6843 matches found
Linksys E1500 Directory Traversal Vulnerability
This module exploits a directory traversal vulnerability which is present in different Linksys home routers, like the E1500. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linksys E1500...
D-Link DIR-300A / DIR-320 / DIR-615D HTTP Login Utility
This module attempts to authenticate to different D-Link HTTP management services. It has been tested on D-Link DIR-300 Hardware revision A, D-Link DIR-615 Hardware revision D and D-Link DIR-320 devices. It is possible that this module also works with other models. This module requires Metasploit...
HP Intelligent Management Center Arbitrary File Upload
This module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated file uploads and handling zip contents in an insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file...
D-Link DIR 645 Password Extractor
This module exploits an authentication bypass vulnerability in DIR 645 'D-Link DIR 645 Password Extractor', 'Description' = %q This module exploits an authentication bypass vulnerability in DIR 645 'OSVDB', '90733' , 'BID', '58231' , 'PACKETSTORM', '120591' , 'Author' = 'Roberto Paleari ',...
Netgear SPH200D Directory Traversal Vulnerability
This module exploits a directory traversal vulnerability which is present in Netgear SPH200D Skype telephone. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Netgear SPH200D Directory Traversal...
TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability
This module tests whether a directory traversal vulnerability is present in versions of TP-Link Access Point 3.12.16 Build 120228 Rel.37317n. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
ActFax 5.01 RAW Server Buffer Overflow
This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server can be used to transfer fax messages without any underlying protocols. To note significant fields in the fax being transferred, like the fax number or the recipient, ActFax data fields can be used. This module...
Apache Struts ParametersInterceptor Remote Code Execution
This module exploits a remote command execution vulnerability in Apache Struts versions 'Apache Struts ParametersInterceptor Remote Code Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions 'Meder Kydyraliev', Vulnerability Discove...
Linksys E1500/E2500 Remote Command Execution
Some Linksys Routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command. A ping command against a controlled syste...
Nagios Remote Plugin Executor Arbitrary Command Execution
The Nagios Remote Plugin Executor NRPE is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dontblamenrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NR...
Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
This module sends a specially-crafted SSH Key Exchange causing the service to crash. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service'...
Cool PDF Image Stream Buffer Overflow
This module exploits a stack buffer overflow in Cool PDF Reader prior to version 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that contains a specially crafted image stream. This module has been tested successfully on Cool PDF 3.0.2.256 over Windows XP SP3 and Windo...
Linux Manage Download and Execute
This module downloads and runs a file with bash. It first tries to uses curl as its HTTP client and then wget if it's not found. Bash found in the PATH is used to execute the file. This module requires Metasploit: https://metasploit.com/download Current source:...
Dopewars Denial of Service
The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to a lack of input validation. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Dopewars Denial of Service',...
PsExec NTDS.dit And SYSTEM Hive Download Utility
This module authenticates to an Active Directory Domain Controller and creates a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM hive copy can be used in combination with other tools for...
Sami FTP Server LIST Command Buffer Overflow
This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1. The vulnerability exists in the processing of LIST commands. In order to trigger the vulnerability, the "Log" tab must be viewed in the Sami FTP Server managing application, in the target machine. On the other hand, the...
KingView Log File Parsing Buffer Overflow
This module exploits a vulnerability found in KingView "KingView Log File Parsing Buffer Overflow", 'Description' = %q This module exploits a vulnerability found in KingView MSFLICENSE, 'Author' = 'Lucas Apa', Vulnerability discovery 'Carlos Mario Penagos Hollman', Vulnerability discovery...
Axigen Arbitrary File Read and Delete
This module exploits a directory traversal vulnerability in the WebAdmin interface of Axigen, which allows an authenticated user to read and delete arbitrary files with SYSTEM privileges. The vulnerability is known to work on Windows platforms. This module has been tested successfully on Axigen...
Honeywell HSC Remote Deployer ActiveX Remote Code Execution
This module exploits a vulnerability found in the Honeywell HSC Remote Deployer ActiveX. This control can be abused by using the LaunchInstaller function to execute an arbitrary HTA from a remote location. This module has been tested successfully with the HSC Remote Deployer ActiveX installed wit...
Unix Command Shell, Bind TCP (via netcat -e)
Listen for a connection and spawn a command shell via netcat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 24 include Msf::Payload::Single include...
Unix Command Shell, Reverse TCP (via netcat -e)
Creates an interactive shell via netcat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 34 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def initializeinf...
Unix Command Shell, Bind TCP (via netcat -e) IPv6
Listen for a connection and spawn a command shell via netcat This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 25 include Msf::Payload::Single include...
PsExec via Current User Token
This module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the services. The result is similar to psexec but with the added benefit of using the session's...
