Ruby on Rails JSON Processor YAML Deserialization Scanner
This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the JSON request processor. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ruby...
Ruby on Rails Devise Authentication Password Reset
The Devise authentication gem for Ruby on Rails is vulnerable to a password reset exploit leveraging type confusion. By submitting XML to Rails, we can influence the type used for the reset_password_token parameter. This allows for resetting passwords of arbitrary accounts, knowing only the...
Windows Manage User Level Persistent Payload Installer
Creates a scheduled task that will run using service-for-user S4U. This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires 'Logon as a batch job'...
Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution
This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX. Several methods in the GWCalServer control use user-provided data as a pointer, which allows reading arbitrary memory and executing arbitrary code. This module has been tested successfully with GroupWise Client...
Titan FTP Administrative Password Disclosure
On Titan FTP servers prior to version 9.14.1628, an attacker can retrieve the username and password for the administrative XML-RPC interface, which listens on TCP Port 31001 by default, by sending an XML request containing bogus authentication information. After sending this request, the server...
Windows Persistent Registry Startup Payload Installer
This module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in "CurrentVersion\Run" depending on privilege and selected method. This module requires Metasploit: https://metasploit.com/download Current source:...
Novell Groupwise Agents HTTP Directory Traversal
This module exploits a directory traversal vulnerability in Novell Groupwise. The vulnerability exists in the web interface of both the Post Office and the MTA agents. This module has been tested successfully on Novell Groupwise 8.02 HP2 over Windows 2003 SP2. This module requires Metasploit:...
Simple Web Server 2.3-RC1 Directory Traversal
This module exploits a directory traversal vulnerability found in Simple Web Server 2.3-RC1. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Simple Web Server 2.3-RC1 Directory Traversal',...
VMWare OVF Tools Format String Vulnerability
This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3. This module requires Metasploit:...
D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
This module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev...
Portable UPnP SDK unique_service_name() Remote Code Execution
This module exploits a buffer overflow in the unique_service_name function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this...
Unix Command Shell, Reverse TCP SSL (via Ruby)
Connect back and create a command shell via Ruby, uses SSL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 185 include Msf::Payload::Single include Msf::Sessions::CommandShellOptio...
Unix Command Shell, Double Reverse TCP SSL (telnet)
Creates an interactive shell through two inbound connections, encrypts using SSL via the "-z" option. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 136 include Msf::Payload::Single...
Command Shell, Reverse TCP SSL (via python)
Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic...
Unix Command Shell, Reverse TCP SSL (telnet)
Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL. This module requires Metasploit: https://metasploit.com/download Current source:...
Unix Command Shell, Reverse TCP SSL (via perl)
Creates an interactive shell via Perl, uses SSL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 173 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...
Ruby Command Shell, Reverse TCP SSL
Connect back and create a command shell via Ruby, uses SSL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 444 include Msf::Payload::Single include Msf::Payload::Ruby include...
Unix Command Shell, Reverse TCP SSL (via php)
Creates an interactive shell via PHP, uses SSL. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 279 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions def...
Unix Command Shell, Reverse TCP SSL (via python)
Creates an interactive shell via python, uses SSL, encodes with base64 by design. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::Single include...
Unix Command Shell, Double Reverse TCP SSL (openssl)
Creates an interactive shell through two inbound connections. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = 182 include Msf::Payload::Single include...
MS12-020 Microsoft Remote Desktop Checker
This module checks a range of hosts for the MS12-020 vulnerability. This does not cause a DoS on the target. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'MS12-020 Microsoft Remote Desktop...
Microsoft Word UNC Path Injector
This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed, the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not wor...
Microsoft Windows Deployment Services Unattend Gatherer
This module will search remote file shares for unattended installation files that may contain domain credentials. This is often used after discovering domain credentials with the auxiliary/scanner/dcerpc/windowsdeploymentservices module or in cases where you already have domain credentials. This...
Microsoft Windows Deployment Services Unattend Retrieval
This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86. This module requires Metasploit: https://metasploit.com/download Current source:...
DataLife Engine preview.php PHP Code Injection
This module exploits a PHP code injection vulnerability in DataLife Engine 9.7. The vulnerability exists in preview.php, due to an insecure usage of preg_replace with the e modifier, which allows injecting arbitrary PHP code when there is a template installed which contains a catlist or not-catlist...
