6843 matches found
CouchDB Enum Utility
This module enumerates databases on CouchDB using the REST API without authentication by default. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CouchDB Enum Utility', 'Description' = %q This...
CouchDB Login Utility
This module tests CouchDB logins on a range of machines and reports successful logins. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CouchDB Login Utility', 'Description' = % This module tests...
ERS Viewer 2011 ERS File Handling Buffer Overflow
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 version 11.04. The vulnerability exists in the module ermapperu.dll where the function ERMconverttocorrectwebpath handles user provided data in an insecure way. It results in arbitrary code execution under the context o...
SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution
This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP SOAP RFC Service, to execute remote commands. This module needs SAP credentials with privileges to use the /sap/bc/soap/rfc service in order to work. The module has been tested successfully on Windows 2008 64-bit and Linux 64-bi...
SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution
This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP RFC Service, to execute remote commands. This module needs SAP credentials with privileges to use the /sap/bc/soap/rfc service in order to work. The module has been tested successfully on Windows 2008 64-bit and Linux 64-bit...
SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure
This module abuses the SAP NetWeaver EPS_GET_DIRECTORY_LISTING function, on the SAP SOAP RFC Service, to check for remote directory existence and get the number of entries in it. The module can also be used to capture SMB hashes by using a fake SMB share as DIR. This module requires Metasploit:...
Linksys WRT160nv2 apply.cgi Remote Command Injection
Some Linksys Routers are vulnerable to an authenticated OS command injection on their web interface where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload...
D-Link DIR615h OS Command Injection
Some D-Link Routers are vulnerable to an authenticated OS command injection on their web interface, where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload...
D-Link DSL 320B Password Extractor
This module exploits an authentication bypass vulnerability in D-Link DSL 320B. References: EDB 25252, OSVDB 93013, http://www.s3cur1ty.de/m1adv2013-018 ...
SAP SOAP EPS_DELETE_FILE File Deletion
This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP RFC Service, to delete arbitrary files on the remote file system. The module can also be used to capture SMB hashes by using a fake SMB share as DIRNAME. This module requires Metasploit: https://metasploit.com/download...
MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed but a reference to it is kept on the Document and used again during rendering; the freed, attacker-controllable memory is then used, which allows arbitrary code...
AudioCoder .M3U Buffer Overflow
This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability occurs when adding an .m3u file, allowing arbitrary code execution with the privileges of the user running AudioCoder. This module has been tested successfully on AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1...
Windows Single Sign On Credential Collector (Mimikatz)
This module will collect cleartext Single Sign On credentials from the Local Security Authority using the Kiwi Mimikatz extension. Blank passwords will not be stored in the database. This module requires Metasploit: https://metasploit.com/download Current source:...
SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check
This module abuses the SAP NetWeaver PFL_CHECK_OS_FILE_EXISTENCE function, on the SAP SOAP RFC Service, to check for file existence on the remote file system. The module can also be used to capture SMB hashes by using a fake SMB share as FILEPATH. This module requires Metasploit:...
SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing
This module exploits the SAP NetWeaver RZL_READ_DIR_LOCAL function, on the SAP SOAP RFC Service, to enumerate directory contents. It returns only the first 32 characters of each filename, since the function truncates them. The module can also be used to capture SMB hashes by using a fake SMB share as DIR. This...
Memcached Remote Denial of Service
This module sends a specially-crafted packet to cause a segmentation fault in memcached v1.4.15 or earlier versions. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Memcached Remote Denial of...
phpMyAdmin Authenticated Remote Code Execution via preg_replace()
This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php. This affects versions 3.5.x 5.4.6 are not vulnerable. This module requires Metasploit: https://metasploit.com/download Current source:...
Auxilliary Parser Windows Unattend Passwords
This module parses Unattend files in the target directory. See also: post/windows/gather/enum_unattend This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Auxilliary Parser Windows Unattend...
Mac OS X Safari .webarchive File Format UXSS
Generates a .webarchive file for Mac OS X Safari that will attempt to inject cross-domain JavaScript (UXSS), silently install a browser extension, collect user information, steal the cookie database, and steal arbitrary local files. When opened on the target machine the webarchive file must not hav...
GroundWork monarch_scan.cgi OS Command Injection
This module exploits a vulnerability found in GroundWork 6.7.0. This software is used for network, application and cloud monitoring. The vulnerability exists in monarch_scan.cgi, where user-controlled input is used in the Perl qx function. This allows any remote authenticated attacker, regardle...
SAP ConfigServlet Remote Code Execution
This module allows remote code execution via operating system commands through the SAP ConfigServlet without any authentication. This module has been tested successfully with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2. This module requires Metasploit: https://metasploit.com/download...
Java Applet Reflection Type Confusion Remote Code Execution
This module abuses Java Reflection to generate a Type Confusion, due to weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially craft...
MediaWiki SVG XML Entity Expansion Remote File Access
This module attempts to read a remote file from the server using a vulnerability in the way MediaWiki handles SVG files. The vulnerability occurs while expanding external entities with the SYSTEM identifier. In order to work, MediaWiki must be configured to accept upload of SVG files. If...
