAP SMB Relay Abuse
This module exploits provides several SMB Relay abuse through different SAP services and functions. The attack is done through specially crafted requests including a UNC Path which will be accessing by the SAP system while trying to process the request. In order to get the hashes the...
Kloxo Local Privilege Escalation
Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as lxsuexec and lxrestart, allow local privilege escalation to root from uid 48, Apache by default on CentOS 5.8, the operating system supported by Kloxo. This module has been tested successfully with Kloxo 6.1.12 and 6.1.6...
ColdFusion 'password.properties' Hash Extraction
This module uses a directory traversal vulnerability to extract information such as password, rdspassword, and "encrypted" properties. This module has been tested successfully on ColdFusion 9 and ColdFusion 10 auto-detect. This module requires Metasploit: https://metasploit.com/download Current...
Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
Inject the meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Tunnel communication over HTTP Windows x64 wininet This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
Inject a VNC Dll via a reflective loader Windows x64 staged. Tunnel communication over HTTP Windows x64 wininet This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 644 include...
Windows Manage Remote Point-to-Point Tunneling Protocol
This module initiates a PPTP connection to a remote machine VPN server. Once the tunnel is created we can use it to force the victim traffic to go through the server getting a man in the middle attack. Be sure to allow forwarding and masquerading on the VPN server mitm. This module requires...
SAP Management Console OSExecute Payload Execution
This module executes an arbitrary payload through the SAP Management Console SOAP Interface. A valid username and password for the SAP Management Console must be provided. This module has been tested successfully on both Windows and Linux platforms running SAP Netweaver. In order to exploit a Lin...