IBM Lotus Notes Client URL Handler Command Injection
This module exploits a command injection vulnerability in the URL handler for the IBM Lotus Notes Client...
Netwin SurgeFTP Remote Command Execution
This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. In order to execute commands via the FTP service, please note that you must have a valid credential to the web-based administrative console. This module requires Metasploit: https://metasploit.com/download Curre...
Foswiki MAKETEXT Remote Command Execution
This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since the input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in th...
TWiki MAKETEXT Remote Command Execution
This module exploits a vulnerability in the MAKETEXT TWiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since user input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the...
InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow
This module exploits a heap overflow found in InduSoft Web Studio's ISSymbol.ocx ActiveX control (classid 3c9dff6f-5cb0-422e-9978-d6405d10718f) when handling its InternationalSeparator() method. The module targets Internet Explorer 6 through 9 on Windows with JavaScript enabled...
Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
This module exploits a heap-based buffer overflow in the CrystalPrintControl ActiveX control while handling the ServerResourceVersion property. The affected control can be found in the PrintControl.dll component as included with Crystal Reports 2008. This module has been tested successfully on IE 6, 7...
HP Data Protector DtbClsLogin Buffer Overflow
This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The overflow occurs during the login process, in the DtbClsLogin function provided by the dpwindtb.dll component, where the strcpy-like Utf8Cpy function is used insecurely on the username. A successful exploitati...
Symantec Messaging Gateway 9.5 Log File Download Vulnerability
This module will download a file of your choice against Symantec Messaging Gateway. This is possible by exploiting a directory traversal vulnerability when handling the 'logFile' parameter, which will load an arbitrary file as an attachment. Note that authentication is required in order to...
Windows Gather Steam Client Session Collector.
This module will collect Steam session information from an account set to autologin...
Nagios XI Network Monitor Graph Explorer Component Command Injection
This module exploits a vulnerability found in the 'Graph Explorer' component of Nagios XI Network Monitor. An authenticated user can execute system commands by injecting them into several parameters, such as the 'host' parameter of visApi.php, which results in remote code execution.
FreeFloat FTP Server Arbitrary File Upload
This module abuses multiple issues in FreeFloat: 1. No credential is actually needed to log in; 2. The user's default path is C:, and this cannot be changed; 3. The user can write anywhere on the server's file system. As a result of these poor implementations, a malicious user can just log in and...
Splunk Custom App Remote Code Execution
This module exploits a feature of Splunk whereby a custom application can be uploaded through the web-based interface. Through the 'script' search command a user can call commands defined in their custom application, which may include arbitrary Perl or Python code. To abuse this behavior, a valid...
SVN wc.db Scanner
Scan for servers that allow access to the SVN wc.db file. Based on the work by Tim Meddin.
IBM System Director Agent DLL Injection
This module abuses the "wmicimsv" service on IBM System Director Agent 5.20.3 to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM privileges. In order to accomplish remote DLL injection it uses a WebDAV service, as disclosed by kingcope in December 2012. Because of this, t...
Oracle MySQL for Microsoft Windows MOF Execution
This module takes advantage of a file privilege misconfiguration problem specifically against Windows MySQL servers due to the use of a .mof file. This may result in arbitrary code execution under the context of SYSTEM. This module requires a valid MySQL account on the target machine. This module...
Microsoft Windows Authenticated Logged In Users Enumeration
This module uses a valid administrator username and password to enumerate users currently logged in, using a technique similar to the "psexec" utility provided by SysInternals. It uses reg.exe to query the HKU base registry key.
Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution
This module abuses the "RunScript" procedure provided by the SOAP interface of Adobe InDesign Server to execute arbitrary VBScript (Windows) or AppleScript (OS X). The exploit drops the payload on the server, and it must be removed manually.
Tectia SSH USERAUTH Change Request Password Reset Vulnerability
This module exploits a vulnerability in the Tectia SSH server for Unix-based platforms. The bug is caused by an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request sent before password authentication, allowing any remote user to bypass the login routine and then gain access as root.
Ektron 8.02 XSLT Transform Remote Code Execution
This module exploits a vulnerability in Ektron CMS 8.02 before SP5. The vulnerability exists due to the insecure usage of XslCompiledTransform with an XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 over Windows 2003 SP2, which allows an attacker to execute arbitrary...
HTTP Strict Transport Security (HSTS) Detection
Display HTTP Strict Transport Security (HSTS) information about each system.
BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability
This module exploits a vulnerability found in BlazeVideo HDTV Player's filename handling routine. When supplying a string of input data embedded in a .plf file, the MediaPlayerCtrl.dll component will try to extract a filename by using PathFindFileNameA, and then copies whatever the return value i...