Apache Tomcat Manager Application Deployer Authenticated Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is no...
Multiple DVR Manufacturers Configuration Disclosure
This module takes advantage of an authentication bypass vulnerability in the web interface of multiple manufacturers' DVR systems, which allows retrieving the device configuration. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Gather Credential Cache Dump
This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins. This module requires Metasploit: https://metasploit.com/download Current source:...
Ruby on Rails JSON Processor YAML Deserialization Code Execution
This module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application...
Linux Gather PPTP VPN chap-secrets Credentials
This module collects PPTP VPN information such as client, server, password, and IP from your target server's chap-secrets file. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Linux Gather PPTP...
Joomla Version Scanner
This module scans a Joomla install for information about the underlying operating system and Joomla version. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Joomla Version Scanner', 'Descriptio...
Joomla Plugins Scanner
This module scans a Joomla install for plugins and potential vulnerabilities. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Joomla Plugins Scanner', 'Description' => %q This module scans a...
Joomla Page Scanner
This module scans a Joomla install for common pages. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Joomla Page Scanner', 'Description' => %q This module scans a Joomla install for common pages...
Titan FTP XCRC Directory Traversal Information Disclosure
This module exploits a directory traversal vulnerability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By sending multiple XCRC commands, it is possible to disclose the contents of any file on the drive with a simple CRC "brute force" attack. Althou...
Windows Manage Memory Payload Injection
This module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead. This module requires Metasploit: https://metasploit.com/download...
Ray Sharp DVR Password Retriever
This module takes advantage of a protocol design issue with the Ray Sharp based DVR systems. It is possible to retrieve the username and password through the TCP service running on port 9000. Other brands using this platform and exposing the same issue may include Swann, Lorex, Night Owl, Zmodo,...
Novell eDirectory 8 Buffer Overflow
This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The vulnerability exists in the ndsd daemon, specifically in the NCP service, while parsing a specially crafted Keyed Object Login request. It allows remote code execution with root privileges. This module requires...
ZoneMinder Video Server packageControl Command Execution
This module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file...
Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
This module can be used to execute a payload on Movable Type (MT) installations that expose a CGI script, mt-upgrade.cgi, usually at /mt/mt-upgrade.cgi, that is used during installation and updating of the platform. The vulnerability arises due to the following properties: 1. This script may be invoked remotely...
SonicWALL GMS 6 Arbitrary File Upload
This module exploits a code execution flaw in SonicWALL GMS. It chains two vulnerabilities in order to achieve its objective. An authentication bypass in the Web Administration interface allows abusing the "appliance" application and uploading an arbitrary payload embedded in a JSP. The module has be...
Linksys WRT54GL Remote Command Execution
Some Linksys Routers are vulnerable to OS Command injection. You will need credentials to the web interface to access the vulnerable part of the application. Default credentials are always a good starting point. admin/admin or admin and blank password could be a first try. Note: This is a blind O...
MYSQL File/Directory Enumerator
Enumerate files and directories using the MySQL load_file feature; for more information see the URL in the references. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'yaml' class MetasploitModule 'MYSQL...
PHP-Charts v1.0 PHP Code Execution Vulnerability
This module exploits a PHP code execution vulnerability in php-Charts version 1.0 which could be abused to allow users to execute arbitrary PHP code under the context of the webserver user. The 'url.php' script calls eval with user controlled data from any HTTP GET parameter name. This module...
Polycom Command Shell Authorization Bypass
The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prom...
Java Applet AverageRangeStatisticImpl Remote Code Execution
This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier. This module requires Metasploit:...
Java Applet Method Handle Remote Code Execution
This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...
Multi Manage Record Microphone
This module will enable and record your target's microphone. For non-Windows targets, please use Java meterpreter to be able to use this feature. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...
Windows Manage Webcam
This module will allow the user to detect installed webcams with the LIST action or take a snapshot with the SNAPSHOT action. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Manage...
Windows Gather Razer Synapse Password Extraction
This module will enumerate passwords stored by the Razer Synapse client. The encryption key and IV are publicly known. This module will not only extract the encrypted passwords but will also decrypt them using the public key. Affects versions earlier than 1.7.15. This module requires Metasploit:...