SAP ConfigServlet OS Command Execution
This module allows execution of operating system commands through the SAP ConfigServlet without any authentication. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SAP ConfigServlet OS Command...
Android Meterpreter, Android Reverse TCP Stager
Runs a Meterpreter server on Android. Connect-back stager. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Android include...
Command Shell, Android Reverse TCP Stager
Spawns a piped command shell (sh). Connect-back stager. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Stager include Msf::Payload::Android include...
Add/Sub Encoder
Encodes a payload with add or sub instructions. This idea came from Offensive Security muts' HP NNM 7.5.1 exploit. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Add/Sub Encoder', 'Description' ...
D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
Some D-Link Routers are vulnerable to OS command injection in the web interface. On DIR-645 versions prior to 1.03, authentication isn't needed to exploit it. On version 1.03, authentication is needed in order to trigger the vulnerability, which has been fixed definitively in version 1.04. Other D-Link...
D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility
This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices. It is possible that this module...
Linksys WRT54GL apply.cgi Command Execution
Some Linksys Routers are vulnerable to an authenticated OS command injection in the web interface. Default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping...
PostgreSQL Database Name Command Line Flag Injection
This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution. This module requires Metasploit: https://metasploit.com/download...
Netgear DGN2200B pppoe.cgi Remote Command Execution
Some Netgear Routers are vulnerable to an authenticated OS command injection on their web interface. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd...
HP Intelligent Management IctDownloadServlet Directory Traversal
This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the IctDownloadServlet, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over...
HP Intelligent Management ReportImgServlt Directory Traversal
This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the ReportImgServlt, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windo...
HP Intelligent Management FaultDownloadServlet Directory Traversal
This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the FaultDownloadServlet, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over...
Netgear DGN1000B setup.cgi Remote Command Execution
Some Netgear Routers are vulnerable to authenticated OS command injection. The vulnerability exists in the web interface, specifically in the setup.cgi component, when handling the TimeToLive parameter. Default credentials are always a good starting point; admin/admin or admin/password could be a...
Linksys E1500/E2500 apply.cgi Remote Command Injection
Some Linksys Routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping...
HP System Management Homepage Local Privilege Escalation
Versions of HP System Management Homepage ... Author: agix (@agixid), vulnerability discovery and Metasploit module. Platform: linux. Arch: x86 ...
Novell ZENworks Configuration Management Remote Execution
This module exploits a code execution flaw in Novell ZENworks Configuration Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control Center application, allowing an unauthenticated attacker to upload a malicious file outside of the TEMP directory and then make a second reque...
Windows Gather Deleted Files Enumeration and Recovering
This module lists and attempts to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Leave this option empty to enumerate deleted files in the DRIVE. Set FILES to an extension (e.g., "pdf") to recover deleted files with that extension, or set FILES to a comma...
Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution
This module allows remote command execution on the PHP IRC bot Ra1NX by using the public call feature in private message to covertly bypass the authentication system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
HP System Management Anonymous Access Code Execution
This module exploits an anonymous remote code execution on HP System Management 7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on a request against /proxy/DataValidation. In order to work HP System Management must be configured with Anonymous access enabled. This...
MongoDB nativeHelper.apply Remote Code Execution
This module exploits the nativeHelper feature from SpiderMonkey, which allows remote code execution by calling it with specially crafted arguments. This module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze. This module requires Metasploit:...
STUNSHELL Web Shell Remote PHP Code Execution
This module exploits unauthenticated versions of the "STUNSHELL" web shell. This module works when safe mode is enabled on the web server. This shell is widely used in automated RFI payloads. This module requires Metasploit: https://metasploit.com/download Current source:...
STUNSHELL Web Shell Remote Code Execution
This module exploits unauthenticated versions of the "STUNSHELL" web shell. This module works when safe mode is disabled on the web server. This shell is widely used in automated RFI payloads. This module requires Metasploit: https://metasploit.com/download Current source:...
v0pCr3w Web Shell Remote Code Execution
This module exploits a lack of authentication in the shell developed by v0pCr3w, which is widely reused in automated RFI payloads. This module takes advantage of the shell's various methods to execute commands. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Gather Microsoft Office Word UNC Path Injector
This module modifies a remote .docx file that will, upon opening, submit stored NetNTLM credentials to a remote host. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013. In order to capture the hashes, the auxiliary/server/capture/smb module can be used. This module requires Metasploit:...
D-Link DIR-615H HTTP Login Utility
This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models. This module requires Metasploit: https://metasploit.com/download Current...
Java CMM Remote Code Execution
This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier, and has been tested successfully on Windows XP...
Joomla Component JCE File Upload Remote Code Execution
This module exploits a vulnerability in the JCE component for Joomla!, which could allow an unauthenticated remote attacker to upload arbitrary files, caused by its failure to sufficiently sanitize user-supplied input. By sending a specially-crafted HTTP request, a remote attacker could exploit this...