Windows Gather FTP Explorer (FTPX) Credential Extraction
This module finds saved login credentials for the FTP Explorer (FTPx) FTP client for Windows.
Windows NetLM Downgrade Attack
This module changes the system LmCompatibilityLevel registry value to enable sending LM challenge hashes and initiates an SMB connection to the host specified in the SMBHOST module option. If an SMB server is listening, it will receive the NetLM hashes for the session user.
Network Shutdown Module sort_values Credential Dumper
This module will extract user credentials from Network Shutdown Module versions 3.21 and earlier by exploiting a vulnerability found in lib/dbtools.inc, which uses unsanitized user input inside an eval call. Please note that in order to extract credentials, the vulnerable service must have at leas...
Windows Gather FileZilla FTP Server Credential Collection
This module will collect credentials from the FileZilla FTP server if installed.
Network Shutdown Module (sort_values) Remote PHP Code Injection
This module exploits a vulnerability in Eaton Network Shutdown Module... Original discovery by h0ng10; Metasploit module by sinn3r.
Apple QuickTime 7.7.2 MIME Type Buffer Overflow
This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack-based overflow occurs when processing a malformed Content-Type header. The module has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.
Maxthon3 about:history XCS Trusted Zone Code Execution
Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection into such a privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. Please note this module only works against specific versions of XCS. Currently, we've only...
Metasploit Web Interface Login Utility
This module simply attempts to log in to a Metasploit web interface using a specific user/pass.
Splunk Web Interface Login Utility
This module simply attempts to log in to a Splunk web interface. Please note that the free version of Splunk does not actually require any authentication; in that case the module will abort. Also, some Splunk applications still have the default credential 'admin:changeme' written on the login...
Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow
This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style...
Windows AlwaysInstallElevated MSI
This module checks the AlwaysInstallElevated registry keys, which dictate whether .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). The generated .MSI file has an embedded executable which is extracted and run by the installer. After execution the .MSI file intentionally fai...
NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution
This module abuses a lack of authorization in the NetIQ Privileged User Manager service (unifid.exe) to execute arbitrary Perl code. The problem exists in the ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over Windows 2003 SP2, which allows an attacker to execute arbitrary code wi...
SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection
This module makes use of the SXPG_COMMAND_EXEC Remote Function Call, through the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands. This module i...
SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution
This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the /sap/bc/soap/rfc SOAP service, to execute OS commands as configured in the SM69 transaction.
Narcissus Image Configuration Passthru Vulnerability
This module exploits a vulnerability found in Narcissus image configuration function. This is due to the backend.php file not handling the $release parameter properly, and then passes it on to the configureimage function. In this function, the $release parameter can be used to inject system...
SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure
This module attempts to identify software, OS and DB versions through the SAP function TH_SAPREL using the /sap/bc/soap/rfc SOAP service. This module is based on, inspire...
NFR Agent SRS Record Arbitrary Remote File Access
NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary files via a request to /FSF/CMD with an SRS Record with OPERATION 4 and CMD 103, specifying a full pathname. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) a...
NFR Agent FSFUI Record Arbitrary Remote File Access
NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary text files via a directory traversal while handling requests to /FSF/CMD with an FSFUI record with UICMD 126. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2)...
NFR Agent Heap Overflow Vulnerability
This module exploits a heap overflow in NFRAgent.exe, a component of Novell File Reporter (NFR). The vulnerability occurs when handling requests of name "SRS", where NFRAgent.exe fails to generate a response in a secure way, copying user-controlled data into a fixed-length buffer on the heap withou...
NFR Agent FSFUI Record File Upload RCE
NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload arbitrary files via a directory traversal while handling requests to /FSF/CMD with FSFUI records with UICMD 130. This module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR...
OpenVAS gsad Web Interface Login Utility
This module simply attempts to log in to an OpenVAS gsad interface using a specific user/pass.
OpenVAS OMP Login Utility
This module attempts to authenticate to an OpenVAS OMP service.
OpenVAS OTP Login Utility
This module attempts to authenticate to an OpenVAS OTP service.
NeXpose API Interface Login Utility
This module simply attempts to log in to a NeXpose API interface using a specific user/pass.
Metasploit RPC Interface Login Utility
This module simply attempts to log in to a Metasploit RPC interface using a specific user/pass.
Nessus XMLRPC Interface Ping Utility
This module simply attempts to find and check for a Nessus XMLRPC interface.
Nessus XMLRPC Interface Login Utility
This module simply attempts to log in to a Nessus XMLRPC interface using a specific user/pass.
Nessus NTP Login Utility
This module attempts to authenticate to a Nessus NTP service.
SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Injection
This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands. This module is...