Mutiny Remote Command Execution
This module exploits an authenticated command injection vulnerability in the Mutiny appliance. Versions prior to 4.5-1.12 are vulnerable. In order to exploit the vulnerability the mutiny user must have access to the admin interface. The injected commands are executed with root privileges. This...
Firebird Relational Database CNCT Group Number Buffer Overflow
This module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer allowing the attacker to control where data is read from. Shortly, following the controlled read, the pointer is called resulting in code execution. The vulnerability...
Discover External IP via Ifconfig.me
This module checks for the public source IP address of the current route to the RHOST by querying the public web application at ifconfig.me. It should be noted this module will register activity on ifconfig.me, which is not affiliated with Metasploit. This module requires Metasploit:...
SCADA 3S CoDeSys Gateway Server Directory Traversal
This module exploits a directory traversal vulnerability that allows arbitrary file creation, which can be used to execute a mof file in order to gain remote execution within the SCADA system. This module requires Metasploit: https://metasploit.com/download Current source:...
Setuid Tunnelblick Privilege Escalation
This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where an insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build...
Viscosity setuid-set ViscosityHelper Privilege Escalation
This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where an insufficient validation of path names allows execution of arbitrary python code as root. This module has been tested successfully on Viscosity 1.4.1 over Mac OS X...
SAP ICF /sap/public/info Service Sensitive Information Gathering
This module uses the /sap/public/info service within SAP Internet Communication Framework ICF to obtain the operating system version, SAP version, IP address and other information. This module requires Metasploit: https://metasploit.com/download Current source:...
VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Inject a VNC Dll via a reflective loader staged. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 438 include Msf::Payload::Stager...
Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Uploads an executable and runs it staged. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 438 include Msf::Payload::Stager include...
Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Inject a custom DLL into the exploited process. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 438 include Msf::Payload::Stager...
Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Inject a DLL via a reflective loader. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 438 include Msf::Payload::Stager include...
Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Spawn a piped command shell staged. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 438 include Msf::Payload::Stager include...
Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Inject the Meterpreter server DLL via the Reflective Dll Injection payload staged. Requires Windows XP SP2 or newer. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
Inject the meterpreter server DLL staged. Connect back to the attacker -- coding: binary -- This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 438 include Msf::Payload::Stager include...
OpenSSL TLS 1.1 and 1.2 AES-NI DoS
The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the length of an encrypted message when used with a TLS version 1.1 or above. This leads to an integer underflow which can cause a DoS. The vulnerable function aesnicbchmacsha1cipher is only included in the 64-bit versions of...
PolarBear CMS PHP File Upload Vulnerability
This module exploits a file upload vulnerability found in PolarBear CMS By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution. This module requires Metasploit: https://metasploit.com/download Curren...
Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability
This module exploits a vulnerability in Kordil EDMS v2.2.60rc3. This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the '/kordiledms/userpictures/' directory. This module requires Metasploit: https://metasploit.com/download Current source:...
Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability
This module exploits a file upload vulnerability in Glossword versions 1.8.8 to 1.8.12 when run as a standalone application. This application has an upload feature that allows an authenticated user with administrator roles to upload arbitrary files to the 'gwtemp/a/' directory. This module requir...
XBMC Web Server Directory Traversal
This module exploits a directory traversal bug in XBMC 11, up until the 2012-11-04 nightly build. The module can only be used to retrieve files. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free
This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed. This module requires Metasploit: https://metasploit.com/download Current source:...
Java Applet JMX Remote Code Execution
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning t...
WinRM Script Exec Remote Code Execution
This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2 and above and VBS CmdStager. The module will check if Powershell is available, and if so uses that method. Otherwise it falls back to the VBS...
BigAnt Server DUPF Command Arbitrary File Upload
This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7. A lack of authentication allows to make unauthenticated file uploads through a DUPF command. Additionally the filename option in the same command can be used to launch a directory traversal attack and achieve arbitrar...
BigAnt Server 2 SCH And DUPF Buffer Overflow
This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The vulnerability is due to the dangerous usage of strcpy while handling errors. This module uses a combination of SCH and DUPF request to trigger the vulnerability, and has been tested successfully against version 2.97 SP7 over...
OpenPLI Webif Arbitrary Command Execution
Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means that you will not see any output of your command. A ping command can be used for testing the vulnerability. This module has been tested in a...
OpenEMR PHP File Upload Vulnerability
This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the ofcuploadimage.php file from the openflashchart library, a malicious user can upload a file to the tmp-upload-images directory without any authentication, which results in arbitrary code execution. The module has been test...
Foxit Reader Plugin URL Processing Buffer Overflow
This module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit...